Date:      Thu, 11 Apr 2019 11:57:02 -0400
From:      "James B. Byrne" <byrnejb@harte-lyne.ca>
To:        freebsd-questions@freebsd.org
Subject:   DNSSEC signatures
Message-ID:  <4e016c879f783ffda0993eed80293863.squirrel@webmail.harte-lyne.ca>

We run Bind-9.11.6 on FreeBSD-12 as a hidden server. We have DNSSEC
enabled for some of our domains.  When we moved our zone files to a
FreeBSD host with bind-9.11 we set the zone configuration file to auto
maintain and to use inline signing for these zones.

  zone "example.com" {
    type master;
    file "/usr/local/etc/namedb/master/example.com.hosts";
    auto-dnssec maintain;
    inline-signing yes;
  };

The files in "/usr/local/etc/namedb/master/" relating to this are:

-rw-r--r--  1 bind  bind      479 Feb 19 21:17 Kexample.com.+008+34923.key
-rw-------  1 bind  bind     1200 Feb 19 21:17 Kexample.com.+008+34923.private
-rw-r--r--  1 bind  bind      609 Mar 12 12:59 Kexample.com.+008+37852.key
-rw-------  1 bind  bind     1776 Mar 12 12:59 Kexample.com.+008+37852.private
-rw-r--r--  1 bind  bind      479 Mar 12 12:59 Kexample.com.+008+55431.key
-rw-------  1 bind  bind     1200 Mar 12 12:59 Kexample.com.+008+55431.private
-rw-r--r--  1 bind  bind      171 Mar 12 12:59 dsset-example.com.
-rw-r--r--  1 bind  bind  1138275 Mar 12 12:59 example.com.hosts
-rw-r--r--  1 bind  bind      512 Mar 22 17:28 example.com.hosts.jbk
-rw-r--r--  1 bind  bind  1230649 Apr  3 08:51 example.com.hosts.signed
-rw-r--r--  1 bind  bind  4268062 Apr 10 18:57 example.com.hosts.signed.jnl

When I run named-checkconfig I get this:

named-checkzone -j example.com /usr/local/etc/namedb/master/example.com.hosts
/usr/local/etc/namedb/master/example.com.hosts:389: TTL set to prior TTL (300)
/usr/local/etc/namedb/master/example.com.hosts:2014: signature has expired
zone example.com/IN: brockley-2016.example.com/NS 'samba-67.brockley-2016.example.com' (out of zone) has no addresses records (A or AAAA)
zone example.com/IN: brockley-2016.example.com/NS 'samba-68.brockley-2016.example.com' (out of zone) has no addresses records (A or AAAA)
zone example.com/IN: brockley-2016.example.com/NS 'samba-69.brockley-2016.example.com' (out of zone) has no addresses records (A or AAAA)
zone example.com/IN: loaded serial 2019030501 (DNSSEC signed)

There are no other problems with these zones, yet.  Does anyone know
what steps I have not taken that are required to get automatic
inline zone resigning to work?

Thanks

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
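
As an added example (not from the post, and not BIND's own tooling), a small Python checker that applies the same expiry test that named-checkzone reports above ("signature has expired") to RRSIG lines such as those printed by `dig +dnssec`, so that stale signatures on the served zone are noticed before validating resolvers start answering SERVFAIL. The sample records, the NOW timestamp and the 7-day warning window are constructed assumptions; the key tags are the ones from the directory listing.

```python
import re
from datetime import datetime, timedelta, timezone

# One RRSIG per line, as "dig +dnssec" prints it without +multiline (RFC 4034 s.3.2):
# owner TTL IN RRSIG type-covered alg labels orig-ttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+\S+\s+\S+"
)

def parse_sig_time(stamp):
    # RRSIG validity times are YYYYMMDDHHmmSS in UTC
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsigs(lines, now, warn_days=7):
    """Classify each RRSIG as expired / not yet valid / expiring / ok.

    Returns a list of (owner, type covered, key tag, status); lines that are
    not RRSIGs (A, SOA, DNSKEY, ...) are skipped.
    """
    results = []
    for line in lines:
        m = RRSIG_RE.match(line.strip())
        if not m:
            continue
        inception = parse_sig_time(m["inception"])
        expiration = parse_sig_time(m["expiration"])
        if now < inception:
            status = "not yet valid"
        elif now >= expiration:      # what named-checkzone reports as "signature has expired"
            status = "expired"
        elif expiration - now <= timedelta(days=warn_days):
            status = "expiring"      # automatic re-signing should already have replaced it
        else:
            status = "ok"
        results.append((m["owner"], m["covered"], int(m["keytag"]), status))
    return results

# Constructed sample: key tags taken from the post, signature data is fake base64.
SAMPLE_RRSIGS = [
    "example.com.\t300\tIN\tA\t192.0.2.1",
    "example.com.\t300\tIN\tRRSIG\tA 8 2 300 20190403085100 20190304085100 55431 example.com. Y29uc3RydWN0ZWQ=",
    "example.com.\t300\tIN\tRRSIG\tSOA 8 2 300 20190510120000 20190410120000 37852 example.com. Y29uc3RydWN0ZWQ=",
    "www.example.com.\t300\tIN\tRRSIG\tA 8 3 300 20190415000000 20190316000000 55431 example.com. Y29uc3RydWN0ZWQ=",
]
# Time of the original post (Thu, 11 Apr 2019 11:57 -0400) expressed in UTC
NOW = datetime(2019, 4, 11, 15, 57, tzinfo=timezone.utc)

if __name__ == "__main__":
    for owner, covered, keytag, status in check_rrsigs(SAMPLE_RRSIGS, NOW):
        print(f"{owner} RRSIG({covered}) keytag {keytag}: {status}")
```

Feed it real data with `dig +dnssec example.com SOA @<hidden-server>` and the other record types you care about; an "expired" or "expiring" result on the served zone means the signer is not refreshing signatures, whatever the unsigned master file contains.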