rndc signing -list not working?
Thomas Schulz
schulz at adi.com
Mon Feb 22 16:53:59 UTC 2016
> On Mon, Feb 22, 2016 at 10:52:25AM -0500, Thomas Schulz wrote:
> > rndc signing -list adi.com in external
> >
> > I get 'No signing records found'
> >
> > Note that we use views and view external is what the world sees. I expected
> > that the rndc signing command would show that the zone is signed.
>
> When a zone is being signed by named, it stores temporary records at the
> zone apex (RR type TYPE65534) to indicate the current state of the
> signing process, so that if there's a power failure in the middle, named
> will be able to resume. Those are the "signing records" referred to here.
>
> At the end of the process there's a record left behind for each DNSKEY,
> indicating that signing is complete for that key. At that point you can
> use "rndc signing -clear" to remove them if you want to (though personally
> I just leave them).
>
> Since those records aren't there now, I would guess you either already
> cleared them at some point, or else some other signing mechanism was
> used such as dnssec-signzone instead of the automatic signing in named.
>
> --
> Evan Hunt -- each at isc.org
> Internet Systems Consortium, Inc.
We are using automatic signing with the following in named.conf:

    zone "adi.com" {
        type master;
        file "adi.com.hosts.ext";      // unsigned source zone; named keeps the signed copy separately
        inline-signing yes;            // sign in a separate in-memory copy, leaving the file untouched
        key-directory "dnssec";        // where the K*.private / K*.key files live
        auto-dnssec maintain;          // load keys from key-directory and keep signatures current
    };

I don't think that I have ever done a clear, but named has been restarted
since the signing was done. The signing was done over a year ago.
Tom Schulz
Applied Dynamics Intl.
schulz at adi.com
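Added example, not code from the thread: a small Python decoder for the TYPE65534 signing-state records Evan describes, taken in the generic-rdata form dig prints for unknown types. The 5-byte layout (algorithm, key tag, removing flag, complete flag) and the status wording are assumptions modelled on BIND's private-type handling, and the sample lines are constructed; an empty result reproduces the "No signing records found" message from the question, which is why that output alone does not tell you whether the zone is signed.

```python
import re
from dataclasses import dataclass

# Constructed sample of what `dig @ns adi.com TYPE65534` might print; not real data.
SAMPLE = [
    "adi.com. 0 IN TYPE65534 \\# 5 0D 30 39 00 01",     # key 12345, alg 13, complete
    "adi.com. 0 IN TYPE65534 \\# 5 08 04 D2 00 00",     # key 1234, alg 8, in progress
    "adi.com. 0 IN TYPE65534 \\# 6 00 01 00 00 0A 00",  # NSEC3 chain record, skipped
]

ALG_NAMES = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512",
             13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}

# Layout assumption (BIND private-type records): alg(1) keytag(2, big-endian) removing(1) complete(1)
@dataclass
class SigningRecord:
    algorithm: int
    keytag: int
    removing: bool   # signatures made by this key are being removed
    complete: bool   # signing with this key has finished

    def status(self) -> str:
        name = ALG_NAMES.get(self.algorithm, f"alg{self.algorithm}")
        if self.removing:
            return f"Removing signatures from key {self.keytag}/{name}"
        if self.complete:
            return f"Done signing with key {self.keytag}/{name}"
        return f"Signing with key {self.keytag}/{name}"

_GENERIC = re.compile(r"\\#\s+(\d+)\s+((?:[0-9a-fA-F]{2}\s*)*)$")

def parse_generic_rdata(text: str) -> bytes:
    """Parse RFC 3597 '\\# <len> <hex>' rdata, the form dig uses for unknown types."""
    m = _GENERIC.search(text)
    if not m:
        raise ValueError(f"not generic rdata: {text!r}")
    data = bytes.fromhex(m.group(2))
    if len(data) != int(m.group(1)):
        raise ValueError("declared length does not match hex payload")
    return data

def decode_signing_records(lines):
    """Decode the 5-byte signing-state RRs; longer TYPE65534 RRs carry NSEC3 chain state."""
    out = []
    for line in lines:
        if "TYPE65534" not in line:
            continue
        d = parse_generic_rdata(line)
        if len(d) == 5:
            out.append(SigningRecord(d[0], int.from_bytes(d[1:3], "big"), bool(d[3]), bool(d[4])))
    return out

def summarize(records) -> list:
    """Same wording rndc uses; an empty list means cleared or signed elsewhere, not unsigned."""
    return [r.status() for r in records] or ["No signing records found"]
```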