Debug logging for auto-dnssec inline signing

Matthew Richardson matthew-l at
Mon Nov 11 17:24:13 UTC 2019

Tony Finch <dot at> wrote:-

>> What "category" should one be logging in order to get details of DNSSEC
>> inline signing when running Bind 9.8.11?
>I guess you mean 9.11.8 :-) The 9.8 branch ended with 9.8.8 and it has
>been unsupported for ages.

Correct - I need to practice my proof reading skills :-(

>Yes, there is not very much logging automatic zone signing. I think that
>has been improved a bit in 9.15 but I haven't looked at it in detail.

Hopefully some helpful ISC person will be along shortly with better
particulars of the logging available for automatic signing in both 9.11 &
later releases.

I do seem to recall reading that RIPE chose Knot over Bind for DNS signing
related to the logging.

>> I have an authoratitive master server with a number of domains set with:-
>>     inline-signing yes;
>>     auto-dnssec maintain;
>> and have a suspicion that Bind has simply stopped re-signing most of them.

It turns out that I became nervous one day before I should have.  The zones
in question were re-signed overnight.

>There have been some bugs in this area which were fixed in 9.13.3 and that
>don't appear in the 9.11 branch - but I don't know if the fixes are
>relevant to 9.11.
>See changes 5015, 5014, 5004

Those are indeed interesting, thanks.  Perhaps this suggests that sticking
with the ESV version might be less prudent on DNSSEC signers.  Do you (or
others) have a view on this?

Best wishes,

More information about the bind-users mailing list