Bind seems to lose track of DNSSEC keys

Maurice Janssen maurice at z74.net
Mon Oct 7 09:47:00 UTC 2013


Hi,

I've set up a few domains with DNSSEC and ran into a problem. There's not 
much to be found (apart from a similar problem on this list: 
https://lists.isc.org/pipermail/bind-users/2013-January/089416.html), 
therefore I hope somebody here can help me out.

I have a hidden master with a couple of zones, two public authoritative 
slave servers.
The master runs Bind 9.9.2, the slaves run NSD.  All systems are running 
OpenBSD 5.3-stable.  I use "auto-dnssec maintain;" and "inline-signing 
yes;".

I largely followed the instructions on 
https://kb.isc.org/article/AA-00711/0/In-line-Signing-With-NSEC3-in-BIND-9.9-A-Walk-through.html
At first, everything seemed OK.  The zones are signed and pass the test 
at dnsviz.net.  Reloading a zone after changing the unsigned zone file 
works OK.

The problem is that after some time Bind seems to lose track of the 
keys for most of the zones.
At this moment, only one of the zones is OK:

# rndc signing -list z74.nl
Done signing with key 16845/RSASHA256
Done signing with key 37936/RSASHA256

All other zones report:

# rndc signing -list z74.net
No signing records found

I haven't figured out at which moment this happens (after restarting the 
system or Bind, after a zone reload or some other event or at random).  
There's no clue in the log file.

The command "rndc loadkeys <zone>" doesn't help unfortunately.  The only 
workaround I found so far is to stop Bind, remove the signed zone files 
and journal files and start Bind (which is rather annoying, because you 
can easily end up with out-of-sync SOA records).


BTW: The reason for not running 9.9.4 is that there is only a 9.9.2 
package available for OpenBSD 5.3.  However, on a test system with 
OpenBSD -current and Bind 9.9.4 the problem persists.

I hope somebody can give me a hint how to solve this.

Thanks,
Maurice Janssen
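One way to notice this failure mode before dnsviz or a resolver does is to compare what `rndc signing -list` reports with the `K<zone>.+<alg>+<keytag>.key` files BIND keeps in key-directory, and alarm on any zone that has key files but no signing records. This is an added example, not code from the post or from BIND: the sample rndc output and key file names are constructed, and the "Signing with key" in-progress line form is assumed.

```python
import re
from pathlib import PurePosixPath

# Constructed sample data (not from the post): per-zone `rndc signing -list`
# output, and key file names as BIND writes them in key-directory.
RNDC_OUTPUT = {
    "z74.nl":  "Done signing with key 16845/RSASHA256\nDone signing with key 37936/RSASHA256\n",
    "z74.net": "No signing records found\n",
}
KEY_FILES = [
    "Kz74.nl.+008+16845.key", "Kz74.nl.+008+37936.key",
    "Kz74.net.+008+22011.key", "Kz74.net.+008+09412.key",
]

# Algorithm numbers as they appear in key file names -> mnemonics rndc prints.
ALG_NAMES = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512",
             13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}
# "Done signing with key N/ALG" is quoted in the post; the in-progress
# form "Signing with key N/ALG" is an assumption.
SIGNING_RE = re.compile(r"^(?:Done s|S)igning with key (\d+)/(\S+)$")
KEYFILE_RE = re.compile(r"^K(?P<zone>.+?)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.key$")

def parse_rndc_signing(text):
    """Return the set of (keytag, algorithm) pairs rndc reports for one zone."""
    keys = set()
    for line in text.splitlines():
        m = SIGNING_RE.match(line.strip())
        if m:
            keys.add((int(m.group(1)), m.group(2)))
    return keys

def expected_keys_from_files(filenames):
    """Map zone -> set of (keytag, algorithm) derived from K*.key file names."""
    expected = {}
    for name in filenames:
        m = KEYFILE_RE.match(PurePosixPath(name).name)
        if not m:
            continue
        alg = ALG_NAMES.get(int(m["alg"]), m["alg"])
        expected.setdefault(m["zone"], set()).add((int(m["tag"]), alg))
    return expected

def audit(rndc_output, key_files):
    """Return {zone: problem} for zones whose rndc state disagrees with keys on disk."""
    problems = {}
    for zone, keys in expected_keys_from_files(key_files).items():
        reported = parse_rndc_signing(rndc_output.get(zone, ""))
        if not reported:
            problems[zone] = "no signing records despite %d key file(s)" % len(keys)
        elif keys - reported:
            missing = ", ".join("%d/%s" % k for k in sorted(keys - reported))
            problems[zone] = "key file(s) not reported by rndc: " + missing
    return problems
```

In a cron job, `RNDC_OUTPUT` would be filled by running `rndc signing -list <zone>` per zone and `KEY_FILES` by listing key-directory; any non-empty `audit()` result is the condition described in the post.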
