rndc signing -list not working?a

Evan Hunt each at isc.org
Mon Feb 22 16:17:04 UTC 2016

On Mon, Feb 22, 2016 at 10:52:25AM -0500, Thomas Schulz wrote:
> rndc signing -list adi.com in external
> I get 'No signing records found'
> Note that we use views and view external is what the world sees. I expected
> that the rndc signing command would show that the zone is signed.

When a zone is being signed by named, it stores temporary records at the
zone apex (RR type TYPE65534) to indicate the current state of the
signing process, so that if there's a power failure in the middle, named
will be able to resume. Those are the "signing records" referred to here.

At the end of the process there's a record left behind for each DNSKEY,
indicating that signing is complete for that key.  At that point you can
use "rndc signing -clear" to remove them if you want to (though personally
I just leave them).

Since those records aren't there now, I would guess you either already
cleared them at some point, or else some other signing mechanism was
used such as dnssec-signzone instead of the automatic signing in named.

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the bind-users mailing list