I'm using the new dnssec-policy feature of BIND 9.16 on my zones, following the guide to enable DNSSEC. Everything worked like a charm. Now I need to add another record to one of my zones, but after editing the zone file at /var/lib/bind/db.mydomain.com and running:

rndc reload
systemctl restart bind9

my .key file Kmydomain.com.xxxx.key is not being updated, and in the logs I see messages with the old serial for the zone (signed) and the new serial for the zone (unsigned).

Oct  8 13:07:04 bind named[622]: zone mydomain.com/IN (unsigned): loaded serial 2021100801
...
Oct  8 13:07:04 bind named[622]: zone mydomain.com/IN (signed): loaded serial 2021100607 (DNSSEC signed)
...
Oct  8 13:07:04 bind named[622]: all zones loaded
Oct  8 13:07:04 bind named[622]: running
Oct  8 13:07:04 bind named[622]: zone mydomain.com/IN (signed): receive_secure_serial: unchanged
Oct  8 13:07:04 bind named[622]: zone mydomain.com/IN (signed): sending notifies (serial 2021100607)
Oct  8 13:07:04 bind named[622]: zone mydomain.com/IN (signed): reconfiguring zone keys
...
Oct  8 13:07:04 bind named[622]: zone mydomain.com/IN (signed): next key event: 08-Oct-2021 17:59:00.636

Reading the docs, I can't find any reference to a manual step to ask BIND to re-sign my zone, and I would like to know how to proceed.

My zone for the domain in /etc/bind/named.conf.local is

zone "mydomain.com" in {
    type master;
    file "/var/lib/bind/db.mydomain.com";
    allow-transfer { 123.123.123.123; };
    also-notify { 123.123.123.123; };
    dnssec-policy default;
};
  • [Did you read the Manual?](https://bind9.readthedocs.io/en/latest/advanced.html) – djdomi Oct 08 '21 at 14:39
  • It is not clear why you need to "resign". You say you add a record (which one?) and then you say your keyfile is not updated, what does that mean? Did you see this in documentation: "By default, the key directory is checked for changes every 60 minutes; this period can be adjusted with dnssec-loadkeys-interval, up to a maximum of 24 hours. The rndc loadkeys command forces named to check for key updates immediately." `rndc sign` can give you various insights on what is currently happening inside bind when it maintains the DNSSEC status automatically (it decides itself what and when to sign) – Patrick Mevzek Oct 08 '21 at 17:39
  • Sorry if I was not clear, English is not my main language. I waited over 4 hours before sending the original question, so I don't think it was just a matter of waiting for BIND. I'm using the default paths ( /etc/bind, /var/lib/bind, /var/cache/bind ) and everything works fine, I just could not get BIND to "see" the changes I made to the zone file and generate a new signed zone – André Casteliano Oct 08 '21 at 18:12
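The symptom in the question is visible in named's own "loaded serial" lines: the unsigned (raw) zone carries the edited serial while the signed zone still reports the older one. The following check is an added example, not code from the question or any answer; it parses lines in that log format (the sample lines below are constructed to match it, with a second zone added for contrast) and reports zones whose unsigned serial is newer than the signed one. Serial comparison uses RFC 1982 arithmetic so a wrapped 32-bit serial is compared correctly.

```python
import re

# Constructed sample in the format named uses for an inline-signed zone.
# mydomain.com shows the problem from the question; other.example is the
# normal case where the signed serial is at or ahead of the unsigned one.
SAMPLE_LOG = """\
Oct  8 13:07:04 bind named[622]: zone mydomain.com/IN (unsigned): loaded serial 2021100801
Oct  8 13:07:04 bind named[622]: zone mydomain.com/IN (signed): loaded serial 2021100607 (DNSSEC signed)
Oct  8 13:07:04 bind named[622]: zone mydomain.com/IN (signed): receive_secure_serial: unchanged
Oct  8 13:07:04 bind named[622]: zone other.example/IN (unsigned): loaded serial 2021100101
Oct  8 13:07:04 bind named[622]: zone other.example/IN (signed): loaded serial 2021100105 (DNSSEC signed)
"""

LOADED = re.compile(
    r"zone (?P<zone>\S+)/IN \((?P<copy>unsigned|signed)\): loaded serial (?P<serial>\d+)"
)


def serial_gt(a, b):
    """RFC 1982 comparison: True if serial a is 'after' serial b modulo 2**32."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    if a == b:
        return False
    return (a < b and b - a > 2**31) or (a > b and a - b < 2**31)


def loaded_serials(log):
    """Map zone -> {'unsigned': serial, 'signed': serial}; the last line per copy wins."""
    out = {}
    for line in log.splitlines():
        m = LOADED.search(line)
        if m:
            out.setdefault(m["zone"], {})[m["copy"]] = int(m["serial"])
    return out


def lagging_zones(log):
    """Zones whose unsigned serial is newer than the signed serial: an edit the
    signed copy has not picked up yet. Returns zone -> (unsigned, signed)."""
    lag = {}
    for zone, s in loaded_serials(log).items():
        if "unsigned" in s and "signed" in s and serial_gt(s["unsigned"], s["signed"]):
            lag[zone] = (s["unsigned"], s["signed"])
    return lag


if __name__ == "__main__":
    for zone, (raw, signed) in lagging_zones(SAMPLE_LOG).items():
        print(f"{zone}: unsigned serial {raw} newer than signed serial {signed}")
```

Run it against your own named log (for example the output of `journalctl -u bind9`) to see whether the signed copy has caught up after a reload.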

1 Answer

In the end I used the "nuclear" option of removing the K* files for mydomain.com from /var/cache/bind/

rm -f /var/cache/bind/Kmydomain.com.*

Followed by restarting BIND

rndc reload
systemctl restart bind9

I had to generate a new DS record and update it on my parent DNS server, but I could not wait any longer.

If you know how to properly ask BIND to generate new (key/private/state) files when editing zone files, I really would like to know.