session.key and managed-keys

Chris Thompson cet1 at
Mon Jul 11 16:13:06 UTC 2011

On Jul 10 2011, Emil Natan wrote:

>I have few boxes running BIND 9.7.3-P3. I do not use DNSSEC (for now) and
>dynamic updates (at all) and I have them explicitly disabled in named.conf
>(dnssec-enable   no; dnssec-validation no; allow-update    { none; };) but I
>see named still searching for managed-keys.bind file and trying to create
>session.key file. In the general case it fails with file not found and
>permission denied which I know how to correct. My question is why BIND is
>forced to create files and especially the session.key? Is there a way to
>change that behavior?

The two cases are different. If you don't have any managed keys then BIND
doesn't need managed-keys.bind, and it's a bit annoying it goes on about
it. You can chase the messages away by making it an empty file in BIND's
working directory, or rather better one containing

=== cut ===
$TTL 0  ; 0 seconds
@                       IN SOA  . . (
                                0          ; serial
                                0          ; refresh (0 seconds)
                                0          ; retry (0 seconds)
                                0          ; expire (0 seconds)
                                0          ; minimum (0 seconds)
=== cut ===

which correctly represents the state of no managed keys.

The session.key file isn't to do with DNSSEC, but with signing update
requests, using "update-policy local;" and "nsupdate -l" (see the ARM
for details). BIND always writes a new session key at startup whether
it's going to be used or not. If you don't want it, and it is trying to
write it somwehere it can't, specify an alternative writable location
(e.g. in BIND's working directory) with "session-keyfile" in "options",
and then forget about it.

Chris Thompson
Email: cet1 at

More information about the bind-users mailing list