Bind 9.9.x inline signing

Mark Elkins mje at
Sun Jun 3 16:01:27 UTC 2012

Eventually got down to some experimenting again.
These are observations - which may help others.

I followed example 1 of Evan Hunt's
(I'm using BIND 9.9.1)

I did change the name of the zone and didn't bother with
"allow-transfer" - using the default behaviour of BIND instead (using
the NS records in the zone instead)

I first created the zone and got it working normally between two
machines (on the same LAN, etc.). This works fine: add a record to the
first zone, bump the SOA serial, rndc reload, and the slave gets the
update notify.

I then went through the example and added automatic DNSSEC.

The slave no longer seems to get NOTIFY - I had to stop, remove the
saved slave's file, and restart the slave to force the transfer.

Initially, making a change to the unsigned zone works.
(Edit unsigned, add data, bump SOA by one, save, rndc reload)
Log:  03-Jun-2012 17:23:35.941 general: info: zone
(signed): serial 2012060307 (unsigned 2012060304)

I didn't like the fact that the unsigned serial (which I manage) was
lower than that of the signed zone. Making it bigger than the signed
zone's version appears to have gotten the zones back in sync - however
the slave is still not getting any Notifies (and has not yet caught up).
I also expect that in the future, any 'magic bind key-signing' may also
de-sync my unsigned zone's concept of the current SOA serial as well.

It's the apparent lack of NOTIFYs that's really bugging me. I did modify
the secondary zone config in named.conf and added
"masterfile-format text;" - which saves the zone in nice, easy to debug,

Is the NOTIFY from 'inline-signing' zones currently broken?
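For readers reproducing the setup described in this post, here is an added named.conf fragment (not part of Mark's post or of Evan Hunt's document) with the primary and secondary zone stanzas it refers to; the zone name, file paths, key directory and primary address are assumed placeholders.

```conf
// Primary: hand-edited unsigned zone file, named keeps the signed copy itself.
// Zone name, file paths and key directory are placeholders.
zone "example.net" {
    type master;
    file "zones/example.net.db";     // the unsigned zone you edit and bump the serial in
    key-directory "keys";            // ZSK/KSK files created with dnssec-keygen
    inline-signing yes;              // signed copy lives in example.net.db.signed (+ .jnl)
    auto-dnssec maintain;            // named adds DNSKEY/RRSIG records and re-signs on its own
    // notify yes is the default: NOTIFY is sent to the zone's NS RRset,
    // so no explicit also-notify or allow-transfer is needed for this test.
};

// Secondary: placeholder primary address. The signed zone's serial is managed
// by named and runs ahead of the unsigned serial (e.g. "serial 2012060307
// (unsigned 2012060304)" in the log above), so compare serials on the signed copy.
zone "example.net" {
    type slave;
    masters { 192.0.2.1; };
    file "zones/example.net.db.slave";
    masterfile-format text;          // keep the transferred copy human-readable for debugging
};
```

After a change to the unsigned file, `rndc reload` picks it up and named re-signs; `dig @primary example.net SOA` and the same query against the secondary show whether the signed serial has propagated.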

