OT: Bind 9.9.0B1 Inline-Signing Question

Evan Hunt each at isc.org
Fri Nov 11 17:47:32 UTC 2011


> I have just one question, what should inline-zone admin do? I assume
> that named automatically regenerates & removes expired RRSIGs so is it
> sufficient to put new KSK and ZSK to the key-directory when needed and
> revoke older ones? Thanks for your answer in advance.

Yes, it will keep RRSIGs refreshed (same as it does now with dynamic
zones).  Rolling keys is the same process as now; you generate a successor
key (dnssec-keygen -S) and run "rndc loadkeys <zone>" to signal the server
that there's a new key.

I should mention that there is a known operational issue in the current
version of inline-signing that you should be cautious about.  If you're
using inline-signing with a master zone, and you make changes to the zone
file, you should *not* kill and restart your server to load the new file.
Instead, use "rndc reload" or "kill -HUP <pid>" to force named to reload
the zone while it's running.  That way, named will be able to compare the
former version against the new one, and generate the proper set of diffs to
apply to the signed zone.

If you kill and restart your server to load changes to your zone, then the
signed version of the zone will fall out of sync with the raw version, and
some of your data will not be accessible to queries.  There's no way to
recover from this condition except to delete the signed zone and start
over, which generates big transfers to slaves and is generally undesirable.

We'll have a fix for this in a future release.  It's not a problem when
using inline-signing on slave zones; slaves load their data via zone
transfer, not from files, so this issue doesn't affect them at all.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
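As an added example (not code from the original post, nor from ISC), the following POSIX shell script turns the two procedures described in the reply into repeatable commands for an inline-signed master zone: a key roll that generates the successor with `dnssec-keygen -S` and signals named with `rndc loadkeys`, and a zone-file change pushed with `rndc reload` rather than a restart, with a `named-checkzone` syntax check in front of it. The zone name `example.com`, the key directory `/var/named/keys` and the key name `Kexample.com.+008+12345` are constructed placeholders; it assumes the BIND 9.9 tools are on PATH. By default it only prints the commands it would run (`DRY_RUN=1`); set `DRY_RUN=0` to execute them.

```shell
#!/bin/sh
# Added example, not the original poster's or ISC's code. Scripts the two
# operations described in the reply for an inline-signed master zone:
#   roll_key    - generate a successor key (dnssec-keygen -S) and run
#                 "rndc loadkeys <zone>" so named picks it up;
#   reload_zone - push an edited zone file to the *running* named with
#                 "rndc reload", never by killing and restarting it.
# Assumes BIND 9.9 tools (dnssec-keygen, named-checkzone, rndc) on PATH.
# ZONE, KEYDIR and the key name used below are constructed placeholders.
set -eu

ZONE="${ZONE:-example.com}"
KEYDIR="${KEYDIR:-/var/named/keys}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Roll a key: create its successor (same algorithm and size, timing metadata
# derived from the old key) in the key directory, then tell named to re-read
# that directory. $1 is the existing key's name, e.g. Kexample.com.+008+12345.
roll_key() {
    oldkey="$1"
    run dnssec-keygen -K "$KEYDIR" -S "$oldkey"
    run rndc loadkeys "$ZONE"
}

# Load an edited raw zone file into the running server so inline-signing can
# diff the old and new versions. The syntax check runs first; under set -e a
# broken file stops the script before the reload. $1 is the zone file path.
reload_zone() {
    zonefile="$1"
    run named-checkzone "$ZONE" "$zonefile"
    run rndc reload "$ZONE"
}

# Optional command-line entry point:
#   ./inline-ops.sh roll Kexample.com.+008+12345
#   ./inline-ops.sh reload /var/named/example.com.zone
case "${1:-}" in
    roll)   roll_key "$2" ;;
    reload) reload_zone "$2" ;;
esac
```

Run it in dry-run mode first to see exactly which commands will be issued; once the output looks right, rerun with `DRY_RUN=0`.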
