Bind 9.11.13 - inline re-signing stops
matthew-l at itconsult.co.uk
Thu Mar 5 17:20:57 UTC 2020
Firstly a big thank you to Mark and Ondrej for their assistance, which
tracked down the issue. I understand it will be fixed in the next releases.

My particular issue seemed to relate to the unsigned zonefiles being
touched (by my automation) without the contents changing, followed by an
"rndc reload". This caused some domains to stop re-signing, the symptom of
which could be seen by the lack of "next key event:" in the logs for the

It turned out that "rndc reconfig" fixed the issue, making it easy to work
around the problem.
>From: Matthew Richardson <matthew-l at itconsult.co.uk>
>To: BIND Users <bind-users at lists.isc.org>
>Date: Sat, 22 Feb 2020 19:49:22 +0000
>Subject: Re: Bind 9.11.13 - inline re-signing stops
>Thank you for your advice below. I have attempted a dump on the live
>running server and have uploaded the results to issue #1627.
>If I need to try again, please let me know... :-)
>There are a few more days before I need to restart Named.
>>From: Ondřej Surý <ondrej at isc.org>
>>To: Matthew Richardson <matthew-l at itconsult.co.uk>
>>Cc: BIND Users <bind-users at lists.isc.org>
>>Date: Thu, 20 Feb 2020 18:07:50 +0100
>>Subject: Re: Bind 9.11.13 - inline re-signing stops
>>we'll write some generic instruction on how to get a coredump from a running named
>>(without crashing it) - generally you want to use gcore.
>>Then here you can continue as if the named has crashed and get us a thread stack trace.
>>As we need to access very specific data structure, please add the information to the issue
>>you have opened, and we'll pick it up from there. You can also share the coredump and the
>>binaries with us using pandora.isc.org service, but please be aware that the memory dump
>>can (and probably will) contain the DNSSEC signing private keys.
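
The symptom described in this thread (signed zones that stop logging "next key event:") can be checked for mechanically. The following is an added example, not part of the original messages and not ISC code: it scans a named log and reports zones whose last "next key event:" line is older than a threshold. The log line layout, the zone names and the two-hour threshold are assumptions; the sample log is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (zone names and times are invented for illustration).
SAMPLE_LOG = """\
05-Mar-2020 10:00:01.100 zone example.com/IN (signed): next key event: 05-Mar-2020 11:00:01.100
05-Mar-2020 10:00:01.200 zone example.net/IN (signed): next key event: 05-Mar-2020 11:00:01.200
05-Mar-2020 10:30:00.000 received control channel command 'reload'
05-Mar-2020 11:00:01.100 zone example.com/IN (signed): next key event: 05-Mar-2020 12:00:01.100
05-Mar-2020 12:00:01.100 zone example.com/IN (signed): next key event: 05-Mar-2020 13:00:01.100
05-Mar-2020 13:00:01.100 zone example.com/IN (signed): next key event: 05-Mar-2020 14:00:01.100
"""

# Assumed layout: leading timestamp, optional category/severity, then the zone message.
STAMP = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}")
KEY_EVENT = re.compile(r"zone (?P<zone>\S+?)/IN \(signed\): next key event:")
FMT = "%d-%b-%Y %H:%M:%S.%f"


def stalled_zones(log_text, max_gap=timedelta(hours=2)):
    """Return {zone: last_seen} for zones whose newest 'next key event:' line
    is more than max_gap older than the newest timestamp found in the log.

    max_gap is an assumed threshold; set it above the interval at which
    your server normally logs the message for a healthy zone.
    """
    last_seen = {}
    newest = None
    for line in log_text.splitlines():
        stamp = STAMP.match(line)
        if not stamp:
            continue  # continuation or foreign line without a timestamp
        ts = datetime.strptime(stamp.group(0), FMT)
        if newest is None or ts > newest:
            newest = ts
        event = KEY_EVENT.search(line)
        if event:
            last_seen[event.group("zone")] = ts
    if newest is None:
        return {}
    return {z: t for z, t in last_seen.items() if newest - t > max_gap}


if __name__ == "__main__":
    for zone, seen in sorted(stalled_zones(SAMPLE_LOG).items()):
        print(f"{zone}: no 'next key event' since {seen.strftime(FMT)}")
```

A zone that never logged the message within the scanned file will not appear in the result, so compare the output against the list of zones you expect to be inline-signed.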