The signed domain file rewritten
vesely at tana.it
Tue Nov 12 18:21:21 UTC 2019
On Tue 12/Nov/2019 13:39:30 +0100 Jim Popovitch via bind-users wrote:
> On 11/12/19 4:42 AM, Alessandro Vesely wrote:
>> I have a signed domain, with inline-signing yes and auto-dnssec maintain.
>> Although the domain is static, the .signed and .signed.jnl files are being
>> rewritten without apparent reason. They are about a month newer than the
>> corresponding .jbk and base files.
>> I notice that because of tripwire complaints. I guess I have to tweak that
>> config, unless there's a way to prevent or foresee those rewritings.
> I use this in twpol.txt:
> /etc -> $(SEC_BIN) (recurse=true) ;
> !/etc/bind/zone ;
Yeah, that's a possibility.
Not that I rely on tripwire more than I should, but leaving the zone outside
the controlled area means to blindly sign whatever happens to be in the zone.
More information about the bind-users