debian11 + bind-9.16.15 + dnssec-policy = lost zonefiles + crashes

Matthijs Mekking matthijs at
Mon Aug 16 08:32:35 UTC 2021


On 16-08-2021 04:28, raf via bind-users wrote:
> On Sun, Aug 15, 2021 at 10:35:27PM +1000, raf <bind at> wrote:
> So it's looking good and I'm happy now. But how long
> after the zone has been signed can I expect to see
> CDS/CDNSKEY RRs appear? Why aren't they created at
> the same time as the DNSKEY RRs? I assume there's
> a good reason but I can't think what it is.

First, the RRsets with signatures need to be in the zone long enough that 
any cached unsigned RRsets in resolvers' caches have expired.

If you call 'rndc dnssec -status <zone>', you might see that the "zone 
rrsigs" are still in the "rumoured" state. Once they are omnipresent, 
the DS may be submitted, and that is the time when the corresponding 
CDS/CDNSKEY records will be published.

> Also, please document the dangers of putting a
> dnssec-policy usage directive in the options {} stanza
> (unless something significant has changed since version
> 9.16.15, and bind now knows not to sign zones that
> really shouldn't be signed locally - but even if that's
> the case, you could document what version that changed in).

That's a good addition. There are a bunch of other suggestions to 
improve the documentation that I am planning to make and I'll add this 
suggestion to the list. Thanks.

> Thanks again for making DNSSEC so easy to implement
> (as long as you avoid classic rookie errors). :-)

Thanks for trying it out and reporting back, this way we can improve it 
even more.

Best regards,


> cheers,
> raf
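As an added operator-side check (not code from this thread or from BIND itself), the Python below parses the per-key state lines of `rndc dnssec -status` output and reports whether a key has reached the point the reply describes: DNSKEY and RRSIGs omnipresent, so the DS may be submitted and CDS/CDNSKEY should follow. The output layout and the rule that DNSKEY, key RRSIG and zone RRSIG must all be omnipresent are assumptions; the sample status text is constructed.

```python
import re
from typing import Dict, List

# Constructed sample resembling 'rndc dnssec -status example.com' a few hours
# after first signing (layout is an assumption, not copied from BIND output).
SAMPLE_STATUS = """\
dnssec-policy: default
current time:  Mon Aug 16 08:30:00 2021

key: 12345 (ECDSAP256SHA256), CSK
  published:      yes - since Mon Aug 16 04:30:00 2021
  key signing:    yes - since Mon Aug 16 04:30:00 2021
  zone signing:   yes - since Mon Aug 16 04:30:00 2021

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             hidden
  - zone rrsig:     rumoured
  - key rrsig:      omnipresent
"""

# Records whose state gates DS submission (assumption: all three must be omnipresent).
GATING = ("dnskey", "key rrsig", "zone rrsig")
KEY_RE = re.compile(r"^key:\s*(\d+)")
STATE_RE = re.compile(r"^\s*-\s*(dnskey|ds|zone rrsig|key rrsig):\s*(\w+)")


def parse_key_states(status: str) -> Dict[str, Dict[str, str]]:
    """Return {key_id: {record_type: state}} from rndc dnssec -status text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in status.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = STATE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def keys_ready_for_ds(status: str) -> List[str]:
    """Key IDs whose gating records are all omnipresent (CDS/CDNSKEY expected)."""
    return [k for k, st in parse_key_states(status).items()
            if all(st.get(r) == "omnipresent" for r in GATING)]


def waiting_on(status: str) -> Dict[str, List[str]]:
    """For each key not yet ready, the gating records still not omnipresent."""
    return {k: [r for r in GATING if st.get(r) != "omnipresent"]
            for k, st in parse_key_states(status).items()
            if not all(st.get(r) == "omnipresent" for r in GATING)}
```

Run it against real `rndc dnssec -status <zone>` output to see which RRset is still "rumoured" before expecting CDS/CDNSKEY records in the zone.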
