Automatic DNSSEC signing workflow

Tony Finch dot at
Mon Jul 4 14:38:51 UTC 2016

dramaley <daniel.ramaley at> wrote:

> Hello. I'm running Bind 9.9.4 (the default that comes with RHEL 7). I'm
> trying to figure out a workflow for doing DNS updates with auto-dnssec
> turned on. When I have to update a zone file, I do so by editing the zone
> file and incrementing the serial number, then restarting Bind.
> Unfortunately, Bind doesn't pick up the changes.

Does it work better if you run `rndc reload` or equivalent (e.g. service
bind reload)?

> I suspect the reason is because with automatic signing, Bind increments
> the serial number on its own in the .signed version of the zone, and
> that the signed zone file will already have a higher serial than the
> file i had just edited.

With an inline-signing zone, named maintains two versions of the zone with
separate serial numbers. If you have correctly updated the serial number
on the unsigned version it should work, regardless of the signed serial
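
An added example of the workflow the reply describes (edit the unsigned zone file, bump its SOA serial, then `rndc reload` rather than restart), scripted as a POSIX shell helper. This is not code from the thread or from BIND; the zone name `example.com`, the file path, the sample zone content and the convention that the serial sits on a line ending in `; serial` are all assumptions for the illustration. With an inline-signing zone the unsigned file's serial only needs to be higher than its own previous value; the signed serial that named maintains is separate.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the unsigned zone
# file keeps its SOA serial on a line ending in "; serial" (common multi-line
# SOA layout); zone name and path are made up for the illustration.
set -eu

ZONE="${ZONE:-example.com}"                          # assumed zone name
ZONEFILE="${ZONEFILE:-/var/named/example.com.db}"    # assumed path

# Write a constructed sample unsigned zone (not real data) with serial $2.
make_sample_zone() {
    cat > "$1" <<EOF
\$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. (
        $2          ; serial
        7200        ; refresh
        900         ; retry
        1209600     ; expire
        3600 )      ; minimum
    IN NS  ns1.example.com.
ns1 IN A   192.0.2.1
EOF
}

# Print the SOA serial currently in the unsigned zone file.
get_serial() {
    awk '/; *serial/ { print $1; exit }' "$1"
}

# Bump the serial in place and print the new value. A YYYYMMDDnn serial
# restarts at today's date + 00 when the date has moved on; anything else
# (including a same-day date serial) is incremented by one. Either way the
# new value is strictly greater than the old one, which is all named needs.
bump_serial() {
    file="$1"
    old=$(get_serial "$file")
    today=$(date -u +%Y%m%d)
    case "$old" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
            if [ "${old%??}" -lt "$today" ]; then
                new="${today}00"
            else
                new=$((old + 1))
            fi ;;
        *)  new=$((old + 1)) ;;
    esac
    # Rewrite only the serial token on the "; serial" line.
    awk -v old="$old" -v new="$new" '
        /; *serial/ && !done { sub(old, new); done = 1 }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    echo "$new"
}

# Reload the zone instead of restarting named, so it re-reads the unsigned
# file and re-signs. Prints the command instead when DRY_RUN=1 or when rndc
# is not installed, so the script can be exercised on a workstation.
reload_zone() {
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v rndc >/dev/null 2>&1; then
        echo "dry-run: rndc reload $1"
    else
        rndc reload "$1"
    fi
}

# Demo on a constructed zone file in a temp dir; no rndc is invoked.
demo() {
    tmp=$(mktemp -d)
    make_sample_zone "$tmp/$ZONE.db" 2016070401
    echo "old serial: $(get_serial "$tmp/$ZONE.db")"
    echo "new serial: $(bump_serial "$tmp/$ZONE.db")"
    DRY_RUN=1 reload_zone "$ZONE"
    rm -rf "$tmp"
}
demo
```

On a real server, run `bump_serial "$ZONEFILE"` after editing the unsigned file, then `reload_zone "$ZONE"`, and confirm the pick-up with `rndc zonestatus example.com` (which for an inline-signing zone reports both the unsigned serial and the signed serial) or `dig +short SOA example.com @127.0.0.1`, whose serial is the signed one and so will differ from the file's.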

