Bind 9.20 inline signing - not signing whole file, only dynamic updated entries.

Peter Davies peterd at isc.org
Fri Apr 17 10:45:44 UTC 2026


Hi Benoît,
   When run from the primary, what do the following commands return?
dig @127.0.0.1 example.com +dnssec
dig @127.0.0.1 example.com soa +dnssec

/Peter


On 17/04/2026 11.37, Benoît Panizzon wrote:
> Hi Bind gang!
>
> After upgrading to 9.20 I disabled default inline signing to get my
> stuff working again.
>
> Now I decided having a shot at inline signing but despite trying to
> follow different guides I always get stuck at the same place.
>
> I have an unsigned zone file, keys with correct permissions etc.
>
> zone "example.com" {
>          type master;
>          file "example.com";
>          allow-update {
>                  key update-key;
>          };
>          allow-transfer { secondaries; };
>          dnssec-policy default;
>          key-directory "/etc/bind/keys";
> };
>
> When I issue rndc reconfig after this, I see those lines in the log,
> which to me, look good...
>
> (unsigned): loaded serial 2007126012
> (signed): serial 2007126013 (unsigned 2007126012)
> (signed): sending notifies (serial 2007126013)
>
> example.com.signed
> example.com.signed.jnl
>
> were created.
>
> But when I check the zone on the secondaries, it's not signed. Same when
> I get the zone by doing an AXFR from the primary - no RRSIG entries.
>
> When I issue rndc signing -list example.com I get
>
> No signing records found
>
> according to the examples, I should get 'done signing'.
>
> I tried: rndc sign example.com to force sign the zone. Nothing changes.
>
> When I add an entry with nsupdate then that one entry is signed and the
> SOA also is getting signed as the serial incremented.
>
> What could I be missing?
>
-- 
Peter Davies
Support Engineer
Internet Systems Corporation
peterd at isc.org
001 650-423-1460