Proper way to reload master zone on bind9 doing inline-signing

bind, dnssec

I have a master BIND9 (v9.10.3) properly serving several signed zones (verified with dnsviz, etc.)

I have not been able to find in any documentation a proper way to reload and resign a static zone file. (my zones are not dynamic). To get updated zones to serve reliably I have had to stop bind, delete the .signed, .signed.jnl and .jbk files, update/replace the zone master file, then restart. Not good, but nothing else I tried worked.

Can I update the zone master then execute (which?) rndc command to reload and resign the zone? And would there be a delay on the results of that operation?

Is there any online DNSSEC BIND admin that you've found helpful?
I have a good number bookmarked but none seemed to address this basic operation, or else I missed it. Thanks!

Best Answer

When updating the unsigned zone file, be sure to increase the serial number. Depending on your setup (i.e., if using serial-update-method), BIND generates new serials on its own, e.g. when adding NSEC3 RRs. So it might not be enough to just increase the serial by one; however, you can look it up easily using dig:

dig @localhost example.com SOA

After updating your zone file, issue a reload:

rndc reload

Edit:

For dynamic zones, issue a

rndc freeze

before editing the unsigned zone file, and continue accepting dynamic updates afterwards:

rndc thaw
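As an added example (not part of the question or the answer above), here is a POSIX shell script that follows the answer's procedure for a static, inline-signed zone: read the serial BIND is currently serving with dig, read the serial in the unsigned zone file, set the file's serial above both, check the file with named-checkzone, and rndc reload the zone. It assumes dig, named-checkzone and rndc are on PATH, a resolver answers on localhost, and rndc has a working key; the zone file used by its --demo mode is constructed for illustration and the script name bump-serial.sh is hypothetical.

```shell
#!/bin/sh
# Added example: bump the serial of a static, inline-signed zone past both the
# serial in the unsigned file and the serial BIND currently serves, then reload.
# Usage: bump-serial.sh ZONE FILE    or    bump-serial.sh --demo (no BIND needed)

# awk program shared by the get/set helpers. The SOA serial is taken as the
# first all-digit token after the SOA keyword, MNAME and RNAME, with ';'
# comments stripped, so one-line and parenthesised multi-line SOAs both work.
AWK_SOA='
function replace_token(s, old, repl,    start, p, before, after) {
  start = 1
  while ((p = index(substr(s, start), old)) > 0) {
    p += start - 1
    before = (p > 1) ? substr(s, p - 1, 1) : ""
    after = substr(s, p + length(old), 1)
    if (before !~ /[0-9]/ && after !~ /[0-9]/)
      return substr(s, 1, p - 1) repl substr(s, p + length(old))
    start = p + 1
  }
  return s
}
{
  out = $0
  if (!done) {
    line = $0
    sub(/;.*/, "", line)
    n = split(line, tok, /[ \t()]+/)
    for (i = 1; i <= n && !done; i++) {
      t = tok[i]
      if (t == "") continue
      if (!seen_soa) { if (toupper(t) == "SOA") { seen_soa = 1; skip = 2 }; continue }
      if (skip > 0) { skip--; continue }
      if (t ~ /^[0-9]+$/) {
        done = 1
        if (mode == "get") { print t; exit }
        out = replace_token(out, t, new)
      }
    }
  }
  if (mode == "set") print out
}'

# Print the serial found in an unsigned zone file.
soa_serial_from_file() { awk -v mode=get "$AWK_SOA" "$1"; }

# Rewrite the serial in place (temp file + mv; sed -i is not portable).
set_zone_serial() {
  awk -v mode=set -v new="$2" "$AWK_SOA" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# New serial = max(served serial, file serial) + 1, as the answer advises:
# inline-signing may have raised the served serial above the file's.
next_serial() {
  served=${1:-0}; infile=${2:-0}
  if [ "$served" -gt "$infile" ]; then echo $((served + 1)); else echo $((infile + 1)); fi
}

reload_static_zone() {
  zone=$1; file=$2
  # dig +short SOA prints: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
  served=$(dig +short @localhost "$zone" SOA | awk '{ print $3 }')
  current=$(soa_serial_from_file "$file")
  new=$(next_serial "${served:-0}" "$current")
  set_zone_serial "$file" "$new"
  named-checkzone "$zone" "$file" >/dev/null || return 1
  rndc reload "$zone"
  echo "reloaded $zone with serial $new (was serving ${served:-none})"
}

# Constructed zone file for an offline demonstration of the helpers.
demo() {
  f=$(mktemp)
  printf '%s\n' '$TTL 3600' \
    '@   IN  SOA ns1.example.com. hostmaster.example.com. (' \
    '        2024010101 ; serial' \
    '        3600 900 604800 86400 )' \
    '    IN  NS  ns1.example.com.' > "$f"
  echo "file serial: $(soa_serial_from_file "$f")"
  set_zone_serial "$f" "$(next_serial 2024010105 "$(soa_serial_from_file "$f")")"
  echo "file serial after bump: $(soa_serial_from_file "$f")"
  rm -f "$f"
}

case "${1:-}" in
  --demo) demo ;;
  "") ;;
  *) reload_static_zone "$1" "$2" ;;
esac
```

The serial is compared against what the server answers, not only against the file, because with inline-signing the served serial can run ahead of the unsigned file; if a reload appears to do nothing, compare `dig @localhost ZONE SOA` before and after and confirm the file's serial really moved above the served one.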