Bind 9.9.0B1 Inline-Signing Question

McConville, Kevin kmcconville at
Thu Nov 17 16:55:15 UTC 2011

First off, thank you to all who responded/helped in my previous post - this list is a wonderful community. The inline-signing is now working...sort of.

We edit the static zone, adding a resource record (of any type), increment the serial, and then do an rndc reload. However, Bind is still looking at the previous DNSSEC-signed file - it's not picking up the new records.
Another strange thing is that using the auto-dnssec maintain option, it is still creating a journal file -

-rw-rw-r-- 1 named root   2250 Nov 17 11:29
-rw------- 1 named named  9969 Nov 16 12:04
-rw------- 1 named named 13095 Nov 16 11:52

Doing an rndc stop, removing the signed and signed.jnl files, the new resource records are picked up when named is restarted. But, that defeats the point of inline-signing.

Below is info from our named.conf and our log file (we are using it in a chroot and it is being run as user named):

options {
        directory       "/conf";
        pid-file        "/var/run/";
        statistics-file "/var/run/named.stats";
        dump-file       "/var/run/named.db";
        version         "[secured]";
        dnssec-enable yes;
        sig-validity-interval 10;
        dnssec-loadkeys-interval 10;
        empty-zones-enable no;
};

zone "" {
     type master;
     file "";
     auto-dnssec maintain;
     inline-signing yes;
     key-directory "/conf";
     serial-update-method increment;
};

17-Nov-2011 11:29:56.865 general: info: received control channel command 'reload'
17-Nov-2011 11:29:56.865 general: info: loading configuration from '/etc/named.conf'
17-Nov-2011 11:29:56.866 general: info: using default UDP/IPv4 port range: [1024, 65535]
17-Nov-2011 11:29:56.866 general: info: using default UDP/IPv6 port range: [1024, 65535]
17-Nov-2011 11:29:56.867 general: info: sizing zone task pool based on 4 zones
17-Nov-2011 11:29:56.869 general: info: zone (signed): (master) removed
17-Nov-2011 11:29:56.869 general: info: reloading configuration succeeded
17-Nov-2011 11:29:56.869 general: info: reloading zones succeeded
17-Nov-2011 11:29:56.871 general: info: zone (unsigned): loaded serial 2011111701
17-Nov-2011 11:29:56.871 general: info: zone (signed): loaded serial 2011111507 (DNSSEC signed)
17-Nov-2011 11:29:56.871 general: notice: all zones loaded
17-Nov-2011 11:29:56.871 general: notice: running
17-Nov-2011 11:29:56.871 general: info: zone (signed): reconfiguring zone keys
17-Nov-2011 11:29:56.872 general: info: zone (signed): next key event: 17-Nov-2011 11:39:56.872
17-Nov-2011 11:29:56.872 notify: info: zone (signed): sending notifies (serial 2011111507)

I'm probably missing something, but this list has really been very helpful. Any ideas or suggestions are greatly appreciated.



Kevin McConville

University at Albany
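
A check for the condition visible in the log above, where the signed copy of an inline-signed zone loads an older serial than the unsigned zone. This is an added example, not part of the original post; the zone names `example.test` and `ok.test`, the `name/IN` field and the sample log are constructed, and serials are compared with RFC 1982 arithmetic.

```python
import re

# named "loaded serial" lines for both views of an inline-signed zone.
# The zone-name field is optional because the log on this page has it scrubbed.
LOADED = re.compile(
    r"zone (?:(?P<zone>[^\s(]+) )?\((?P<view>signed|unsigned)\): "
    r"loaded serial (?P<serial>\d+)"
)

def serial_lt(a, b):
    """RFC 1982 comparison: True when serial a is older than serial b."""
    return a != b and ((b - a) & 0xFFFFFFFF) < 0x80000000

def stale_signed_zones(log_text):
    """Return {zone: (unsigned_serial, signed_serial)} where the signed copy lags."""
    latest = {}
    for line in log_text.splitlines():
        m = LOADED.search(line)
        if m:
            zone = m.group("zone") or "<scrubbed>"
            latest.setdefault(zone, {})[m.group("view")] = int(m.group("serial"))
    return {
        zone: (views["unsigned"], views["signed"])
        for zone, views in latest.items()
        if "unsigned" in views and "signed" in views
        and serial_lt(views["signed"], views["unsigned"])
    }

# Constructed sample: the first zone reuses the serials from the post,
# the second is a healthy zone whose signed serial is ahead of the raw one.
SAMPLE_LOG = """\
17-Nov-2011 11:29:56.871 general: info: zone example.test/IN (unsigned): loaded serial 2011111701
17-Nov-2011 11:29:56.871 general: info: zone example.test/IN (signed): loaded serial 2011111507 (DNSSEC signed)
17-Nov-2011 11:29:56.871 general: info: zone ok.test/IN (unsigned): loaded serial 2011111702
17-Nov-2011 11:29:56.871 general: info: zone ok.test/IN (signed): loaded serial 2011111705 (DNSSEC signed)
17-Nov-2011 11:29:56.871 general: notice: all zones loaded
"""

if __name__ == "__main__":
    for zone, (raw, signed) in stale_signed_zones(SAMPLE_LOG).items():
        print(f"{zone}: signed serial {signed} is behind unsigned serial {raw}")
```

A lag seen immediately after a reload can be transient while named re-signs, so the check is most useful when it persists across later log entries.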
