Automatic DNSSEC signing workflow

Daniel A. Ramaley daniel.ramaley at
Tue Jul 5 14:02:00 UTC 2016

On 2016-07-04 at 15:44:32 Tony Finch <dot at> wrote:
> In most cases it is best to either use `nsupdate` exclusively, or
> directly edit the master file, but not a mixture of the two. If you
> are using `nsupdate` then there is no need for inline-signing.

From the responses I received, it seems I completely misunderstood how
automatic signing is supposed to work. If I'm now understanding
correctly, there are 2 mutually exclusive ways to do things:
  1) Maintain zone files with a text editor, and sign them manually.
  2) Maintain zones with nsupdate, and let BIND sign them.

It seems I was mixing the two and not getting the results I expected.
I'll talk it over with our network administrators (they do most of our 
DNS updates) and see which way they'd prefer to maintain zones, and then 
provide appropriate instructions.

Thanks everyone for clearing up my confusion!

P.S.: Cool e-mail address. I first heard of dot at some years 
ago when a friend found out about it randomly. I never expected to 
communicate with the owner of that address though!

Daniel A. Ramaley  |  Server Engineer 2
Information Technology Services (ITS) | Drake University

T: +1 (515) 271-4540
F: +1 (515) 271-1938
E: daniel.ramaley at
