Dnssec resign zone

sx00199 (Verified User, joined Nov 16, 2004, 17 messages)
Hi there,

I have a setup with DirectAdmin being the primary DNS and an external secondary slave.
The secondary nameserver will only update its zone when the serial number at the primary DNS (DirectAdmin box) has changed.

However,
when DirectAdmin re-signs the zone because of the expired DNSSEC signature, the serial number stays the same.

Do we have a script we can run after the tally has been done for the re-sign, to update the serial?

Kind regards,
Marcel
 
echo "action=rewrite&value=named" >> /usr/local/directadmin/data/task.queue

This will update the serial and should trigger the transfer to the slave.

I'm not using DNSSEC myself yet, but maybe the serial should be updated automatically? (So it would be a feature request.)
 
I do know about that command... I just need to have it fired after the re-sign, which is automatic.
I don't know when the automatic re-sign will occur, so I was looking for a post_dnssec script or something...
 
I'm not sure if that's the answer, Alex. This should only be triggered after the complete DNSSEC signing has been completed, else I think it would run many times for nothing.

I've tried to look for a hook related to DNSSEC, but haven't found any. I think it needs to be added.
 
Arieh, yes, right you are, using the hook might not be the best solution here. According to this: http://www.directadmin.com/features.php?id=1525 the monthly reset will re-sign the zones automatically, and the monthly reset is done with cron and /usr/local/directadmin/dataskq. Will it trigger dns_write_post.sh at all? I did not test it myself yet.

Then I'd raise another question: should the serial number stay the same or change on zone re-signing?

Probably related bug: http://www.directadmin.com/features.php?id=1536

Anyway, if it's a feature request, I'd rather move the thread to a proper sub-forum.
 
Thanks for the report. I've been able to duplicate the bug.

It was because DA reads /var/named/domain.com.db, updates the loaded serial and writes the +1 to /var/named/domain.com.db.signed.
The original zone didn't get an updated serial, thus the +1 keeps being set to the same value over and over.
So it "is" updating, but just being set to the same "new" value repeatedly.

I've updated the code to issue a zone rewrite first, so the serial gets updated.

Related fix:
https://www.directadmin.com/features.php?id=1805

I should have the pre-release binaries updated in about 20 minutes.

John
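The stuck-serial behaviour John describes, modelled as an added Python example (not DirectAdmin's code). The zone fragment, file contents and function names are constructed for illustration; DNSSEC signature records are omitted since only the SOA serial matters here.

```python
import re

# Constructed sample zone (stands in for /var/named/domain.com.db).
SAMPLE_DB = """$TTL 14400
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2024010100 ; serial
        3600 ; refresh
        1800 ; retry
        1209600 ; expire
        86400 ) ; minimum
@ IN NS ns1.example.com.
"""

# Matches the SOA serial line: leading whitespace, the number, the "; serial" comment.
SERIAL_RE = re.compile(r"^(\s*)(\d+)(\s*;\s*serial)", re.MULTILINE)


def read_serial(zone_text: str) -> int:
    """Return the SOA serial found in a zone file's text."""
    m = SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found")
    return int(m.group(2))


def bump_serial(zone_text: str) -> str:
    """Return the zone text with its SOA serial incremented by one."""
    return SERIAL_RE.sub(lambda m: f"{m.group(1)}{int(m.group(2)) + 1}{m.group(3)}",
                         zone_text, count=1)


def resign_buggy(db_text: str, signed_text: str):
    """Pre-fix behaviour: read .db, write serial+1 into .db.signed, leave .db untouched."""
    return db_text, bump_serial(db_text)


def resign_fixed(db_text: str, signed_text: str):
    """Fixed behaviour: rewrite .db first (bumping its serial), then sign that copy."""
    new_db = bump_serial(db_text)
    return new_db, new_db


def serials_after_resigns(resign, rounds: int):
    """Run `rounds` re-signs from SAMPLE_DB; return the serial .db.signed got each time.
    A secondary only transfers when this value increases, so a flat list means no AXFR."""
    db, signed = SAMPLE_DB, SAMPLE_DB
    seen = []
    for _ in range(rounds):
        db, signed = resign(db, signed)
        seen.append(read_serial(signed))
    return seen
```

Running `serials_after_resigns(resign_buggy, 3)` yields the same serial three times, which is exactly why the slave never transfers; the fixed variant yields a strictly increasing sequence.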
 