rndc signing -list not working?
Evan Hunt
each at isc.org
Mon Feb 22 16:17:04 UTC 2016
On Mon, Feb 22, 2016 at 10:52:25AM -0500, Thomas Schulz wrote:
> rndc signing -list adi.com in external
>
> I get 'No signing records found'
>
> Note that we use views and view external is what the world sees. I expected
> that the rndc signing command would show that the zone is signed.
When a zone is being signed by named, it stores temporary records at the
zone apex (RR type TYPE65534) to indicate the current state of the
signing process, so that if there's a power failure in the middle, named
will be able to resume. Those are the "signing records" referred to here.
At the end of the process there's a record left behind for each DNSKEY,
indicating that signing is complete for that key. At that point you can
use "rndc signing -clear" to remove them if you want to (though personally
I just leave them).
Since those records aren't there now, I would guess you either already
cleared them at some point, or else some other signing mechanism was
used such as dnssec-signzone instead of the automatic signing in named.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
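The signing records described above can be read from the zone itself with dig, where they appear as RFC 3597 generic RDATA (`TYPE65534 \# 5 <hex>`). As an added example that is not part of this thread or of BIND's code, the Python below decodes such lines using the 5-byte layout documented in the BIND ARM (algorithm, 2-byte key id, remove flag, complete flag) and prints a summary in the style of "rndc signing -list"; the zone lines and key ids are constructed.

```python
"""Decode BIND's TYPE65534 signing-state records as printed by dig."""
import re

# DNSSEC algorithm mnemonics (IANA registry) for the decoded summary.
ALGORITHMS = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}

# RFC 3597 generic RDATA: "\# <length> <hex octets>", hex may be split by spaces.
_GENERIC = re.compile(r"\\#\s+(\d+)\s*((?:[0-9A-Fa-f]{2}\s*)*)$")

def parse_generic_rdata(rdata_text):
    """Return the raw octets of an RFC 3597 "\# n hex" field, checking the length."""
    m = _GENERIC.search(rdata_text.strip())
    if not m:
        raise ValueError("not RFC 3597 generic RDATA: %r" % rdata_text)
    data = bytes.fromhex("".join(m.group(2).split()))
    if len(data) != int(m.group(1)):
        raise ValueError("declared length %s != %d octets" % (m.group(1), len(data)))
    return data

def decode_signing_record(rdata_text):
    """Return (keyid, algorithm, state) for a 5-byte signing-state record.

    Layout per the BIND ARM: algorithm(1) keyid(2, big-endian) remove(1) complete(1).
    Records of any other length track NSEC3 chain changes, not per-key signing.
    """
    data = parse_generic_rdata(rdata_text)
    if len(data) != 5:
        return None, None, "nsec3"
    alg, keyid, remove, complete = data[0], int.from_bytes(data[1:3], "big"), data[3], data[4]
    state = "removing" if remove else ("done" if complete else "signing")
    return keyid, ALGORITHMS.get(alg, "ALG%d" % alg), state

def summarize(zone_text):
    """Summarize every TYPE65534 line in dig or zone-file output."""
    labels = {"signing": "Signing with key", "done": "Done signing with key",
              "removing": "Removing signatures for key"}
    out = []
    for line in zone_text.splitlines():
        fields = line.split(None, 4)   # owner ttl class type rdata
        if len(fields) == 5 and fields[3] == "TYPE65534":
            keyid, alg, state = decode_signing_record(fields[4])
            out.append("NSEC3 chain change in progress" if keyid is None
                       else "%s %d/%s" % (labels[state], keyid, alg))
    return out

# Constructed apex records: key 17318/RSASHA256 finished, key 2575/ECDSAP256SHA256 in progress.
SAMPLE = r"""adi.com.  0  IN  TYPE65534  \# 5 0843A60001
adi.com.  0  IN  TYPE65534  \# 5 0D0A0F0000
"""

if __name__ == "__main__":
    for entry in summarize(SAMPLE):
        print(entry)
```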