Problems with auto-dnssec maintain on BIND 9.9.5 (latest patch, FreeBSD)

Tony Finch dot at dotat.at
Thu Mar 27 12:05:09 UTC 2014


Daniel Ryslink <daniel.ryslink at dialtelecom.cz> wrote:
>
> At first, when the zone was not signed at all, all that sufficed was to
> do "rndc loadkeys example.com", and when I later used "rndc signing
> -list example.com", the keys set via
> dnssec-settime as active in the keys directory were displayed.

Note that `rndc signing -list` possibly does not do what you expect: it
tells you about named's progress with incremental signing, which is
possibly important for large zones, but for small ones it is so quick it's
almost impossible to catch it while signing is in progress. It is a user
interface for the TYPE65534 records that named uses to save this
information.

After a zone has been signed, there is no need for the TYPE65534 records
and `rndc signing -list` does not have anything informative to say.

What you probably want instead is `rndc zonestatus` except that feature
was added in 9.10...

> Now, the system reverted into a state where rndc signing -list
> example.com states that no signing records were found.

That is normal if you have run `rndc signing -clear`.

> However, when I export the new zone file into master/example.com, it is
> no longer signed automatically as before.

Did you tell it to reload the zone?

> Also. named.log for bind displays curiously frequent key events:
> Why a key event every five minutes, when TTL of the records is 6 hours?

Have you set dnssec-loadkeys-interval ?

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Irish Sea: Southeasterly backing northeasterly 5 or 6, occasionally 7 in
north, decreasing 4 at times in south. Moderate in west, slight or moderate in
east. Rain or showers. Good, occasionally poor.
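Putting the pieces from this reply together as a named.conf fragment (an added example, not from the thread or from BIND's own documentation). The zone name example.com comes from the thread; the directory layout, the key-directory name and the update-policy line are assumptions, and the rndc commands in the comments are the ones discussed above.

```conf
// Added example: named.conf fragment for a zone that named keeps signed
// itself (auto-dnssec maintain). Paths are assumptions, not the poster's.
options {
    directory "/usr/local/etc/namedb";   // assumed FreeBSD-style layout

    // Interval in MINUTES between named's rescans of key-directory for keys
    // whose dnssec-settime dates have become active or inactive. The default
    // is 60; setting it to 5 yields a "key event" every five minutes
    // regardless of the zone's record TTLs.
    dnssec-loadkeys-interval 60;
};

zone "example.com" {
    type master;
    file "master/example.com";
    key-directory "keys";        // assumed; where the dnssec-keygen files live
    auto-dnssec maintain;        // sign with whatever keys are active in key-directory

    // auto-dnssec needs a dynamic zone (or inline-signing), so named can
    // write new RRSIGs into it. "local" restricts updates to the loopback
    // session key used by "nsupdate -l". Assumed policy, adjust to taste.
    update-policy local;

    // Operational notes (rndc commands from the thread):
    //   rndc loadkeys example.com        force an immediate rescan of key-directory
    //   rndc signing -list example.com   show TYPE65534 signing-progress records;
    //                                    empty once a small zone has finished signing
    //   rndc signing -clear ... example.com  removes those records (hence "no
    //                                    signing records were found")
    //   rndc zonestatus example.com      what you actually want, but 9.10 and later
    // Editing the file by hand on a dynamic zone: rndc freeze example.com,
    // edit master/example.com, rndc thaw example.com (thaw reloads the zone;
    // a bare "rndc reload" does not reread a dynamic zone's file).
};
```

The value of dnssec-loadkeys-interval is the first thing to check when key events arrive far more often than any key timing or TTL would explain; the five-minute cadence in the original question matches a setting of 5.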
