Score:0

How to force BIND 9.16 to resign my zones after editing zone file


I'm using BIND 9.16's new dnssec-policy feature on my zones, following the guide to enable DNSSEC. Everything worked like a charm. Now I need to add another record to one of my zones, but after editing the zone file at /var/lib/bind/db.mydomain.com and running:

rndc reload
systemctl restart bind9

my .key file Kmydomain.com.xxxx.key is not being updated, and in the logs I see messages with the old serial for the zone (signed) and the new serial for the zone (unsigned).

Oct  8 13:07:04 bind named[622]: zone mydomain.com/IN (unsigned): loaded serial 2021100801
...
Oct  8 13:07:04 bind named[622]: zone mydomain.com/IN (signed): loaded serial 2021100607 (DNSSEC signed)
...
Oct  8 13:07:04 bind named[622]: all zones loaded
Oct  8 13:07:04 bind named[622]: running
Oct  8 13:07:04 bind named[622]: zone mydomain.com/IN (signed): receive_secure_serial: unchanged
Oct  8 13:07:04 bind named[622]: zone mydomain.com/IN (signed): sending notifies (serial 2021100607)
Oct  8 13:07:04 bind named[622]: zone mydomain.com/IN (signed): reconfiguring zone keys
...
Oct  8 13:07:04 bind named[622]: zone mydomain.com/IN (signed): next key event: 08-Oct-2021 17:59:00.636

Reading the docs, I can't find any reference to a manual step to ask BIND to re-sign my zone, and I would like to know how to proceed.

My zone statement for the domain in /etc/bind/named.conf.local is

zone "mydomain.com" in {
    type master;
    file "/var/lib/bind/db.mydomain.com";
    allow-transfer { 123.123.123.123; };
    also-notify { 123.123.123.123; };
    dnssec-policy default;
};
djdomi
[Did you read the Manual?](https://bind9.readthedocs.io/en/latest/advanced.html)
Patrick Mevzek
It is not clear why you need to "re-sign". You say you add a record (which one?) and then you say your key file is not updated; what does that mean? Did you see this in the documentation: "By default, the key directory is checked for changes every 60 minutes; this period can be adjusted with dnssec-loadkeys-interval, up to a maximum of 24 hours. The rndc loadkeys command forces named to check for key updates immediately." `rndc sign` can give you various insights into what is currently happening inside BIND when it maintains the DNSSEC status automatically (it decides itself what to sign and when).

Sorry if I was not clear; English is not my main language. I waited over 4 hours before sending the original question, so I don't think it was just a matter of waiting for BIND. I'm using the default paths (/etc/bind, /var/lib/bind, /var/cache/bind) and everything works fine; I just could not get BIND to "see" the changes I made to the zone file and generate a new signed zone.
Score:0

In the end I used the "nuclear" option of removing the K* files for mydomain.com from /var/cache/bind/:

rm -f /var/cache/bind/Kmydomain.com.*

followed by restarting BIND:

rndc reload
systemctl restart bind9

I had to generate a new DS record and update it on my parent DNS server, but I could not wait any longer.

If you know how to properly ask BIND to generate new (key/private/state) files when editing zone files, I really would like to know.
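As an added example, not from the original poster or from the BIND project: a POSIX shell helper for the edit-and-verify cycle this thread is about. The "(unsigned)" and "(signed)" pair in the question's log is BIND's inline signing, which is what dnssec-policy uses in 9.16: the file named in the zone statement stays unsigned, named maintains its own signed copy, and an edit to the zone file never changes the K* key files, which only change at key rollovers. So the things to check after an edit are the serial and the RRSIGs actually served, not the key files. The script bumps the SOA serial in the zone file, reloads just that zone, asks named to re-read its keys with `rndc loadkeys` instead of waiting for `dnssec-loadkeys-interval`, and polls `dig` until the served serial has caught up. It also includes a small parser that pulls the unsigned and signed serials out of named log lines like the ones in the question. The zone name, file path, 127.0.0.1 and the YYYYMMDDnn serial format are assumptions taken from the post.

```sh
#!/bin/sh
# Added example, not code from the original post or from the BIND project.
# Assumes BIND 9.16 with "dnssec-policy" (inline signing): the zone file
# stays unsigned and named keeps the signed copy itself. rndc and dig are
# assumed to reach the named on localhost. Zone name, path and serial
# format (YYYYMMDDnn) are assumptions taken from the post.
ZONE="mydomain.com"
ZONEFILE="/var/lib/bind/db.${ZONE}"
NS="127.0.0.1"

# First 10-digit number in the file; assumes the SOA serial is YYYYMMDDnn
# and that no earlier field (TTLs, timers) is 10 digits long.
read_serial() {
    grep -oE '[0-9]{10}' "$1" | head -n 1
}

# New serial: today's date with counter 01, or current+1 when that would not
# be larger (several edits in one day, or a serial already dated in the future).
next_serial() {
    cur="$1"; today="$2"
    cand="${today}01"
    if [ "$cur" -ge "$cand" ]; then
        cand=$((cur + 1))
    fi
    printf '%s\n' "$cand"
}

# Rewrite the first occurrence of the old serial in place and print the new one.
bump_serial() {
    file="$1"; today="${2:-$(date -u +%Y%m%d)}"
    old=$(read_serial "$file")
    if [ -z "$old" ]; then
        echo "no 10-digit serial found in $file" >&2
        return 1
    fi
    new=$(next_serial "$old" "$today")
    awk -v old="$old" -v new="$new" \
        '!done && index($0, old) { sub(old, new); done = 1 } { print }' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    printf '%s\n' "$new"
}

# Report the serials named last logged for the unsigned and signed views of
# a zone, so the "raw ahead of signed" state from the question is visible.
log_serials() {
    awk -v z="zone $1/IN" '
        index($0, z) && /loaded serial/ {
            for (i = 1; i < NF; i++) if ($i == "serial") s = $(i + 1)
            if (/\(unsigned\)/) u = s; else if (/\(signed\)/) g = s
        }
        END { printf "unsigned=%s signed=%s\n", u, g }' "$2"
}

# Poll the served SOA until its serial is at least $3. The signed copy keeps
# its own serial, which named raises when the raw zone changes; after a
# successful reload it should not be below the new raw serial.
wait_for_serial() {
    zone="$1"; ns="$2"; want="$3"; tries="${4:-30}"
    while [ "$tries" -gt 0 ]; do
        got=$(dig @"$ns" "$zone" SOA +short 2>/dev/null | awk '{ print $3 }')
        case "$got" in ''|*[!0-9]*) got=0 ;; esac
        if [ "$got" -ge "$want" ]; then
            return 0
        fi
        sleep 2
        tries=$((tries - 1))
    done
    return 1
}

# The whole procedure: bump the serial, validate the file, reload only this
# zone, nudge the key machinery, then verify what is actually served.
resign_after_edit() {
    zone="$1"; file="$2"
    new=$(bump_serial "$file") || return 1
    named-checkzone -q "$zone" "$file" || return 1   # reject a broken edit before named sees it
    rndc reload "$zone"
    rndc loadkeys "$zone"        # re-read the key directory now, not at the next interval
    rndc dnssec -status "$zone"  # 9.16: per-key state as named sees it
    if wait_for_serial "$zone" "$NS" "$new"; then
        dig @"$NS" "$zone" SOA +dnssec +norecurse | grep -q RRSIG \
            && echo "serving serial >= $new with RRSIG"
    else
        echo "served serial still below $new; check 'rndc zonestatus $zone' and the named log" >&2
        return 1
    fi
}

# Only act when asked explicitly; the helpers above can also be used alone.
if [ "${1:-}" = "--apply" ]; then
    resign_after_edit "$ZONE" "$ZONEFILE"
fi
```

Run it as `sh resign.sh --apply` on the primary after editing the zone file. If the served serial never reaches the new one, the interesting state is in `rndc zonestatus mydomain.com` and the "(signed)" lines in the named log, not in the key files.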
