
List:       bind-users
Subject:    Re: Converting an inline-signed zone to unsigned
From:       Alan Clegg <alan () clegg ! com>
Date:       2014-02-19 18:58:01
Message-ID: 5304FEB9.80601 () clegg ! com

On 2/19/14, 8:59 PM, Chris Thompson wrote:
> What is the right way ... or maybe I should be asking IS there a right
> way ... to change a zone that has been signed by inline signing (i.e. with
> "inline-signing yes; auto-dnssec maintain;" in its zone statement) to
> unsigned?
> 
> When I change the zone statement to remove the inline signing part, and
> update the SOA serial in the zone file for good measure, and then do
> either "rndc reload" or "rndc reconfig", I get messages like
> 
> named[22954]: general: error: zone playground.test/IN:
>   journal rollforward failed: journal out of sync with zone
> named[22954]: general: error: zone playground.test/IN:
>   not loaded due to errors.
> 
> and the zone goes into SERVFAIL state.
> 
> The only way I found out of this was to remove the [zone-file].signed
> and [zone-file].signed.jnl files manually, and *then* do "rndc reconfig".
> Surely there must be something better than that?
> 

Have you tried setting "dnssec-secure-to-insecure" then setting all of
the keys to deleted?

AlanC
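As an added illustration of the route Alan suggests (this script is not from the thread, from ISC or from BIND itself): keep `inline-signing` and `auto-dnssec maintain` in place, add `dnssec-secure-to-insecure yes;` so named may strip its own signatures, retire every key with `dnssec-settime`, and only drop the inline-signing options once the zone no longer serves a DNSKEY RRset. The zone name comes from the thread; the key directory, zone file name and server address are assumptions.

```sh
# Added example, not part of the thread: drive the "secure to insecure"
# path for an inline-signed BIND zone. ZONE is the name from the thread;
# KEYDIR, the zone file name and the server address are assumptions.

ZONE="${ZONE:-playground.test}"            # zone name taken from the thread
KEYDIR="${KEYDIR:-/var/named/keys}"        # assumed key-directory of the zone

# Step 1: the zone stanza that must be in place *before* the keys are
# retired. inline-signing and auto-dnssec stay so named can remove the
# RRSIGs/NSEC records itself; dnssec-secure-to-insecure permits that.
zone_stanza() {
  zone="$1"; file="$2"
  cat <<EOF
zone "$zone" {
    type master;
    file "$file";
    key-directory "$KEYDIR";
    inline-signing yes;
    auto-dnssec maintain;
    dnssec-secure-to-insecure yes;   # allow named to go back to unsigned
};
EOF
}

# Step 2: for every key of the zone, emit the dnssec-settime command that
# marks it inactive (-I) and deleted (-D) now. Emits rather than runs, so
# the plan can be reviewed (or tested) before anything is changed.
plan_key_retirement() {
  zone="$1"; keydir="$2"
  for k in "$keydir"/K"$zone".+*+*.key; do
    [ -e "$k" ] || continue          # the glob matched no key file
    printf 'dnssec-settime -K %s -I now -D now %s\n' \
      "$keydir" "$(basename "${k%.key}")"
  done
}

# Step 3: run the plan, then tell named to re-read the key timing metadata.
apply_key_retirement() {
  zone="$1"; keydir="$2"
  plan_key_retirement "$zone" "$keydir" | while read -r cmd; do
    echo "+ $cmd"; $cmd || exit 1
  done || return 1
  rndc loadkeys "$zone"
}

# Step 4, the check before editing named.conf again: once this returns 0
# the zone serves no DNSKEY RRset and the inline-signing options can go.
# Removing them earlier is what leaves the .signed/.signed.jnl pair out of
# step with the zone file, the "journal out of sync" error in the thread.
zone_has_no_dnskey() {
  zone="$1"; server="${2:-127.0.0.1}"
  [ -z "$(dig +short @"$server" "$zone" DNSKEY)" ]
}

# Touch a live server only when explicitly asked.
if [ "${RUN_UNSIGN:-0}" = 1 ]; then
  zone_stanza "$ZONE" "$ZONE.db"
  apply_key_retirement "$ZONE" "$KEYDIR"
fi
```

Run `RUN_UNSIGN=1 ZONE=playground.test KEYDIR=/path/to/keys sh unsign.sh` on the signer, wait for the RRSIG and DNSKEY records to disappear (signatures are only dropped after the keys' delete time has passed and named has re-signed), confirm with `zone_has_no_dnskey`, and then remove `inline-signing`, `auto-dnssec` and `dnssec-secure-to-insecure` from the stanza and `rndc reconfig`.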

