[Solved] Backup/restore of independent DNS zones only?

kristian (Verified User; joined Nov 4, 2005; 436 messages; Norway)
On a server we have a number of DNS zones, mainly reverse zones. We would like to move these zones to a new server, keeping all entries, and DNSSEC information. They are not connected to any user account, so the standard "Admin Backup/Transfer" doesn't seem to support them. Is there another way to perform some kind of admin backup/restore of these zones?
 
Not for stand-alone DNS zones as far as I know, unless you use the multi-server setup, but that would transfer all DNS zones.
So I think the best way is to rsync them over; however, the named.conf sections must then be done manually:
removing/adding the zones.
 
> keeping all entries, and DNSSEC information

Not a DNSSEC expert, but I think it's server specific. I believe it holds the IP address and keys on the said server.
> unless you use the multi-server setup,

Does MSS transfer DNSSEC? I don't think it does, but again I could be wrong.
> Is there another way to perform some kind of admin backup/restore of these zones?

So these zones are unrelated to any account? You created them in the DNS admin tool, or by hand on the server?

If you could use the admin backup tool, you would uncheck "use DNS on this server";
you might want to change this on the target server.
[attached screenshot: 1618589987607.png]
 
> So these zones are unrelated to any account? You created them in the DNS admin tool? or by hand on the server.
Honestly I can't remember how I created them back then. It might have been manually, as long as DA still picks them up and displays them in its UI for me.

I think (or hope) the DNSSEC info is all inside the zone, so it should be safe to just copy all the relevant files over, and add the zone entry in named.conf manually. I will give it a try. Might need to update the serial number and/or force DA to re-sign the zone by making a dummy change to the zone. We'll see.
 
Just tried this now, and the good news is that copying the files over to the new server works like a charm. On my old server, I had these files for any given zone:

Code:
12.34.56.in-addr.arpa.db
12.34.56.in-addr.arpa.db.signed
12.34.56.in-addr.arpa.ksk.key
12.34.56.in-addr.arpa.ksk.private
12.34.56.in-addr.arpa.zsk.key
12.34.56.in-addr.arpa.zsk.private
dlvset-12.34.56.in-addr.arpa.
dsset-12.34.56.in-addr.arpa.

The dlvset- file I skipped, because it seems to be relevant only to dnssec-lookaside, which shouldn't be used any more. The rest of the files were rsynced over to my new server, and I then added the relevant zone entry to named.conf, such as:

Code:
zone "12.34.56.in-addr.arpa" { type master; file "/etc/bind/directadmin-zones/12.34.56.in-addr.arpa.db.signed"; };

I then updated the serial number by creating and then deleting a record in the zone. I did this through the DA WebUI just to ensure all the steps were done with re-signing and bind reloading, and everything works as it should after.
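As an added example (not code from the thread or from DirectAdmin), here is a pre-flight check to run on the target server after the rsync described above: it confirms the file set listed in the post is complete, treats a leftover dlvset- file as something to leave behind, verifies that the DNSKEYs in the .key files are the ones actually published in the .db.signed zone, reads the SOA serial so you can confirm the bump after the dummy edit, warns if a .private file came across group- or world-readable, and emits the named.conf stanza in the form used in the post. The zone name, key strings and DS digest are constructed placeholders; the zones directory /etc/bind/directadmin-zones is the path from the post, and the zone-file parsing is only as deep as SOA and DNSKEY records need.

```python
import os
import stat
import tempfile

# Constructed sample matching the file layout in the post; the key material and
# DS digest are placeholder strings, not real DNSSEC data.
SAMPLE_ZONE = "12.34.56.in-addr.arpa"
SAMPLE_KEYS = {  # role -> DNSKEY RR line as dnssec-keygen writes it into the .key file
    "ksk": f"{SAMPLE_ZONE}. IN DNSKEY 257 3 13 FAKEKSKPUBKEY==",
    "zsk": f"{SAMPLE_ZONE}. IN DNSKEY 256 3 13 FAKEZSKPUBKEY==",
}
SAMPLE_SIGNED = (
    "$TTL 14400\n"
    f"{SAMPLE_ZONE}. IN SOA ns1.example.net. hostmaster.example.net. (\n"
    "    2021041501 ; serial\n    14400 3600 1209600 86400 )\n"
    f"{SAMPLE_ZONE}. 14400 IN DNSKEY 256 3 13 FAKEZSKPUBKEY==\n"
    f"{SAMPLE_ZONE}. 14400 IN DNSKEY 257 3 13 FAKEKSKPUBKEY==\n"
)

def expected_files(zone):
    """Files the post lists for one signed zone; dlvset- is deliberately left out."""
    return [f"{zone}.db", f"{zone}.db.signed", f"{zone}.ksk.key", f"{zone}.ksk.private",
            f"{zone}.zsk.key", f"{zone}.zsk.private", f"dsset-{zone}."]

def logical_records(text):
    """Yield zone-file records as token lists, joining '( ... )' lines, dropping ';' comments."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            tokens, buf, depth = " ".join(buf).split(), [], 0
            if tokens:
                yield tokens

def dnskeys_in(path):
    """Set of (flags, algorithm, public key) for every DNSKEY RR in a file."""
    keys = set()
    with open(path) as fh:
        for rec in logical_records(fh.read()):
            if "DNSKEY" in rec:
                i = rec.index("DNSKEY")  # flags, protocol, algorithm, key chunks follow
                keys.add((int(rec[i + 1]), int(rec[i + 3]), "".join(rec[i + 4:])))
    return keys

def soa_serial(path):
    """Serial from the SOA record (the value the dummy edit in DA bumps)."""
    with open(path) as fh:
        for rec in logical_records(fh.read()):
            if "SOA" in rec:
                return int(rec[rec.index("SOA") + 3])  # SOA mname rname serial ...
    raise ValueError(f"no SOA record in {path}")

def named_conf_stanza(zone, zones_dir):
    """The master-zone entry in the form the post adds to named.conf."""
    return f'zone "{zone}" {{ type master; file "{zones_dir}/{zone}.db.signed"; }};'

def preflight(zone, directory, zones_dir="/etc/bind/directadmin-zones"):
    """Check a copied zone directory and return a report dict."""
    report = {"missing": [], "keys_not_in_signed_zone": [], "warnings": []}
    path = lambda name: os.path.join(directory, name)
    report["missing"] = [n for n in expected_files(zone) if not os.path.isfile(path(n))]
    if os.path.isfile(path(f"dlvset-{zone}.")):
        report["warnings"].append("dlvset- file present; DLV is retired, leave it behind")
    signed = path(f"{zone}.db.signed")
    if os.path.isfile(signed):
        published = dnskeys_in(signed)
        report["serial"] = soa_serial(signed)
        for role in ("ksk", "zsk"):  # every key in the .key files must be published in the zone
            if os.path.isfile(path(f"{zone}.{role}.key")):
                for flags, alg, _ in dnskeys_in(path(f"{zone}.{role}.key")) - published:
                    report["keys_not_in_signed_zone"].append((role, flags, alg))
    for role in ("ksk", "zsk"):  # private keys must not end up group/world readable after the copy
        priv = path(f"{zone}.{role}.private")
        if os.path.isfile(priv) and os.stat(priv).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            report["warnings"].append(f"{os.path.basename(priv)} is group/world accessible")
    report["stanza"] = named_conf_stanza(zone, zones_dir)
    report["ok"] = not report["missing"] and not report["keys_not_in_signed_zone"]
    return report

def write_sample_zone(directory):
    """Write the constructed sample files into directory so the check runs offline."""
    files = {f"{SAMPLE_ZONE}.db": SAMPLE_SIGNED, f"{SAMPLE_ZONE}.db.signed": SAMPLE_SIGNED,
             f"dsset-{SAMPLE_ZONE}.": f"{SAMPLE_ZONE}. IN DS 12345 13 2 FAKEDIGEST\n"}
    for role, rr in SAMPLE_KEYS.items():
        files[f"{SAMPLE_ZONE}.{role}.key"] = f"; constructed sample {role}, not a real key\n{rr}\n"
        files[f"{SAMPLE_ZONE}.{role}.private"] = "Private-key-format: v1.3\n; placeholder only\n"
    for name, body in files.items():
        with open(os.path.join(directory, name), "w") as fh:
            fh.write(body)
        if name.endswith(".private"):
            os.chmod(os.path.join(directory, name), 0o600)

if __name__ == "__main__":  # demo on the constructed sample
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_zone(tmp)
        print(preflight(SAMPLE_ZONE, tmp))
```

On a real server you would call preflight() with the zone name and the directory the files were rsynced into; a non-empty keys_not_in_signed_zone means the key files and the signed zone came from different signing runs, which is worth sorting out before the zone is loaded and the serial bumped.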
 