Path: csiph.com!newsfeed.xs4all.nl!newsfeed8.news.xs4all.nl!news.uzoreto.com!news.etla.org!nntp-feed.chiark.greenend.org.uk!ewrotcd!usenet-its.stanford.edu!usenet.stanford.edu!not-for-mail From: Mark Andrews Newsgroups: comp.protocols.dns.bind Subject: Re: Upgrading from 9.14.12 to 9.16.4 - with existing DNSSEC zones Date: Wed, 2 Sep 2020 08:38:00 +1000 Lines: 58 Approved: bind-users@lists.isc.org Message-ID: References: <6AB3E1D2-2192-4E34-A1E9-F9157EC222CF@isc.org> NNTP-Posting-Host: lists.isc.org Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.6\)) Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Trace: usenet.stanford.edu 1598999888 555 149.20.1.60 (1 Sep 2020 22:38:08 GMT) X-Complaints-To: action@cs.stanford.edu Cc: bind-users@lists.isc.org To: duncan@isn-portal.de Return-Path: X-Original-To: bind-users@lists.isc.org Delivered-To: bind-users@lists.isc.org In-Reply-To: X-Mailer: Apple Mail (2.3445.9.6) X-BeenThere: bind-users@lists.isc.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: BIND Users Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Mailman-Original-Message-ID: <6AB3E1D2-2192-4E34-A1E9-F9157EC222CF@isc.org> X-Mailman-Original-References: Xref: csiph.com comp.protocols.dns.bind:16086 Do you go to your mechanic and not take the car when you have a problem = you don=E2=80=99t understand with the car? BIND 9.16.4 should be a drop in replacement for 9.14.12. As you are = seeing issues you will need to supply more details like the name of the = zone so people can actually try and figure out what the issue is. Mark=20 > On 2 Sep 2020, at 01:06, Duncan wrote: >=20 > I am using DNSSEC for more than 5 years now (never had a problem so = far), but after upgrading to the latest bind-9.16.4 the verification = fails using Verisign's DNSSEC Validator. > =20 > I reverted back to 9.14.12 and everything works as expected. > =20 > First I started upgrading my secondary DNS-Server (primary left = untouched !!!) to 9.16.4 - restarted named and everything seems to be = OK. > =20 > So I tested with Verisign's DNSSEC Validator = https://dnssec-analyzer.verisignlabs.com/ before upgrading my primary = DNS. > =20 > And Verisign reported an error -> All Queries to = secondary.my-dnsserver-domain.com for my-domain.com/Atimed out or failed > =20 > Test Results: https://ibb.co/7QLVJsC > =20 > Any ideas? =E2=80=A6or should I upgrade both servers before I do my = first test (not only the secondary server)? As I said, I only updated my = secondary server and left my primary server untouched! > =20 > Are there any related upgrade issues from from 9.14.12 to 9.16.4, = which I should take care first (do I have to update something in my = configs)? Is it possible to keep my already signed zones of my 9.14.12 = installation? Or do I have to re-sign anything? > =20 > =20 > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to = unsubscribe from this list >=20 > ISC funds the development of this software with paid support = subscriptions. Contact us at https://www.isc.org/contact/ for more = information. >=20 >=20 > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users --=20 Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org