bind makes RRSIG disappear?

Cathy Almond cathya at
Mon Feb 7 10:46:14 UTC 2011

Hi Gilles,

You've identified a corner-case bug - the logic is incorrect in the case
where the ACL holds "none" instead of being empty.

There's no compile-time option - but we are treating what you've
reported to us as a bug (RT #23120).  It is currently under

Many thanks for bringing this to our attention.


On 07/02/11 07:29, Gilles Massen wrote:
> Mark,
> On 02/06/2011 10:41 PM, Mark Andrews wrote:
>> Mark Andrews writes:
>>>>> Does your configuration also have an "allow-update" setting
>>>>> (other than "none") for it, maybe only for the instance that
>>>>> is giving you trouble? In that case BIND will take it that you
>>>>> want it to do resigning as the RRSIGs approach expiry.
>>>> The only allow-update is in the options section, and none.
>>> Get rid of the allow-update and allow the default of no acl to work.
>> The test that decides that the zone may need to be re-signed doesn't
>> take the "none;" acl into account.  Currently it is
>> "if (acl != NULL || ssu != NULL)" and should become
>> "if ((acl != NULL && !isnone(acl)) || ssu != NULL)".
> Thanks, this works indeed.
> This raises a few questions, as I'd really like to understand bind's
> behavior:
> - is there any description of exactly how/when Bind assumes signing
> authority over a zone? Or simply where some kind of zone-manipulating
> intelligence kicks in?
> - is it possible to disable this kind of intelligence (possibly at
> compile time)?
> - if not: a config switch (or compile-time option) would really be
> appreciated. The zone option "auto-dnssec off;" did not prevent bind
> from trying to sign the zone.
> Best,
> Gilles

More information about the bind-users mailing list