Bind 9.9.0b2 inline signing...

Spain, Dr. Jeffry A. spainj at
Tue Nov 22 19:34:46 UTC 2011

Kevin: I did something similar, using nsupdate to modify the unsigned zone instead of a manual edit. The myzone.db, myzone.db.jnl, myzone.db.signed, and myzone.db.signed.jnl files all get updated appropriately. "rndc reload" is not necessary. It is interesting to note that the serial number in the signed zone gets incremented more than the serial number in the unsigned zone. A dig request for the SOA record returns the serial number from the signed zone.

To allow for this I have the following in my configuration file:

zone "myzone" {
    type master;
    file "/var/lib/bind/myzone/myzone.db";
    key-directory "/var/lib/bind/myzone";
    update-policy local;
    auto-dnssec maintain;
    inline-signing yes;
};

I'll give it a try with a manual edit and let you know. Jeff.

From: at [ at] On Behalf Of McConville, Kevin
Sent: Tuesday, November 22, 2011 11:58 AM
To: bind-users at
Subject: Bind 9.9.0b2 inline signing...

I have opened up a Bug ticket with ISC on this - #26676, but I just wanted to make sure that I'm not doing anything "wrong" that may be causing the issue.

Has anyone been able to get inline-signing to work on a static master zone using an authoritative server?

When we manually change the master static zone file, the .signed and .signed.jnl files are not getting updated, as shown by the time/date stamps below (just using rndc reload).

-rw-rw-r-- 1 named root   1077 Nov 22 11:22
-rw------- 1 named named  9415 Nov 22 11:14
-rw------- 1 named named 12041 Nov 22 11:02

The log shows the correct serial for the unsigned zone, but then pulls the wrong signed file.

22-Nov-2011 11:25:28.314 general: info: received control channel command 'reload'
22-Nov-2011 11:25:28.314 general: info: loading configuration from '/etc/named.conf'
22-Nov-2011 11:25:28.315 general: info: using default UDP/IPv4 port range: [1024, 65535]
22-Nov-2011 11:25:28.315 general: info: using default UDP/IPv6 port range: [1024, 65535]
22-Nov-2011 11:25:28.316 general: info: sizing zone task pool based on 4 zones
22-Nov-2011 11:25:28.318 general: info: zone (signed): (master) removed
22-Nov-2011 11:25:28.318 general: info: reloading configuration succeeded
22-Nov-2011 11:25:28.318 general: info: reloading zones succeeded
22-Nov-2011 11:25:28.320 general: info: zone (unsigned): loaded serial 2011112201
22-Nov-2011 11:25:28.320 general: info: zone (signed): loaded serial 2011112114 (DNSSEC signed)
22-Nov-2011 11:25:28.320 general: notice: all zones loaded
22-Nov-2011 11:25:28.320 general: notice: running
22-Nov-2011 11:25:28.320 general: info: zone (signed): reconfiguring zone keys
22-Nov-2011 11:25:28.321 general: info: zone (signed): next key event: 22-Nov-2011 11:35:28.321
22-Nov-2011 11:25:28.321 notify: info: zone (signed): sending notifies (serial 2011112114)

From named.conf:

options {
    directory       "/conf";
    pid-file        "/var/run/";
    statistics-file "/var/run/named.stats";
    dump-file       "/var/run/named.db";
    version         "[secured]";
    dnssec-enable yes;
    sig-validity-interval 10;
    dnssec-loadkeys-interval 10;
    empty-zones-enable no;
};

zone "" {
    type master;
    file "";
    auto-dnssec maintain;
    inline-signing yes;
    key-directory "/conf";
    serial-update-method increment;
};


Has anyone gotten this to work on an authoritative (meaning that I am missing something) or is it a "real" bug? I just don't want to be claiming it's a "bug" if it's something that I messed up or fat fingered :)

Thank you all in advance.



Kevin McConville

University at Albany
