Bind 9.20 inline signing - not signing whole file, only dynamic updated entries.
Benoît Panizzon
benoit.panizzon at imp.ch
Fri Apr 17 12:04:43 UTC 2026
Hi Peter
> Run from the primary what do the following commands return
> dig @127.0.0.1 example.com +dnssec
> dig @127.0.0.1 example.com soa +dnssec
No DNSSEC-related entries.
I revisited https://kb.isc.org/docs/dnssec-key-and-signing-policy and
probably got confused by the statement that only adding:
dnssec-policy default;
would get an unsigned zone signed. Hey wait! No dnssec-keygen
to create the keys?
The default policy specifies what kind of keys to use etc. So maybe I
got too far and created keys which were not necessary? Would they be
created on the fly by what is specified in the policy?
So I went ahead, started over and deleted the keys I had manually
created with dnssec-keygen for that zone in /etc/bind/keys which
worked for dynamic updates.
froze / sync -clean zonefile, delete .signed files.
Incremented serial in the plain unsigned file.
rndc reconfig
rndc thaw zone
(unsigned): loaded serial 2007126014
(signed): could not get zone keys for secure dynamic update
(signed): serial 2007126014 (unsigned 2007126014)
(signed): sending notifies (serial 2007126014)
Oh well, it needs the key files - at least for dynamic updates to work.
But why does it say (signed)? Were the keys autocreated? Where?
Can't find them in /etc/bind/keys nor in the debian /var/cache/bind
directory where the zonefiles reside.
rndc signing -list still states "No signing records found"
I guess I'm missing some small crucial detail.
--
Kind regards
-Benoît Panizzon- @ HomeOffice and reachable as normal
--
I m p r o W a r e A G - Head of Commerce Customers
______________________________________________________
Zurlindenstrasse 29 Tel +41 61 826 93 00
CH-4133 Pratteln Fax +41 61 826 93 01
Switzerland Web http://www.imp.ch
______________________________________________________
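The two dig checks Peter suggested are the quickest way to tell whether a zone is really being served signed: with +dnssec, every RRset in the answer section of a signed zone comes back with an RRSIG covering it, and the EDNS line shows the DO flag. The script below is an added example, not part of this thread or of BIND itself. It parses the text dig prints and reports, per RRset, whether a covering RRSIG is present; the two dig outputs embedded in it are constructed samples (the serial is the one from the post, the key tag and signature bytes are made up), so it runs offline, and it can also read real dig output from stdin.

```python
"""Check whether `dig ... +dnssec` output actually carries DNSSEC signatures.

Added example (not from the bind-users post or from BIND). Usage:
  dig @127.0.0.1 example.com soa +dnssec | python3 check_dnssec_answer.py
With no piped input it runs over the constructed SIGNED_SOA sample below.
"""
import re
import sys

# A resource record line as dig prints it: owner, TTL, class, type, rdata.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")
# EDNS pseudosection line; the DO flag means +dnssec was actually sent.
EDNS_DO = re.compile(r"^; EDNS: .*flags:[^;]*\bdo\b")

# Constructed sample: what an unsigned zone answers (serial taken from the post).
UNSIGNED_SOA = """; <<>> DiG 9.20.0 <<>> @127.0.0.1 example.com soa +dnssec
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;example.com.\t\t\tIN\tSOA

;; ANSWER SECTION:
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2007126014 3600 900 1209600 300

;; Query time: 0 msec
"""

# Constructed sample: the same query against a signed zone. Key tag 12345 and
# the base64 signature are placeholders, not real values.
SIGNED_SOA = UNSIGNED_SOA.replace("ANSWER: 1", "ANSWER: 2").replace(
    ";; Query time",
    "example.com.\t\t3600\tIN\tRRSIG\tSOA 13 2 3600 20260501000000 20260417000000 "
    "12345 example.com. c29tZWJhc2U2NA==\n\n;; Query time",
)


def parse_answer_section(dig_output):
    """Return a list of (owner, type, rdata) for each record in ANSWER SECTION."""
    records = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):
            if in_answer:
                break  # the next ";;" header ends the answer section
            continue
        if not in_answer or not line.strip():
            continue
        m = RR_LINE.match(line)
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            records.append((owner, rtype, rdata))
    return records


def signed_rrsets(records):
    """Map (owner, type) -> True if an RRSIG at that owner covers that type."""
    covered = set()
    present = set()
    for owner, rtype, rdata in records:
        if rtype == "RRSIG":
            covered.add((owner, rdata.split()[0]))  # first RRSIG field: type covered
        else:
            present.add((owner, rtype))
    return {rrset: rrset in covered for rrset in sorted(present)}


def do_bit_set(dig_output):
    """True if the EDNS pseudosection shows the DO flag (the +dnssec request went out)."""
    return any(EDNS_DO.match(line) for line in dig_output.splitlines())


def zone_appears_signed(dig_output):
    """True only if every non-RRSIG RRset in the answer has a covering RRSIG."""
    status = signed_rrsets(parse_answer_section(dig_output))
    return bool(status) and all(status.values())


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SIGNED_SOA
    if not do_bit_set(text):
        print("warning: no DO flag in EDNS section; was +dnssec used?")
    for (owner, rtype), ok in signed_rrsets(parse_answer_section(text)).items():
        print(f"{owner} {rtype}: {'RRSIG present' if ok else 'NO RRSIG'}")
    print("zone appears signed" if zone_appears_signed(text)
          else "no DNSSEC signatures in answer")
```

An answer with DO set but no RRSIGs (the unsigned sample) is exactly the "No dnssec related entries" result described in the post: the server received the request for signatures but has none to return, which points at the signing side (keys, policy, or the signed copy of the zone) rather than at the query.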