Bind9 forward/reverse zones with multiple TSIG keys

Grant Taylor gtaylor at
Fri Feb 1 20:18:25 UTC 2019

On 02/01/2019 08:31 AM, ObNox wrote:
> Sorry for the late replies, I'm drowning with all the stuff I have to do 
> and getting late on every project.

It's all good.

Thank you for the follow up.

> I always use this method. It's way slower but I end up having a better 
> understanding of each component and I know why it works (instead of 
> being surprised it works :))


> Indeed you nailed it! The minute I activate the "allow-update { key XXX; 
> };" statement, "rndc reload" does not reload the zones even if the 
> contents were updated the proper way.
> I have to "freeze" + "thaw" to see them properly (re)loaded!


> The journal data, at this point must be memory-only because no journal 
> file is written upon "rndc reload" after the dynamic updates transition.


Maybe I have different settings or a different version which causes the 
journal files to be created.  Or maybe I've not looked quickly enough to 
see the time when they don't exist.

But in the end, it works for you.

> I'll be using nsupdate only in the future but you know, the "test each 
> component first" strategy bites you in the ass. In this case, it looked 
> like some bug was triggered where in reality, there was nothing...


nsupdate with keys from remote systems is entertaining too.

I've often wondered about creating a web-based management system that 
used dynamic updates via keys.  I just never needed to go there.

> Good catch, Bind did what you were thinking, you wizard :)

I question the wizard bit.  I have been tripped up by that.  I've got 
the scars to prove it.

> I don't need luck, I need people who know! And that's what I had, so 
> thank you :)

You're welcome.  I'm glad that things are working the way that you want.

Grant. . . .
unix || die


More information about the bind-users mailing list