BIND 9.16, must stop named, delete .jnl files for signed zones to be updated
Summary
For a signed zone to be updated I have to stop named, delete all the "." files, update the serial number and then start named again. If I do a normal update, just update the serial number and then run "rndc reload", I get this error message: "29-May-2021 13:54:52.008 general: error: zone ******.se/IN (signed): receive_secure_serial: unchanged", and the zone doesn't update. I have had this issue in previous versions too; now I run 9.16.16.
BIND version used
BIND 9.16.16 (Stable Release) <id:0c314d8>
running on Linux x86_64 4.18.0-305.el8.x86_64 #1 SMP Thu Apr 29 08:54:30 EDT 2021
built by make with '--prefix=/service/dns/bind-9.16.16' '--sysconfdir=/data/dns/named' '--localstatedir=/var' '--with-openssl=/service/dns/openssl' 'LDFLAGS=-ldl'
compiled by GCC 8.4.1 20200928 (Red Hat 8.4.1-1)
compiled with OpenSSL version: OpenSSL 1.1.1k 25 Mar 2021
linked to OpenSSL version: OpenSSL 1.1.1k 25 Mar 2021
compiled with libuv version: 1.23.1
linked to libuv version: 1.23.1
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
default paths:
named configuration: /data/dns/named/named.conf
rndc configuration: /data/dns/named/rndc.conf
DNSSEC root key: /data/dns/named/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
Steps to reproduce
Update the serial number for a signed zone and then do an "rndc reload".
What is the current bug behavior?
The zone doesn't update
What is the expected correct behavior?
The zone should be updated after I have changed the serial number
Relevant configuration files
I use a manual policy for signed zones, "dnssec-policy modified;":
dnssec-policy "modified" {
    keys {
        csk lifetime unlimited algorithm rsasha256 2048;
    };
};
Relevant logs and/or screenshots
"29-May-2021 13:54:52.008 general: error: zone ******.se/IN (signed): receive_secure_serial: unchanged"
Possible fixes
The workaround is to stop named, delete all "." files (.jbk, .jnl, .signed, .signed.jnl), update the serial number, and start named again.
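As an added example (not code from the issue or from BIND), here is the workaround from the report scripted with the checks an operator would want: the state files are moved to a backup directory rather than deleted, and the script verifies that the new serial is really higher than the old one, which is the condition the "receive_secure_serial: unchanged" message refers to. It assumes the SOA owner, MNAME and RNAME are on the same line; the zone name, paths and the sample zone file are constructed.

```shell
# Added example (not from the issue or BIND): the report's workaround as a script,
# with safety checks. Zone name, paths and the sample zone file are constructed.
set -eu
# soa_serial ZONEFILE: print the SOA serial (first number after the RNAME),
# whether the SOA record is on one line or in a parenthesised block.
soa_serial() {
  awk '/[[:space:]]SOA[[:space:]]/ { insoa = 1
          sub(/.*SOA[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+/, "") }
       insoa { sub(/;.*/, ""); gsub(/[()]/, " ")
               for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }' "$1"
}
# bump_serial ZONEFILE: rewrite the serial as old+1 in place, print the new value.
bump_serial() {
  old=$(soa_serial "$1"); new=$((old + 1))
  awk -v new="$new" '
    !done && /[[:space:]]SOA[[:space:]]/ {        # split off owner..RNAME as "head"
      match($0, /.*SOA[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+/)
      head = substr($0, 1, RLENGTH); $0 = substr($0, RLENGTH + 1); insoa = 1 }
    insoa && !done {                               # first number outside a comment
      c = index($0, ";"); body = c ? substr($0, 1, c - 1) : $0
      if (match(body, /[0-9]+/)) {
        $0 = substr($0, 1, RSTART - 1) new substr($0, RSTART + RLENGTH); done = 1 } }
    { print head $0; head = "" }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  echo "$new"
}

# stash_journals ZONEFILE BACKUPDIR: move the inline-signing state files aside
# instead of deleting them, so unsynced journal content stays inspectable.
stash_journals() {
  mkdir -p "$2"
  for suffix in .jbk .jnl .signed .signed.jnl; do
    if [ -e "$1$suffix" ]; then mv "$1$suffix" "$2/"; fi
  done
}

# workaround ZONENAME ZONEFILE: the steps between "stop named" and "start named".
workaround() {
  old=$(soa_serial "$2")
  stash_journals "$2" "$(dirname "$2")/journal-backup-$(date +%Y%m%dT%H%M%S)"
  new=$(bump_serial "$2")
  [ "$new" -gt "$old" ] || { echo "serial did not increase" >&2; return 1; }  # what receive_secure_serial checks
  echo "$new"
}

# Constructed sample: a raw zone file plus empty stand-ins for the state files.
d=$(mktemp -d)
printf '$TTL 3600\n@ IN SOA ns1.example.se. hostmaster.example.se. (\n    2021052901 ; serial\n    3600 900 1209600 3600 )\n  IN NS ns1.example.se.\n' > "$d/example.se.zone"
for s in .jbk .jnl .signed .signed.jnl; do : > "$d/example.se.zone$s"; done
workaround example.se "$d/example.se.zone"   # prints 2021052902
rm -rf "$d"
```

Run named-checkzone on the rewritten raw zone file before starting named again, so a bad edit is caught before it reaches the signer.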