bind makes RRSIG disappear?

Gilles Massen gilles.massen at
Mon Feb 7 07:29:39 UTC 2011


On 02/06/2011 10:41 PM, Mark Andrews wrote:
> Mark Andrews writes:
>>>> Does your configuration also have an "allow-update" setting
>>>> (other than "none") for it, maybe only for the instance that
>>>> is giving you trouble? In that case BIND will take it that you
>>>> want it to do resigning as the RRSIGs approach expiry.
>>> The only allow-update is in the options section, and none.
>> Get rid of the allow-update and allow the default of no acl to work.
> The test that decides that the zone may need to be re-signed doesn't
> take the "none;" acl into account.  Currently it is
> "if (acl != NULL || ssu != NULL)" and should become
> "if ((acl != NULL && !isnone(acl)) || ssu != NULL)".

Thanks, this works indeed.

This raises a few questions, as I'd really like to understand bind's

- is there any description of exactly how/when Bind assumes signing
authority over a zone? Or simply where some kind of zone-manipulating
intelligence kicks in?

- is it possible to disable this kind of intelligence (possibly at
compile time)?

- if not: a config switch (or compile-time option) would really be
appreciated. The zone option "auto-dnssec off;" did not prevent bind
from trying to sign the zone.


Fondation RESTENA - DNS-LU

More information about the bind-users mailing list