Bind 9.11.13 - inline re-signing stops

Matthew Richardson matthew-l at
Thu Mar 5 17:20:57 UTC 2020

Firstly a big thank you to Mark and Ondrej for their assistance, which
tracked down the issue.  I understand it will be fixed in the next releases.

My particular issue seemed to relate to the unsigned zonefiles being
touched (by my automation) without the contents changing, followed by an
"rndc reload".  This caused some domains to stop re-signing, the symptom of
which could be seen by the lack of "next key event:" in the logs for the
failing domains.

It turned out that "rndc reconfig" fixed the issue, making it easy to work
around the problem.

Best wishes,

>From: Matthew Richardson <matthew-l at>
>To: BIND Users <bind-users at>
>Date: Sat, 22 Feb 2020 19:49:22 +0000
>Subject: Re: Bind 9.11.13 - inline re-signing stops

>Dear Ondrej,
>Thank you for your advice below.  I have attempted a dump on the live
>running server and have uploaded the results to issue #1627.
>If I need to try again, please let me know...  :-)
>There are a few more days before I need to restart Named.
>Best wishes,
> ------
>>From: Ondřej Surý <ondrej at>
>>To: Matthew Richardson <matthew-l at>
>>Cc: BIND Users <bind-users at>
>>Date: Thu, 20 Feb 2020 18:07:50 +0100
>>Subject: Re: Bind 9.11.13 - inline re-signing stops
>>Hi Matthew,
>>we’ll write some generic instructions on how to get a coredump from a running named
>>(without crashing it) - generally you want to use gcore[1].
>>Then here you can continue as if the named has crashed and get us a thread stack trace[2].
>>As we need to access very specific data structure, please add the information to the issue
>>you have opened, and we’ll pick it up from there.  You can also share the coredump and the
>>binaries with us using service, but please be aware that the memory dump
>>can (and probably will) contain the DNSSEC signing private keys.
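
The symptom reported at the top of this thread (affected zones stop logging "next key event:") can be checked for automatically. The following is an added example, not part of the original thread or of BIND: it assumes named's default log line layout and that a healthy inline-signed zone logs that line at least once per `max_age`; the zone names, log lines and threshold are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in named's default log layout (assumed format; zone names are made up).
SAMPLE_LOG = """\
05-Mar-2020 14:00:01.120 zone good.example/IN (signed): reconfiguring zone keys
05-Mar-2020 14:00:01.131 zone good.example/IN (signed): next key event: 05-Mar-2020 15:00:01.120
05-Mar-2020 14:00:02.450 zone stuck.example/IN (signed): next key event: 05-Mar-2020 15:00:02.450
05-Mar-2020 14:30:10.002 received control channel command 'reload'
05-Mar-2020 15:00:01.140 zone good.example/IN (signed): next key event: 05-Mar-2020 16:00:01.120
05-Mar-2020 16:00:01.150 zone good.example/IN (signed): next key event: 05-Mar-2020 17:00:01.120
"""

# Matches only the "next key event:" lines and captures log time and zone name.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"zone (?P<zone>\S+?)/IN(?: \(signed\))?: next key event:"
)

def last_key_events(log_text):
    """Map zone name -> timestamp of its most recent 'next key event:' line."""
    last = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
            zone = m.group("zone")
            last[zone] = max(ts, last.get(zone, ts))
    return last

def stalled_zones(log_text, expected_zones, now, max_age):
    """Return expected zones with no 'next key event:' line newer than now - max_age."""
    last = last_key_events(log_text)
    cutoff = now - max_age
    # Zones that never logged the line are treated as stalled too.
    return sorted(z for z in expected_zones if last.get(z, datetime.min) < cutoff)

if __name__ == "__main__":
    now = datetime(2020, 3, 5, 16, 30)
    zones = ["good.example", "stuck.example", "never.example"]
    for z in stalled_zones(SAMPLE_LOG, zones, now, timedelta(hours=2)):
        print(f"{z}: no recent 'next key event:' line, check signing (rndc reconfig)")
```

Feed it the list of zones that are expected to be inline-signed, so that a zone which has gone completely silent is reported rather than skipped.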
