Automatic RRSIG Refresh in BIND 9.8.2

Tony Finch dot at
Wed Jun 14 18:56:51 UTC 2017

Latitude <arlendelcastillo at> wrote:
> I have read in Michael W. Lucas' DNSSEC Mastery book that BIND 9.9 and newer
> can automatically sign zones and refresh signatures (RRSIGs), but older
> versions cannot (p. 53).

That isn't entirely correct: BIND has had automatic signing since 9.7
(if I remember correctly - it has been a long time). You just need to
set `auto-dnssec maintain;` and (for simple cases) `update-policy local;`.
See section 4.9.3 on page 26 of

Also see my blog about DNSSEC in BIND 9.8 from 6 years ago (thanks Red Hat
for keeping such ancient relics relevant for so long)

What was new in 9.9 was inline-signing mode. Shameless plug: you can get
something very like inline-signing mode for antediluvian versions of BIND
using my `nsdiff` program

f.anthony.n.finch  <dot at>  -  I xn--zr8h punycode
Humber, Thames: East or southeast, veering southwest later, 4 or 5,
occasionally 6 later in Thames. Smooth or slight, occasionally moderate later
in Thames. Fair. Good.

More information about the bind-users mailing list