DNSSEC signatures

James B. Byrne byrnejb at harte-lyne.ca
Thu Apr 11 15:57:23 UTC 2019


We run Bind-9.11.6 on FreeBSD-12 as a hidden server. We have DNSSEC
enabled for some of our domains.  When we moved our zone files to a
FreeBSD host with bind-9.11 we set the zone configuration file to auto
maintain and to use inline signing for these zones.

  zone "example.com" {
    type master;
    file "/usr/local/etc/namedb/master/example.com.hosts";
    auto-dnssec maintain;
    inline-signing yes;
  };

The files in "/usr/local/etc/namedb/master/" relating to this are:

-rw-r--r--  1 bind  bind      479 Feb 19 21:17 Kexample.com.+008+34923.key
-rw-------  1 bind  bind     1200 Feb 19 21:17 Kexample.com.+008+34923.private
-rw-r--r--  1 bind  bind      609 Mar 12 12:59 Kexample.com.+008+37852.key
-rw-------  1 bind  bind     1776 Mar 12 12:59 Kexample.com.+008+37852.private
-rw-r--r--  1 bind  bind      479 Mar 12 12:59 Kexample.com.+008+55431.key
-rw-------  1 bind  bind     1200 Mar 12 12:59 Kexample.com.+008+55431.private
-rw-r--r--  1 bind  bind      171 Mar 12 12:59 dsset-example.com.
-rw-r--r--  1 bind  bind  1138275 Mar 12 12:59 example.com.hosts
-rw-r--r--  1 bind  bind      512 Mar 22 17:28 example.com.hosts.jbk
-rw-r--r--  1 bind  bind  1230649 Apr  3 08:51 example.com.hosts.signed
-rw-r--r--  1 bind  bind  4268062 Apr 10 18:57 example.com.hosts.signed.jnl

When I run named-checkconfig I get this:

named-checkzone -j example.com /usr/local/etc/namedb/master/example.com.hosts
/usr/local/etc/namedb/master/example.com.hosts:389: TTL set to prior TTL (300)
/usr/local/etc/namedb/master/example.com.hosts:2014: signature has expired
zone example.com/IN: brockley-2016.example.com/NS 'samba-67.brockley-2016.example.com' (out of zone) has no addresses records (A or AAAA)
zone example.com/IN: brockley-2016.example.com/NS 'samba-68.brockley-2016.example.com' (out of zone) has no addresses records (A or AAAA)
zone example.com/IN: brockley-2016.example.com/NS 'samba-69.brockley-2016.example.com' (out of zone) has no addresses records (A or AAAA)
zone example.com/IN: loaded serial 2019030501 (DNSSEC signed)

There are no other problems with these zones, yet.  Does anyone know
what steps I have not taken that are required to get automatic
inline zone resigning to work?

Thanks

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
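The "signature has expired" warning above is raised against the unsigned source file (example.com.hosts), so that file itself still carries RRSIG records. A quick way to see which signatures in a zone file are stale, and when the rest will lapse, is to parse the RRSIG expiration field (YYYYMMDDHHmmSS, RFC 4034) and compare it with the current time. The script below is an added example, not code from the poster or from BIND; the zone fragment, signature bodies and key tags in it are constructed placeholders, and POST_TIME is simply the date of the mail, used as "now" for the check.

```python
"""Report expired or soon-to-expire RRSIG records in a BIND-style zone file.

Added example; the zone text below is constructed and its signature bodies
are placeholders, not real signatures.
"""
from datetime import datetime, timedelta, timezone

# "Now" for the check: the timestamp of the mailing-list post (UTC).
POST_TIME = datetime(2019, 4, 11, 15, 57, 23, tzinfo=timezone.utc)

# Constructed sample zone: one expired signature, one valid, one about to expire.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 300
@    IN SOA ns1.example.com. hostmaster.example.com. 2019030501 3600 900 604800 300
     IN RRSIG SOA 8 2 300 20190405083000 20190306083000 34923 example.com. (
            AbCdEf0123456789== ) ; placeholder signature, not real
www  IN A 192.0.2.10
     IN RRSIG A 8 3 300 20190501083000 20190401083000 55431 example.com. AbCdEf==
mail IN A 192.0.2.20
     IN RRSIG A 8 3 300 20190415120000 20190316120000 55431 example.com. AbCdEf==
"""


def _logical_records(zone_text):
    """Yield one logical record at a time, folding '( ... )' continuations
    and dropping ';' comments. Leading whitespace on the first line is kept
    so the caller can detect an inherited owner name."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield "\n".join(buf)
            buf, depth = [], 0


def _parse_sig_time(field):
    """RRSIG times are YYYYMMDDHHmmSS in presentation format; older files may
    use seconds since the epoch. Both are interpreted as UTC."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def find_rrsigs(zone_text):
    """Return a list of dicts describing every RRSIG record in the zone text."""
    sigs, owner, origin = [], None, None
    for rec in _logical_records(zone_text):
        toks = rec.replace("(", " ").replace(")", " ").split()
        if rec.startswith("$ORIGIN"):
            origin = toks[1]
            continue
        if rec.startswith("$"):
            continue  # other directives such as $TTL
        if not rec[0].isspace():  # explicit owner name on this record
            owner = toks[0]
            if owner == "@" and origin:
                owner = origin
            elif origin and not owner.endswith("."):
                owner = owner + "." + origin  # make relative names absolute
        if "RRSIG" not in toks:
            continue
        i = toks.index("RRSIG")
        # RDATA layout: type covered, algorithm, labels, original TTL,
        # expiration, inception, key tag, signer name, signature
        sigs.append({
            "owner": owner,
            "type_covered": toks[i + 1],
            "algorithm": int(toks[i + 2]),
            "expiration": _parse_sig_time(toks[i + 5]),
            "inception": _parse_sig_time(toks[i + 6]),
            "key_tag": int(toks[i + 7]),
            "signer": toks[i + 8],
        })
    return sigs


def check_signatures(zone_text, now, warn_days=7):
    """Classify each RRSIG as EXPIRED, EXPIRING (within warn_days) or OK.
    Returns (owner, type covered, key tag, status) tuples in file order."""
    report = []
    for sig in find_rrsigs(zone_text):
        if sig["expiration"] <= now:
            status = "EXPIRED"
        elif sig["expiration"] - now <= timedelta(days=warn_days):
            status = "EXPIRING"
        else:
            status = "OK"
        report.append((sig["owner"], sig["type_covered"], sig["key_tag"], status))
    return report


if __name__ == "__main__":
    for owner, rtype, tag, status in check_signatures(SAMPLE_ZONE, POST_TIME):
        print(f"{status:9} {owner} RRSIG({rtype}) keytag={tag}")
```

To run it against a real file, replace SAMPLE_ZONE with the contents of the unsigned master file and the .signed file in turn: with inline signing, the signatures named maintains live in the .signed file and its .jnl journal, so any RRSIGs left in the source .hosts file are whatever was in it when it was last signed by hand and will only ever get older.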
