Freeze/thaw and signed zone files

[@lbutlr]

I edited a zone file after issuing a rndc freeze command, added two new sub zones, changed the serial number, saved the file, and then did an rndc thaw.

In var/log.messages I get

zone serial (2019020105) unchanged. zone may fail to transfer to slaves.

which is the previous serial number.

So, I tried to move the .signed file aside, thinking maybe thaw might recreate it, But no, it complains the file doesn’t exist, so I put it back.

Is it possible for me to edit the zone file (as in with vim) and have bind update, or do I have to do everything through nsupdate and never access the zone files directly?

At this point, how do I get the zone updated?

If I try to dig for the new subdomains that are in the zone, they do not resolve, and all the information in DNS is the information that was there on 21090201.

I am currently updating to bind912-9.12.3P1_3 to see if anything changes.

--
If you think that Mick Jagger will still be doing the whole rock star
thing at age fifty, well, then, you are sorely, sorely mistaken.

[Grant Taylor]

On 02/21/2019 01:34 PM, @lbutlr via bind-users wrote:
> I edited a zone file after issuing a rndc freeze command, added two new
> sub zones, changed the serial number, saved the file, and then did an
> rndc thaw.

I don't see an "rndc flush <zone>" in there.

Which means that BIND likely still has the journal of the zone. And
BIND prefers the journal over the actual textual representation of the zone.

> zone serial (2019020105) unchanged. zone may fail to transfer to slaves.
>
> which is the previous serial number.

I would expect this if you edited the zone file and the journal file
wasn't flushed.

> So, I tried to move the .signed file aside, thinking maybe thaw might
> recreate it, But no, it complains the file doesn’t exist, so I put
> it back.

I don't think this is related to DNSSEC.

> Is it possible for me to edit the zone file (as in with vim) and have
> bind update, or do I have to do everything through nsupdate and never
> access the zone files directly?

Yes, it is certainly possible to edit zone files outside of BIND's control.

rndc freeze $ZONE
rndc flush $ZONE
$EDITOR $ZONE
rndc thaw $ZONE

I don't recall if reloading or thawing will automatically re-sign the
zone or if you need to also explicitly "rndc sign $ZONE".

> At this point, how do I get the zone updated?

Use the method above, or some sort of dynamic update.

> If I try to dig for the new subdomains that are in the zone, they do
> not resolve, and all the information in DNS is the information that was
> there on 21090201.

That sounds like the old contents of the zone which are still in the
journal file.

> I am currently updating to bind912-9.12.3P1_3 to see if anything changes.

I don't think changing the BIND version will change anything.



--
Grant. . . .
unix || die

[@lbutlr]

> On 21 Feb 2019, at 13:41, Grant Taylor via bind-users <bind-...@lists.isc.org> wrote:
>
> On 02/21/2019 01:34 PM, @lbutlr via bind-users wrote:
>> I edited a zone file after issuing a rndc freeze command, added two new sub zones, changed the serial number, saved the file, and then did an rndc thaw.
>
> I don't see an "rndc flush <zone>" in there.

OK, but rndc flush example.com results in:

rndc: 'flush' failed: not found

> rndc freeze $ZONE
> rndc flush $ZONE
> $EDITOR $ZONE
> rndc thaw $ZONE

Other than the flush, that is what I did.

> I don't recall if reloading or thawing will automatically re-sign the zone or if you need to also explicitly "rndc sign $ZONE”.

Sign recreates the .jnl file, but doesn’t touch the .signed file.

Doing the following recreated the .signed file, but still didn’t add the new subdomains.

Freeze, flush, edit, thaw,

Then service named stop, service named start.

Had a previous subdomain gallery and it is listed in both the zone file and the signed file

Zone:
gallery CNAME www

zone.signed:
gallery CNAME www

Added a new sub zone, cam

Zone:
cam CNAME www

zone.signed:
<nothing>

This matches up with the results from dig. So, now I do have a .signed file that has the serial number updated to match the zone file, but still doesn’t contain the new sub zones.

So, I did the whole dance again. Freeze, flush, edit (change serial, add another subdomain, thaw, stop/start). Nothing. But the time stamp on the .signed file changes.

And I misspoke earlier, the serial number in the signed file’s SOA didn’t change, but the serial numbers/dates in the RRSIG did update.

--
This wasn't a proper land. The sky was blue, not flaming with all the
colours of the aurora. And time was passing. To a creature not born
subject to time, it was a sensation not unakin to falling. --Lords and
Ladies

[Noel Butler]

On 22/02/2019 07:03, @lbutlr via bind-users wrote:

I don't recall if reloading or thawing will automatically re-sign the zone or if you need to also explicitly "rndc sign $ZONE".

Sign recreates the .jnl file, but doesn't touch the .signed file.

Doing the following recreated the .signed file, but still didn't add the new subdomains.

Freeze, flush, edit, thaw,

Then service named stop, service named start.

 

 

 

freeze, edit, thaw, rndc_reload  is all thats needed

 

--

Kind Regards,

Noel Butler

This Email, including any attachments, may contain legally privileged information, therefore remains confidential and subject to copyright protected under international law. You may not disseminate, discuss, or reveal, any part, to anyone, without the authors express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments, immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message. Only PDF and ODF documents accepted, please do not send proprietary formatted documents

[Grant Taylor]

On 02/21/2019 02:03 PM, @lbutlr via bind-users wrote:
> OK, but rndc flush example.com results in:
>
> rndc: 'flush' failed: not found

*FACEpalm*

I'm sorry. I gave you the wrong command. You want "sync", not "flush".
My brain always thinks "flush the journal to disk" when it's really
supposed to be "sync the journal to disk". You can pass the optional
"-clean" command to cause BIND to remove the synced journal file.

"flush" is flushing caches, and you can optionally specify a view. I'm
guessing that you don't have a view named "example.com".

> Then service named stop, service named start.

When you use the proper commands, you don't need to restart the named
service. You can also use rndc reload without needing to restart the
named service.

[@lbutlr]

>> OK, but rndc flush example.com results in:
>> rndc: 'flush' failed: not found
>
> *FACEpalm*
>
> I'm sorry. I gave you the wrong command. You want "sync", not "flush". My brain always thinks "flush the journal to disk" when it's really supposed to be "sync the journal to disk". You can pass the optional "-clean" command to cause BIND to remove the synced journal file.
>
> "flush" is flushing caches, and you can optionally specify a view. I'm guessing that you don't have a view named "example.com".
>
>> Then service named stop, service named start.
>
> When you use the proper commands, you don't need to restart the named service. You can also use rndc reload without needing to restart the named service.

rndc reload did not recreate (or at least update the time stamp) on the .signed file.

But at no point do I get the new subdomains I added to the zone added to the zone.signed

I’ll try sync clean and see if I get further.

Nope, now the .signed file isn’t touched at all after the zone file is edited.

zone "example.com" { type master; file "master/example.com.signed"; update-policy local; auto-dnssec maintain; };

So I am still with a zone file that contains two subdomains that are not represented in the .signed zone file, so do not load and nothing that I do seems to be able to recreate the .signed file with the correct information.

Is the original random key that was generated at the time of signing kept somewhere? NSEC3 seems to contain a 16 character hex sting that recurs throughout the file.

--
all your snowflakes are urine and you can't even find the cat

[@lbutlr]

On 21 Feb 2019, at 18:28, @lbutlr <kre...@kreme.com> wrote:
> Is the original random key that was generated at the time of signing kept somewhere? NSEC3 seems to contain a 16 character hex sting that recurs throughout the file.

OK, I moved aside the signed file, resigned the domain using the 16 character string I found repeated in the original .signed file and the dsset file contained the same strings, and the signed file was created anew and it contains the new subdomains. So, that immediate problem is solved.

First instance is on NSEC3PARAM parma line, so awk '/NSEC3PARAM 1/{ print $NF}’ zone.signed

--
people didn't seem to be able to remember what it was like with the
elves around. Life was certainly more interesting then, but usually
because it was shorter. And it was more colourful, if you liked the
colour of blood. --Lords and Ladies

[Grant Taylor]

On 2/21/19 6:28 PM, @lbutlr wrote:
> rndc reload did not recreate (or at least update the time stamp) on the
> .signed file.

Hum. Maybe it's something different about how you're doing DNSSEC than
I am.

I have BIND managing DNSSEC for me via "auto-dnssec maintain;". So I
don't get .signed files.

I was just able to do the following:

rndc freeze $ZONE
rndc sync -clean $ZONE
$EDITOR $ZONEFILE
rndc thaw $ZONE
rndc sign $ZONE

I did have to manually do the "rndc sign" for DNSViz to be happy with
the new test entry. I don't know if that's expected or not.

> But at no point do I get the new subdomains I added to the zone added
> to the zone.signed

The new record showed up exactly as expected.

Granted, I only added an A record and didn't create a new sub-domain.

> I’ll try sync clean and see if I get further.
>
> Nope, now the .signed file isn’t touched at all after the zone file
> is edited.
>
> zone "example.com" { type master; file "master/example.com.signed";
> update-policy local; auto-dnssec maintain; };

I don't have .signed files.

> So I am still with a zone file that contains two subdomains that are
> not represented in the .signed zone file, so do not load and nothing
> that I do seems to be able to recreate the .signed file with the correct
> information.

Does your actual zone file have the DNSSEC records in it? That's where
mine are. I don't have a separate unsigned zone file.

> Is the original random key that was generated at the time of signing
> kept somewhere? NSEC3 seems to contain a 16 character hex sting that
> recurs throughout the file.

I believe so. Do you have a "managed-keys-directory" entry in your
named.conf file? (I do. My .key and .private files are in the
specified directory.)

[@lbutlr]

On 21 Feb 2019, at 20:43, Grant Taylor via bind-users <bind-...@lists.isc.org> wrote:
>
> On 2/21/19 6:28 PM, @lbutlr wrote:
>> rndc reload did not recreate (or at least update the time stamp) on the .signed file.
>
> Hum. Maybe it's something different about how you're doing DNSSEC than I am.
>
> I have BIND managing DNSSEC for me via "auto-dnssec maintain;". So I don't get .signed files.

the .signed files were created when I first signed the zones with dnssec-signzone which is what gave me the dsset file containing the information I needed to add DNSSEC to my domain's registrar.

dnssec-signzone -3 $(head -c 1000 /dev/random | shasum | cut -b 1-16) -A -N INCREMENT -o ZONE -t ZONEFILE

I was assuming, perhaps wrongly, that these ,signed files continue to be required, as they were placed alongside the regular zone files.

> I was just able to do the following:
>
> rndc freeze $ZONE
> rndc sync -clean $ZONE
> $EDITOR $ZONEFILE
> rndc thaw $ZONE
> rndc sign $ZONE
>
> I did have to manually do the "rndc sign" for DNSViz to be happy with the new test entry. I don't know if that's expected or not.

Overnight, many of my zones have new zone.signed.jnl files

> Does your actual zone file have the DNSSEC records in it? That's where mine are. I don't have a separate unsigned zone file.

I have three files for each zone:

example.com (less than 2K, unsigned, no DNSSEC info, contains $INCLUDE lines at the end for the two public keys.

example.com.signed (12K, All the DNSSEC info)

example.com.signed.jnl (Created by bind, about double the size of .signed and a binary file) This file is updated when I issue the rind sign ZONE command.

> I believe so. Do you have a "managed-keys-directory" entry in your named.conf file? (I do. My .key and .private files are in the specified directory.)

My private files are in that directory, I have the public ones in both the directory and the master/ directory Which is what seems to be needed (probably because of the include statement).

In named.conf I have

zone "example.com" { type master; file "master/example.com.signed"; update-policy local; auto-dnssec maintain; };

--
"Alas, earwax."

[Tony Finch]

Grant Taylor via bind-users <bind-...@lists.isc.org> wrote:
>

> I'm sorry. I gave you the wrong command. You want "sync", not "flush".

You don't need to sync as well as freeze: `rndc freeze` also syncs the zone.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Faeroes, Southeast Iceland: Southerly, veering southwesterly, 7 to severe gale
9, perhaps storm 10 later in Southeast Iceland. Very rough or high. Rain.
Moderate, occasionally poor.

[Tony Finch]

@lbutlr <kre...@kreme.com> wrote:
>
> Nope, now the .signed file isn’t touched at all after the zone file is edited.
>

> zone "example.com" {
> type master;
> file "master/example.com.signed";
> update-policy local;
> auto-dnssec maintain;
> };

It sounds to me like you are expecting it to work in inline-signing mode,
but you have not configured it that way. With the configuration above,
`named` will never read or write to the unsigned zone.

You might want a config like

zone "example.com" {
type master;
file "master/example.com";
update-policy local;
auto-dnssec maintain;
inline-signing yes;
};

Alternatively, with your current config you can update the zone using
https://dotat.at/prog/nsdiff/ like this:

nsdiff example.com master/example.com | nsupdate -l

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/

Portland, Plymouth, Biscay, East Fitzroy: Southeasterly 4 or 5, occasionally 6
in Plymouth and Fitzroy, becoming variable 3 or 4 later. Moderate or rough,
occasionally very rough except in Portland. Fair, but rain in Fitzroy. Good,
occasionally poor.

[@lbutlr]

On 22 Feb 2019, at 09:54, Tony Finch <d...@dotat.at> wrote:
> You might want a config like
>
> zone "example.com" {
> type master;

> file "master/example.com”;

Not example.com.signed?

> update-policy local;
> auto-dnssec maintain;
> inline-signing yes;
> };
>
> Alternatively, with your current config you can update the zone using
> https://dotat.at/prog/nsdiff/ like this:
>
> nsdiff example.com master/example.com | nsupdate -l

Where the second one of those is my example.com.signed file?

Is nsdiff a separate package? It’s not on my FereeBSD 11.2 system with Bind 9.12

--
Well boys, we got three engines out, we got more holes in us than a
horse trader's mule, the radio is gone and we're leaking fuel and if we
was flying any lower why we'd need sleigh bells on this thing... but we
got one little budge on those Roosskies. At this height why they might
harpoon us but they dang sure ain't gonna spot us on no radar screen!

[Tony Finch]

@lbutlr via bind-users <bind-...@lists.isc.org> wrote:
> On 22 Feb 2019, at 09:54, Tony Finch <d...@dotat.at> wrote:
> > You might want a config like
> >
> > zone "example.com" {
> > type master;
> > file "master/example.com”;
>
> Not example.com.signed?

No, in inline-signing mode the zone you interact with is the unsigned
version; the signed version belongs entirely to `named` and you don't
touch it.

> > Alternatively, with your current config you can update the zone using
> > https://dotat.at/prog/nsdiff/ like this:
> >
> > nsdiff example.com master/example.com | nsupdate -l
>
> Where the second one of those is my example.com.signed file?

No, the unsigned file, as I said. `nsdiff` works out the differences
between the current live version of example.com (which it fetches by AXFR)
and the new version (on disk in `master/example.com`) and produces a
script for `nsupdate` that will make the live (signed) version match. Your
config says the live version is in `master/example.com.signed`.

It works in a similar way to inline-signing mode, except you have more
control over how changes propagate from the unsigned version to the signed
one.

> Is nsdiff a separate package? It’s not on my FereeBSD 11.2 system with Bind 9.12

Get it from the link above, if you want :-)

[@lbutlr]

I did try manually updating vi nsupdate -l

> zone example.com
> update add example.com. 86400 IN SOA ns1.example.net. admin.example.com. 2019022200 3600 300 1209600 3600
> update add konamicode.example.com. 86400 IN CNAME www.example.com.
> send
; Communication with ::1#53 failed: timed out
update failed: FORMERR

Why is it defaulting to IPv6? This system is not setup for IPv6. Do I have to setup named.conf to listen on ::1?

Also, confusingly, despite the error the zone WAS updated.

--
There used to be such simple directions, back in the days before they
invented parallel universes - Up and Down, Right and Left, Backward and
Forward, Past and Future... But normal directions don't work in the
multiverse, which has far too many dimensions for anyone to find their
way. So new ones have to be invented so that the way can be found. Like:
East of the Sun, West of the Moon Or: Behind the North Wind. Or: At the
Back of Beyond. Or: There and Back Again. Or: Beyond the Fields We
Know. --Lords and Ladies

[@lbutlr]

On 22 Feb 2019, at 12:12, Tony Finch <d...@dotat.at> wrote:
> Get it from the link above, if you want :-)

Doh!

OK, got it, installed it, changed the path to perl, and that’s pretty slick.

--
"I don't think the kind of friends I'd have would care.”

[@lbutlr]

On 22 Feb 2019, at 12:28, @lbutlr <kre...@kreme.com> wrote:
> ; Communication with ::1#53 failed: timed out

I am still getting this error whenever I try to make a change in the zone with nsupdate -l, should I not worry about it?

I mean, the records appear to be updating… 🤷🏼‍♀️

--
First we must assume a spherical cow.

[Mark Andrews]

On IPv6 why wouldn’t you support it? The world ran out of IPv4 addresses years ago and IPv4 is only limping along now due to ISPs spending big money to put in CGN boxes which you are paying for.

Turning on IPv6 reduces the required size of these CGN boxes with on average 70% of residential traffic switching to it. This in turn reduces costs.

Named will already be using IPv6 for queries it is making as that is enabled by default.
--
Mark Andrews

> On 23 Feb 2019, at 06:28, @lbutlr <kre...@kreme.com> wrote:
>
> I did try manually updating vi nsupdate -l
>
>> zone example.com
>> update add example.com. 86400 IN SOA ns1.example.net. admin.example.com. 2019022200 3600 300 1209600 3600
>> update add konamicode.example.com. 86400 IN CNAME www.example.com.
>> send

> ; Communication with ::1#53 failed: timed out

> update failed: FORMERR
>
> Why is it defaulting to IPv6? This system is not setup for IPv6. Do I have to setup named.conf to listen on ::1?
>
> Also, confusingly, despite the error the zone WAS updated.
>
> --
> There used to be such simple directions, back in the days before they
> invented parallel universes - Up and Down, Right and Left, Backward and
> Forward, Past and Future... But normal directions don't work in the
> multiverse, which has far too many dimensions for anyone to find their
> way. So new ones have to be invented so that the way can be found. Like:
> East of the Sun, West of the Moon Or: Behind the North Wind. Or: At the
> Back of Beyond. Or: There and Back Again. Or: Beyond the Fields We
> Know. --Lords and Ladies
>
>
>
>

> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-...@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

[@lbutlr]

On 23 Feb 2019, at 14:45, Mark Andrews <ma...@isc.org> wrote:
> On IPv6 why wouldn’t you support it?

Our ISP does not support it. We get 5 static IPv4 addresses and no IPv6 at all.

--
Critics look at actresses one of two ways: you're either bankable or
boinkable.

[Noel Butler]

On 23/02/2019 05:28, @lbutlr wrote:

I did try manually updating vi nsupdate -l

zone example.com
update add example.com. 86400 IN SOA      ns1.example.net. admin.example.com. 2019022200 3600 300 1209600 3600
update add konamicode.example.com. 86400 IN CNAME       www.example.com.
send

; Communication with ::1#53 failed: timed out
update failed: FORMERR

Why is it defaulting to IPv6? This system is not setup for IPv6. Do I have to setup named.conf to listen on ::1?

Obviously your machine *is* setup for IPv6,  it's just not configured, named sees the capability, so tries it.

I bet ifconfig shows it,   below is an example from this pc which does not use IPv6...

lo:
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>

probably eth0 does as well

eth0:
  inet6 fe80::e2cb:4eff:feda:9842 prefixlen 64 scopeid 0x20<link>

You might also want to read up on  gai.conf  and set some precedence's, I dont use it, but on slackware I dont have the problems you have, it might help - I recall having to use it well over 10 years ago on a few centos servers we inherited at the time.