Debug logging for auto-dnssec inline signing

Tony Finch dot at dotat.at
Mon Nov 11 12:45:16 UTC 2019


Matthew Richardson <matthew-l at itconsult.co.uk> wrote:

> What "category" should one be logging in order to get details of DNSSEC
> inline signing when running Bind 9.8.11?

I guess you mean 9.11.8 :-) The 9.8 branch ended with 9.8.8 and it has
been unsupported for ages.

Yes, there is not very much logging of automatic zone signing. I think that
has been improved a bit in 9.15 but I haven't looked at it in detail.

> I have an authoritative master server with a number of domains set with:-
>
>     inline-signing yes;
>     auto-dnssec maintain;
>
> and have a suspicion that Bind has simply stopped re-signing most of them.

There have been some bugs in this area which were fixed in 9.13.3 and that
don't appear in the 9.11 branch - but I don't know if the fixes are
relevant to 9.11.

See changes 5015, 5014, 5004
https://gitlab.isc.org/isc-projects/bind9/blob/v9_13_3/CHANGES

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Shetland Isles: East 5 to 7, backing northeast 6 to gale 8. Moderate or rough,
becoming rough or very rough later, occasionally high in west. Rain or
showers. Moderate or good, occasionally poor.
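
Added example, not part of the original message and not BIND's own code: a check for the symptom raised in the thread (signatures that named has stopped refreshing), run over RRSIG records in dig's one-line output format. The sample records, the clock value, the function names and the one-quarter threshold (BIND's documented default re-sign point for sig-validity-interval) are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the one-line format printed by `dig +dnssec`; not real zone data.
SAMPLE = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2019111101 3600 900 604800 3600
example.org. 3600 IN RRSIG SOA 8 2 3600 20191205120000 20191105110000 12345 example.org. c2FtcGxl
example.org. 3600 IN RRSIG NS 8 2 3600 20191114093000 20191015083000 12345 example.org. c2FtcGxl
www.example.org. 300 IN RRSIG A 8 3 300 20191109000000 20191010000000 12345 example.org. c2FtcGxl
"""
NOW = datetime(2019, 11, 11, 12, 45, 16, tzinfo=timezone.utc)  # constructed clock value

def _ts(field):
    # RFC 4034 section 3.2: YYYYMMDDHHmmSS in UTC, or seconds since the epoch.
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsigs(text):
    """Yield (owner, covered_type, key_tag, inception, expiration) for each RRSIG line."""
    for line in text.splitlines():
        f = line.split()
        # owner ttl class RRSIG covered alg labels origttl expiration inception tag signer sig
        if len(f) < 13 or f[2].upper() != "IN" or f[3].upper() != "RRSIG":
            continue
        yield f[0], f[4], int(f[10]), _ts(f[9]), _ts(f[8])

def stale_rrsigs(text, now, resign_fraction=0.25):
    """Return (state, owner, covered_type, key_tag) for signatures not refreshed in time."""
    findings = []
    for owner, covered, tag, inception, expiration in parse_rrsigs(text):
        lifetime = expiration - inception
        remaining = expiration - now
        if remaining <= timedelta(0):
            state = "EXPIRED"
        elif remaining < lifetime * resign_fraction:
            # Assumption: default behaviour, re-sign once a quarter of the lifetime is left.
            state = "OVERDUE"
        else:
            continue
        findings.append((state, owner, covered, tag))
    return findings

if __name__ == "__main__":
    for finding in stale_rrsigs(SAMPLE, NOW):
        print(*finding)
```

Lines that are not one-line RRSIG records are ignored, so `dig +multi` output needs to be re-queried without `+multi` first. A zone with a non-default sig-validity-interval needs `resign_fraction` adjusted to match.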

