What causes named-checkzone to provide ; resign strings?


Gilbert, Stephen
We have a series of bind9 nameservers (running some 9.9 and some 9.10). On our slave zones, which are all reading identical slave zone files, one of our servers is running the Red Hat default bind 9.9.4-74. The other servers are running bind compiled directly from ISC's source. When we issue a named-checkzone on any of the ones compiled straight from ISC's source, after every RRSIG line, we see a ; resign line that contains the date/time of that resign. When we issue the same command on Red Hat's default, we get all of the same information, minus that line.

I was wondering if anyone could tell me what exactly produces that line. I see in the bind source code a comment that it is "Only valid if DNS_RDATASETATTR_RESIGN is set in attributes." Where would this be set? If it's in the attributes of the signed zone file, I would think that it should be there, as when any other server reads the same files the data appears. Is this some compile time option? Is there a config file somewhere on the Linux server itself that needs to set this? Really any pointer in the right direction would be appreciated.

Example of the symptom:
First, the server running Red Hat standard, which does not produce the ; resign line:
[root@rutl800p slaves]# named-checkzone -j -f raw -o - myzone.com /var/named/slaves/db.myzone.com.signed
zone myzone.com/IN: loaded serial 1460033625 (DNSSEC signed)
myzone.com.      3600 IN SOA rutl601p.mylocaldomain.com. hostmaster.mydomain.com. 1460033625 7200 3600 604800 3600
myzone.com.      3600 IN RRSIG SOA 13 2 3600 20190716190406 20190616180406 59573 myzone.com. /HXXeswjocBRCgOftRGwX3EeLYSXXBS8r70oJ/K2rZvn301D7XUKr7nf C4QC1bhM+qRIesK0bkCy02KDHR3YVg==
myzone.com.      3600 IN NS ns1.mydomain.com.

Then the other servers that *do* produce it.
[root@rutl801p slaves]# named-checkzone -j -f raw -o - myzone.com /var/named/slaves/db.myzone.com.signed
zone myzone.com/IN: loaded serial 1460033625 (DNSSEC signed)
myzone.com.      3600 IN SOA rutl601p.mylocaldomain.com. hostmaster.mydomain.com. 1460033625 7200 3600 604800 3600
myzone.com.      3600 IN RRSIG SOA 13 2 3600 20190716190406 20190616180406 59573 myzone.com. /HXXeswjocBRCgOftRGwX3EeLYSXXBS8r70oJ/K2rZvn301D7XUKr7nf C4QC1bhM+qRIesK0bkCy02KDHR3YVg==
; resign=20190716190406
myzone.com.      3600 IN NS ns1.mydomain.com.


Stephen Gilbert

Systems Administrator

 




_______________________________________________

bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users