Automatic DNSSEC signing workflow

Daniel A. Ramaley daniel.ramaley at
Tue Jul 5 15:14:18 UTC 2016

On 2016-07-05 at 15:26:31 Tony Finch wrote:
> There is a third option:
> 3) Maintain zone files with a text editor, and use inline-signing mode
> to get named to sign them.
> For option 3 you don't want an update-policy clause.

OK, that's actually the behavior that i was trying to achieve. Earlier i 
tried commenting out the update-policy line and doing some testing and 
it didn't work. But then i discovered a permissions problem on some of 
the key files. Once i fixed the key files permissions, Bind started 
behaving exactly the way i'd like it to!

Thanks again for the help! I've done enough testing now that i'm 
reasonably confident Bind is behaving the way we want it to, where we 
can maintain the zone files with a text editor, but let Bind manage the 

Daniel A. Ramaley  |  Server Engineer 2
Information Technology Services (ITS) | Drake University

T: +1 (515) 271-4540
F: +1 (515) 271-1938
E: daniel.ramaley at

More information about the bind-users mailing list