Bind ignoring signing -nsec3param when inline-signing a zone

Klaus Darilion klaus.mailinglists at
Thu Jun 5 12:02:53 UTC 2014


Today I managed to get Bind 9.9.5 to create a signed zone with all RRs
signed except the SOA. The private RRs showed "finshed signing". Only
after another "rndc loadkeys" was the SOA also signed.

Unfortunately I cannot reproduce the problem, but I suspect it may be
related to the order in which I add the zone for signing to Bind, as up to
now I sent lots of rndc commands to Bind.

Therefore I simplified my provisioning to only:

1. Create the keys

2. Add the zone to Bind via rndc:

zone "" {
  type slave;
  file "/etc/bind/zones/p/";
  masters {; };
  key-directory "/etc/bind/keys/p/";
  auto-dnssec maintain;
  inline-signing yes;
};

Is it safe to consider that this will start the incoming zone transfer
and signing (without the need for an "rndc sign" command)?

3. Configure NSEC3:
rndc signing -nsec3param 1 0 10 E1BDC7F3624A9508

The problem is that the nsec3param command is received by Bind but
ignored: as you can see, there is no zone_addnsec3chain() logging:

11:47:53: received control channel command 'addzone {...}'
11:47:53: zone added to view _default via addzone
11:47:53: received control channel command 'signing -nsec3param 1 0 10
11:47:53: zone (unsigned): Transfer started.
11:47:53: transfer of ' (unsigned)' from
connected using
11:47:53: zone (unsigned): transferred serial 85
11:47:53: transfer of ' (unsigned)' from
Transfer completed: 1 messages, 78 records, 2007 bytes, 0.033 secs
(60818 bytes/sec)
11:47:53: zone (signed): loaded serial 85
11:47:53: zone (signed): receive_secure_serial: unchanged
11:47:53: zone (signed): receive_secure_serial: unchanged
11:47:53: zone (signed): sending notifies (serial 85)
11:47:53: zone (signed): reconfiguring zone keys
11:47:53: zone (signed): next key event: 05-Jun-2014

# rndc signing -nsec3param 1 0 10 E1BDC7F3624A9508
request queued

11:48:23: received control channel command 'signing -nsec3param 1 0 10
11:48:23: zone (signed):
11:48:23: zone (signed): sending notifies (serial 106)

As you see, only after the second "rndc signing -nsec3param" command
did Bind switch to NSEC3. I think this is because the nsec3 command is sent
immediately after the "add zone" command.

So, is this a bug in Bind or do I have to provision Bind differently?

Another question: is it possible to instruct Bind to use NSEC3 from the
beginning? I read that this can be done with dynamic updates, but in my
setup with inline-signing I suspect this is not possible.


More information about the bind-users mailing list
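A check a defender can run on a dump of the signed zone to catch the half-signed state described in the post (an RRset, here the SOA, with no RRSIG) and to see which denial-of-existence chain is actually in place after an "rndc signing -nsec3param". This is an added example written for this page, not BIND's own tooling or the poster's code. It assumes the one-record-per-line presentation format that `dig AXFR` or `named-checkzone -D` produce; the two sample zones are constructed, with placeholder key tags, signatures and NSEC3 hash labels, and only the NSEC3 parameters `1 0 10 E1BDC7F3624A9508` come from the post.

```python
"""Audit a DNSSEC zone dump: every RRset other than RRSIG must be covered by an
RRSIG with a matching "type covered" field at the same owner, and the zone
should carry exactly one denial chain (NSEC or NSEC3, not both)."""

DENIAL_TYPES = {"NSEC", "NSEC3"}
CLASSES = {"IN", "CH", "HS"}


def parse_zone(text):
    """Parse 'owner [ttl] [class] type rdata...' lines into (owner, type, rdata).

    Blank lines and ';' comments are skipped; owner and type are case-folded.
    Multi-line (parenthesised) records are not handled: the assumed inputs
    emit one record per line.
    """
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        owner, pos = tokens[0].lower(), 1
        if pos < len(tokens) and tokens[pos].isdigit():          # optional TTL
            pos += 1
        if pos < len(tokens) and tokens[pos].upper() in CLASSES:  # optional class
            pos += 1
        if pos >= len(tokens):
            raise ValueError(f"no type field in record: {line!r}")
        records.append((owner, tokens[pos].upper(), tokens[pos + 1:]))
    return records


def audit_signing(records):
    """Return unsigned RRsets, the denial chain(s) present, and any inconsistency."""
    rrsets = {(o, t) for o, t, _ in records if t != "RRSIG"}
    # The first rdata field of an RRSIG is the type it covers.
    covered = {(o, rd[0].upper()) for o, t, rd in records if t == "RRSIG" and rd}
    present = {t for _, t, _ in records}
    chains = sorted(present & DENIAL_TYPES)
    note = ""
    if "NSEC3" in chains and "NSEC3PARAM" not in present:
        note = "NSEC3 records present but no NSEC3PARAM at the apex"
    return {"unsigned": sorted(rrsets - covered), "chains": chains,
            "mixed_chain": len(chains) == 2, "note": note}


# Constructed sample modelled on the post: everything signed except the SOA,
# zone still on an NSEC chain. Key tags, times and signatures are dummies.
HALF_SIGNED = """\
example.test.     3600 IN SOA    ns1.example.test. hostmaster.example.test. 85 7200 3600 1209600 3600
example.test.     3600 IN NS     ns1.example.test.
example.test.     3600 IN RRSIG  NS 8 2 3600 20140705000000 20140605000000 12345 example.test. c2lnbmF0dXJl
example.test.     3600 IN DNSKEY 257 3 8 a2V5ZGF0YQ==
example.test.     3600 IN RRSIG  DNSKEY 8 2 3600 20140705000000 20140605000000 54321 example.test. c2lnbmF0dXJl
example.test.     3600 IN NSEC   ns1.example.test. NS SOA RRSIG NSEC DNSKEY
example.test.     3600 IN RRSIG  NSEC 8 2 3600 20140705000000 20140605000000 12345 example.test. c2lnbmF0dXJl
ns1.example.test. 3600 IN A      192.0.2.1
ns1.example.test. 3600 IN RRSIG  A 8 3 3600 20140705000000 20140605000000 12345 example.test. c2lnbmF0dXJl
ns1.example.test. 3600 IN NSEC   example.test. A RRSIG NSEC
ns1.example.test. 3600 IN RRSIG  NSEC 8 3 3600 20140705000000 20140605000000 12345 example.test. c2lnbmF0dXJl
"""

# Constructed sample of the intended end state: SOA signed, NSEC3PARAM at the
# apex with the post's parameters, NSEC3 chain (placeholder hash label), no NSEC.
NSEC3_SIGNED = """\
example.test.     3600 IN SOA    ns1.example.test. hostmaster.example.test. 106 7200 3600 1209600 3600
example.test.     3600 IN RRSIG  SOA 8 2 3600 20140705000000 20140605000000 12345 example.test. c2lnbmF0dXJl
example.test.     3600 IN NS     ns1.example.test.
example.test.     3600 IN RRSIG  NS 8 2 3600 20140705000000 20140605000000 12345 example.test. c2lnbmF0dXJl
example.test.     3600 IN DNSKEY 257 3 8 a2V5ZGF0YQ==
example.test.     3600 IN RRSIG  DNSKEY 8 2 3600 20140705000000 20140605000000 54321 example.test. c2lnbmF0dXJl
example.test.     0    IN NSEC3PARAM 1 0 10 E1BDC7F3624A9508
example.test.     0    IN RRSIG  NSEC3PARAM 8 2 0 20140705000000 20140605000000 12345 example.test. c2lnbmF0dXJl
ns1.example.test. 3600 IN A      192.0.2.1
ns1.example.test. 3600 IN RRSIG  A 8 3 3600 20140705000000 20140605000000 12345 example.test. c2lnbmF0dXJl
abcdefghijklmnop.example.test. 3600 IN NSEC3 1 0 10 E1BDC7F3624A9508 QRSTUVWXYZ NS SOA RRSIG DNSKEY NSEC3PARAM
abcdefghijklmnop.example.test. 3600 IN RRSIG NSEC3 8 3 3600 20140705000000 20140605000000 12345 example.test. c2lnbmF0dXJl
"""

if __name__ == "__main__":
    import sys
    # Usage: python audit_zone.py [zone-dump-file]; defaults to the built-in sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else HALF_SIGNED
    report = audit_signing(parse_zone(text))
    for owner, rtype in report["unsigned"]:
        print(f"UNSIGNED RRset: {owner} {rtype}")
    print("denial chain(s):", ", ".join(report["chains"]) or "none",
          "(mixed, switch not finished)" if report["mixed_chain"] else "")
    if report["note"]:
        print("NOTE:", report["note"])
```

Run against the built-in sample it reports the unsigned SOA and an NSEC chain; run against a dump taken after the second "rndc signing -nsec3param" it should report no unsigned RRsets and only NSEC3. Seeing both NSEC and NSEC3 at once is normal while a chain switch is in progress, so a monitoring check should alert only if that state persists.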