Bind 9.20 inline signing - not signing whole file, only dynamic updated entries.
Benoît Panizzon
benoit.panizzon at imp.ch
Fri Apr 17 09:37:42 UTC 2026
Hi Bind gang!
After upgrading to 9.20 I disabled default inline signing to get my
stuff working again.
Now I decided having a shot at inline signing but despite trying to
follow different guides I always get stuck at the same place.
I have an unsigned zone file, keys with correct permissions etc.
zone "example.com" {
    type master;
    file "example.com";
    allow-update {
        key update-key;
    };
    allow-transfer { secondaries; };
    dnssec-policy default;
    key-directory "/etc/bind/keys";
};
When I issue rndc reconfig after this, I see those lines in the log,
which, to me, look good...
(unsigned): loaded serial 2007126012
(signed): serial 2007126013 (unsigned 2007126012)
(signed): sending notifies (serial 2007126013)
example.com.signed
example.com.signed.jnl
were created.
But when I check the zone on the secondaries, it's not signed. Same when
I get the zone by doing an AXFR from the primary - no RRSIG entries.
When I issue rndc signing -list example.com I get
No signing records found
According to the examples, I should get 'done signing'.
I tried: rndc sign example.com to force sign the zone. Nothing changes.
When I add an entry with nsupdate then that one entry is signed and the
SOA also is getting signed as the serial incremented.
What could I be missing?
--
Kind regards
-Benoît Panizzon- @ HomeOffice and reachable as usual
--
I m p r o W a r e A G - Head of Commerce Customers
Zurlindenstrasse 29     Tel +41 61 826 93 00
CH-4133 Pratteln        Fax +41 61 826 93 01
Switzerland             Web http://www.imp.ch
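The symptom described in the post (an AXFR of the "signed" zone carrying RRSIGs only on the SOA and on the name added via nsupdate) can be checked mechanically rather than by eye. The script below is an added example, not code from the original post or from BIND: it parses the one-record-per-line presentation format that `dig @primary example.com AXFR` prints, reports which RRsets have a covering RRSIG, and checks whether the apex publishes a DNSKEY at all. The sample zone text, names, addresses, key tag and signature bytes are constructed for illustration; the function names are the example's own.

```python
"""Report RRsets in a zone dump that lack a covering RRSIG.

Added example (not from the original post or from BIND). Input is the
simple 'owner ttl class type rdata' layout that `dig AXFR` emits; $ORIGIN,
$TTL and multi-line records are not handled because AXFR output has none.
"""

# Constructed sample: only the SOA and a dynamically added name carry RRSIGs,
# the statically loaded records do not, and no DNSKEY is present at the apex.
SAMPLE_ZONE = """\
example.com.      3600 IN SOA   ns1.example.com. hostmaster.example.com. 2007126013 7200 3600 1209600 3600
example.com.      3600 IN RRSIG SOA 13 2 3600 20260501000000 20260417000000 12345 example.com. b2xkZmFrZXNpZw==
example.com.      3600 IN NS    ns1.example.com.
ns1.example.com.  3600 IN A     192.0.2.1
www.example.com.  3600 IN A     192.0.2.10
new.example.com.  3600 IN A     192.0.2.20
new.example.com.  3600 IN RRSIG A 13 3 3600 20260501000000 20260417000000 12345 example.com. b2xkZmFrZXNpZw==
"""


def parse_zone(text):
    """Return a list of (owner, rtype, rdata_fields) tuples, one per record line."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError(f"unexpected record layout: {line!r}")
        owner, _ttl, _cls, rtype = fields[:4]
        records.append((owner.lower(), rtype.upper(), fields[4:]))
    return records


def signing_report(text):
    """Map each non-RRSIG RRset (owner, type) to True if an RRSIG covers it."""
    rrsets = set()
    covered = set()
    for owner, rtype, rdata in parse_zone(text):
        if rtype == "RRSIG":
            # The first RRSIG rdata field is the type covered by the signature.
            covered.add((owner, rdata[0].upper()))
        else:
            rrsets.add((owner, rtype))
    return {rrset: rrset in covered for rrset in sorted(rrsets)}


def unsigned_rrsets(text):
    """List the RRsets that have no covering RRSIG, in sorted order."""
    return [rrset for rrset, signed in signing_report(text).items() if not signed]


def has_apex_dnskey(text, apex):
    """True if the apex publishes a DNSKEY RRset; without one the zone is not signed."""
    apex = apex.lower()
    return any(owner == apex and rtype == "DNSKEY" for owner, rtype, _ in parse_zone(text))


if __name__ == "__main__":
    for (owner, rtype), signed in signing_report(SAMPLE_ZONE).items():
        print(f"{'signed  ' if signed else 'UNSIGNED'} {owner} {rtype}")
    print("apex DNSKEY present:", has_apex_dnskey(SAMPLE_ZONE, "example.com."))
```

Replace `SAMPLE_ZONE` with the real AXFR output to run it against a zone. On a fully signed zone every RRset (including the NSEC or NSEC3 records BIND adds) should show as signed, and the apex must carry a DNSKEY RRset; a zone where only the SOA and recently updated names are signed, and no DNSKEY is published, matches what the post describes. For a zone managed by `dnssec-policy`, `rndc dnssec -status example.com` shows the key-manager state that `rndc signing -list` does not.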