bind makes RRSIG disappear?
Gilles Massen
gilles.massen at restena.lu
Mon Feb 7 07:29:39 UTC 2011
Mark,
On 02/06/2011 10:41 PM, Mark Andrews wrote:
> Mark Andrews writes:
>>
>>>
>>>> Does your configuration also have an "allow-update" setting
>>>> (other than "none") for it, maybe only for the instance that
>>>> is giving you trouble? In that case BIND will take it that you
>>>> want it to do resigning as the RRSIGs approach expiry.
>>>
>>> The only allow-update is in the options section, and none.
>>
>> Get rid of the allow-update and allow the default of no acl to work.
>
> The test that decides that the zone may need to be re-signed doesn't
> take the "none;" acl into account. Currently it is
> "if (acl != NULL || ssu != NULL)" and should become
> "if ((acl != NULL && !isnone(acl)) || ssu != NULL)".
Thanks, this works indeed.
This raises a few questions, as I'd really like to understand bind's
behavior:
- is there any description of exactly how/when Bind assumes signing
authority over a zone? Or simply where some kind of zone-manipulating
intelligence kicks in?
- is it possible to disable this kind of intelligence (possibly at
compile time)?
- if not: a config switch (or compile-time option) would really be
appreciated. The zone option "auto-dnssec off;" did not prevent bind
from trying to sign the zone.
Best,
Gilles
--
Fondation RESTENA - DNS-LU
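As an added illustration (not part of this thread and not BIND's own code), the following C model shows why an explicit `allow-update { none; };` in `options` made the zone look "dynamic" to the old test quoted above, and why the corrected test treats it the same as having no ACL at all. The `acl_t` struct, the `isnone()` stand-in and the two `needs_resign_*` functions are constructed for this example; BIND's real ACL type and predicate names are not assumed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of an address-match-list ACL: we only track how
 * many elements could ever match a client. "none" is modelled as an
 * ACL with zero positive elements. */
typedef struct {
    int n_positive;   /* elements that can match some address */
} acl_t;

/* Stand-in for the isnone() predicate mentioned in the thread
 * (hypothetical helper for this example, not BIND's own function). */
static bool isnone(const acl_t *acl) {
    return acl->n_positive == 0;
}

/* The decision as quoted "currently": any configured allow-update ACL,
 * even "none;", is taken as a sign the zone is dynamic and may need
 * re-signing as RRSIGs approach expiry. */
bool needs_resign_old(const acl_t *acl, const void *ssu) {
    return acl != NULL || ssu != NULL;
}

/* The corrected decision from the thread: an ACL that matches nothing
 * counts the same as no ACL; only a real ACL or an update-policy (ssu)
 * makes the zone eligible for automatic re-signing. */
bool needs_resign_new(const acl_t *acl, const void *ssu) {
    return (acl != NULL && !isnone(acl)) || ssu != NULL;
}

/* Constructed configurations for the comparison below. */
const acl_t ACL_NONE      = { 0 };   /* allow-update { none; }; */
const acl_t ACL_LOCALHOST = { 1 };   /* allow-update { localhost; }; */

int main(void) {
    printf("allow-update none, old test : %d\n", needs_resign_old(&ACL_NONE, NULL));
    printf("allow-update none, new test : %d\n", needs_resign_new(&ACL_NONE, NULL));
    printf("no allow-update,   new test : %d\n", needs_resign_new(NULL, NULL));
    printf("allow-update lh,   new test : %d\n", needs_resign_new(&ACL_LOCALHOST, NULL));
    return 0;
}
```

With the old test a global `allow-update { none; };` still evaluates to "dynamic", which matches the symptom reported at the top of the thread; with the corrected test the zone is only considered for re-signing when a matching ACL or an update-policy is actually configured.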