bind makes RRSIG disappear?

Gilles Massen gilles.massen at
Sun Feb 6 19:37:22 UTC 2011


thanks for the hint, but:

On 6/2/11 19:20 , Chris Thompson wrote:
> On Feb 6 2011, Gilles Massen wrote:
>> I have a very peculiar behavior: a zone, signed by OpenDNSSEC and
>> pushed to Bind 9.7.2-P3 by scp was working fine. But now, completely
>> out of the blue, Bind decides to claim some authority over the zone:
>> the SOA RRSIG (only that one) is scrapped, and this is logged:


> Presumably you are defining the zone to BIND as "type master".


> Does your configuration also have an "allow-update" setting
> (other than "none") for it, maybe only for the instance that
> is giving you trouble? In that case BIND will take it that you
> want it to do resigning as the RRSIGs approach expiry.

The only allow-update is in the options section, and none.

BTW, the config has not changed in months, only the zone got only 
signed. Besides, at least the SOA RRSIG is pretty recent. Other 
signatures that disappear are still 7 days from expiry.


More information about the bind-users mailing list