OT: Bind 9.9.0B1 Inline-Signing Question

Adam Tkac atkac at redhat.com
Fri Nov 11 10:24:53 UTC 2011

On 11/10/2011 11:16 PM, Evan Hunt wrote:
>> I know that this isn't the forum for betas
> Sure it is. :)
>> We have been testing with the alphas and now with the beta. What we are
>> seeing is that whenever named starts, it initially creates the signed
>> static zone file, but never really finishes.
> What do you mean by "never really finishes"?
> What are the options that are set for the static zone?  You should have
> these:
>         auto-dnssec maintain;
>         inline-signing yes;
>         key-directory "<dir>";
> ...with <dir> set to the location of the DNSSEC signing keys for your
> zone, including at least one KSK and one ZSK, both of which are set to
> be published and active.
Ah, this was missing bit in my configuration, thanks for it :)

I have just one question, what should inline-zone admin do? I assume
that named automatically regenerates & removes expired RRSIGs so is it
sufficient to put new KSK and ZSK to the key-directory when needed and
revoke older ones? Thanks for your answer in advance.

Regards, Adam

More information about the bind-users mailing list