From: Michael Graff
Newsgroups: comp.protocols.dns.bind
Subject: Re: OT: Bind 9.9.0B1 Inline-Signing Question
Date: Thu, 10 Nov 2011 14:42:59 -0600
To: "McConville, Kevin"
Cc: "bind-users@lists.isc.org"

Do you see that each time named starts or just on the first load of the zone? What happens if you send a query to the server with dig +dnssec?

On Nov 10, 2011, at 14:23, "McConville, Kevin" wrote:

> I know that this isn’t the forum for betas, which is why I put off-topic on the subject line. We are trying to implement DNSSEC for our static zones. While the dynamic signing has been automated, static inline-signing isn’t available until Bind 9.9.
>
> We have been testing with the alphas and now with the beta. What we are seeing is that whenever named starts, it initially creates the signed static zone file, but never really finishes. The logging shows:
>
> 10-Nov-2011 14:38:14.766 general: error: zone xxxxxx.org/IN (signed): not loaded due to errors.
> 10-Nov-2011 14:38:14.766 general: info: zone localhost/IN: loaded serial 42
> 10-Nov-2011 14:38:14.767 general: notice: all zones loaded
> 10-Nov-2011 14:38:14.768 general: notice: running
> 10-Nov-2011 14:38:14.768 general: info: zone xxxxxx.org/IN (signed): loaded serial 2011110905
> 10-Nov-2011 14:38:14.768 notify: info: zone xxxxxx.org/IN /IN (signed): sending notifies (serial 2011110905)
>
> So, it doesn’t load the zone due to errors, but then later claims to load the same zone file.
>
> Has anyone been able to get the inline-signing function to work? I’ve triple-checked my named.conf, ran named-checkzone, went to a vanilla zone file, and even tested the zone file as dynamic (which worked).
>
> Any ideas or suggestions of where to check next are greatly appreciated.
>
> Thanks,
>
> -Kevin
>
> Kevin McConville
> University at Albany