List: bind-users
Subject: Re: Converting an inline-signed zone to unsigned
From: Alan Clegg <alan () clegg ! com>
Date: 2014-02-19 18:58:01
Message-ID: 5304FEB9.80601 () clegg ! com
On 2/19/14, 8:59 PM, Chris Thompson wrote:
> What is the right way ... or maybe I should be asking IS there a right
> way ... to change a zone that has been signed by inline signing (i.e. with
> "inline-signing yes; auto-dnssec maintain;" in its zone statement) to
> unsigned?
>
> When I change the zone statement to remove the inline signing part, and
> update the SOA serial in the zone file for good measure, and then do
> either "rndc reload" or "rndc reconfig", I get messages like
>
> named[22954]: general: error: zone playground.test/IN:
> journal rollforward failed: journal out of sync with zone
> named[22954]: general: error: zone playground.test/IN:
> not loaded due to errors.
>
> and the zone goes into SERVFAIL state.
>
> The only way I found out of this was to remove the [zone-file].signed
> and [zone-file].signed.jnl files manually, and *then* do "rndc reconfig".
> Surely there must be something better than that?
>
Have you tried setting "dnssec-secure-to-insecure" then setting all of
the keys to deleted?
AlanC