Problems with auto-dnssec maintain on BIND 9.9.5 (latest patch, FreeBSD)

Tony Finch dot at
Thu Mar 27 12:05:09 UTC 2014

Daniel Ryslink <daniel.ryslink at> wrote:
> At first, when the zone was not signed at all, all that sufficed was to
> do "rndc loadkeys", and when I later used "rndc signing -list", the keys
> set via dnssec-settime as active in the keys directory were displayed.

Note that `rndc signing -list` possibly does not do what you expect: it
tells you about named's progress with incremental signing, which is
possibly important for large zones, but for small ones it is so quick it's
almost impossible to catch it while signing is in progress. It is a user
interface for the TYPE65534 records that named uses to save this

After a zone has been signed, there is no need for the TYPE65534 records
and `rndc signing -list` does not have anything informative to say.

What you probably want instead is `rndc zonestatus` except that feature
was added in 9.10...

> Now, the system reverted into a state where rndc signing -list
> states that no signing records were found.

That is normal if you have run `rndc signing -clear`.

> However, when I export the new zone file into master/, it is
> no longer signed automatically as before.

Did you tell it to reload the zone?

> Also, named.log for bind displays curiously frequent key events:
> Why a key event every five minutes, when TTL of the records is 6 hours?

Have you set `dnssec-loadkeys-interval`?

f.anthony.n.finch  <dot at>
Irish Sea: Southeasterly backing northeasterly 5 or 6, occasionally 7 in
north, decreasing 4 at times in south. Moderate in west, slight or moderate in
east. Rain or showers. Good, occasionally poor.

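An added example (not code from this thread or from BIND) that makes the key-timing discussion above concrete: it reads the Publish/Activate/Inactive/Delete stamps that dnssec-settime writes into K*.key files, classifies each key by those stamps at a given time, and checks that an active KSK and an active ZSK both exist before expecting `auto-dnssec maintain` to sign. The key files are constructed samples with placeholder DNSKEY data, and treating a key with no timing metadata as unusable is an assumption.

```python
import re
from datetime import datetime
# Timing fields dnssec-keygen / dnssec-settime write as comments into K*.key files.
TIMING_FIELDS = ("Publish", "Activate", "Inactive", "Delete")
STAMP = re.compile(r"^;\s*(\w+):\s*(\d{14})", re.M)
DNSKEY = re.compile(r"^\S+\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s+\d+\s+\d+", re.M)

# Constructed sample key files; the DNSKEY data is a placeholder, not real key material.
KSK = """; Publish: 20140301120000 (Sat Mar  1 12:00:00 2014)
; Activate: 20140301120000 (Sat Mar  1 12:00:00 2014)
example.com. IN DNSKEY 257 3 8 PLACEHOLDERKEYDATA==
"""
ZSK_OLD = """; Publish: 20140101000000 (Wed Jan  1 00:00:00 2014)
; Activate: 20140101000000 (Wed Jan  1 00:00:00 2014)
; Inactive: 20140320000000 (Thu Mar 20 00:00:00 2014)
; Delete: 20140420000000 (Sun Apr 20 00:00:00 2014)
example.com. IN DNSKEY 256 3 8 PLACEHOLDERKEYDATA==
"""
ZSK_NEW = """; Publish: 20140310000000 (Mon Mar 10 00:00:00 2014)
; Activate: 20140320000000 (Thu Mar 20 00:00:00 2014)
example.com. IN DNSKEY 256 3 8 PLACEHOLDERKEYDATA==
"""

def parse_stamp(stamp):
    """Turn a 14-digit YYYYMMDDHHMMSS stamp into a datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S")

def parse_key_file(text):
    """Return (DNSKEY flags, {field: datetime}) for one K*.key file."""
    flags = int(DNSKEY.search(text).group(1))  # AttributeError if no DNSKEY record
    times = {f: parse_stamp(s) for f, s in STAMP.findall(text) if f in TIMING_FIELDS}
    return flags, times

def key_state(times, now):
    """Lifecycle state the timestamps put the key in at time `now`."""
    if "Publish" not in times or "Activate" not in times:
        return "no-timing-metadata"  # assumption: not usable by auto-dnssec maintain
    for field, state in (("Delete", "deleted"), ("Inactive", "inactive")):
        if field in times and now >= times[field]:
            return state
    if now >= times["Activate"]:
        return "active"
    return "published" if now >= times["Publish"] else "unpublished"

def zone_signable(key_texts, now):
    """True when an active KSK (flags 257) and an active ZSK (flags 256) both exist."""
    active = set()
    for text in key_texts:
        flags, times = parse_key_file(text)
        if key_state(times, now) == "active":
            active.add(flags)
    return {256, 257} <= active
```

Run it against the real keys directory by reading each K*.key file into `key_texts`; a zone whose only ZSK reports `inactive` is the case where `rndc loadkeys` alone will not get you new signatures.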