Automatic DNSSEC signing workflow

Bob Harold rharolde at
Fri Jul 1 20:58:40 UTC 2016

On Fri, Jul 1, 2016 at 2:13 PM, dramaley <daniel.ramaley at> wrote:

> Hello. I'm running Bind 9.9.4 (the default that comes with RHEL 7). I'm
> trying to figure out a workflow for doing DNS updates with auto-dnssec
> turned on. When I have to update a zone file, I do so by editing the zone
> file and incrementing the serial number, then restarting Bind.
> Unfortunately, Bind doesn't pick up the changes. I suspect the reason is
> because with automatic signing, Bind increments the serial number on its own
> in the .signed version of the zone, and that the signed zone file will
> already have a higher serial than the file I had just edited. Is there a
> better workflow for doing DNS updates? Or would it be easier just to turn
> off auto-dnssec and go back to manually signing my zones?
> My zone file configuration looks like this:
>     zone "" {
>         type master;
>         file "external/";
>         auto-dnssec maintain;
>         inline-signing yes;
>         update-policy local;
>         key-directory "/etc/named/keys";
>     };
> Thanks in advance!
I am not using DNSSEC yet, but I would say try updating using nsupdate
instead of editing the file.

Bob Harold
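
The nsupdate route suggested in the reply, sketched as an added example that is not part of the original thread. The zone name, record and address are constructed placeholders (the posted config elides the zone name), and it assumes the script runs on the name server itself, where `nsupdate -l` can use the session key that `update-policy local;` relies on.

```shell
#!/bin/sh
# Added example: change a record by dynamic update instead of editing the
# zone file, so named adjusts the serial and re-signs the zone itself.

# Print an nsupdate batch that replaces the NAME/TYPE RRset with one record.
# Empty or multi-line fields are rejected so one call cannot carry extra
# nsupdate commands.
build_update() {
    zone=$1 name=$2 ttl=$3 type=$4 rdata=$5
    nl='
'
    for field in "$zone" "$name" "$ttl" "$type" "$rdata"; do
        case $field in
            ''|*"$nl"*)
                echo "build_update: empty or multi-line field" >&2
                return 1 ;;
        esac
    done
    case $ttl in
        *[!0-9]*) echo "build_update: TTL must be numeric" >&2; return 1 ;;
    esac
    printf 'zone %s\n' "$zone"
    printf 'update delete %s %s\n' "$name" "$type"
    printf 'update add %s %s %s %s\n' "$name" "$ttl" "$type" "$rdata"
    printf 'send\n'
}

# Send the batch to the local named; nothing is sent if validation fails.
apply_update() {
    batch=$(build_update "$@") || return 1
    printf '%s\n' "$batch" | nsupdate -l
}

# SOA serial as served by the local named, to compare before and after.
soa_serial() {
    dig +short @127.0.0.1 "$1" SOA | awk '{print $3}'
}

# Usage on the server (placeholder names):
#   soa_serial example.test
#   apply_update example.test www.example.test. 300 A 192.0.2.10
#   soa_serial example.test
#   dig +dnssec @127.0.0.1 www.example.test A    # expect an RRSIG with the A record
```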