Bind 9.20 inline signing - not signing whole file, only dynamic updated entries.
Richard T.A. Neal
richard at richardneal.com
Fri Apr 17 12:57:27 UTC 2026
Hi Benoit,
I'm a little late to the party on this discussion, but I wrote the following article a few years ago which explains how to set up DNSSEC, including zone signing, on BIND 9.19:
https://www.talkdns.com/articles/a-beginners-guide-to-dnssec-with-bind-9/
I haven't revalidated this against BIND 9.20 but it might help you work out what's going on in your setup. It also explains where the key files are stored.
Best,
Richard.
________________________________
From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Benoît Panizzon <benoit.panizzon at imp.ch>
Sent: 17 April 2026 13:04
To: Peter Davies <peterd at isc.org>
Cc: bind-users at lists.isc.org <bind-users at lists.isc.org>
Subject: Re: Bind 9.20 inline signing - not signing whole file, only dynamic updated entries.
Hi Peter
> Run from the primary what do the following commands return
> dig @127.0.0.1 example.com +dnssec
> dig @127.0.0.1 example.com soa +dnssec
No dnssec related entries.
I revisited https://kb.isc.org/docs/dnssec-key-and-signing-policy and
probably got confused by the statement that only adding:
dnssec-policy default;
would get an unsigned zone signed. Hey wait! No dnssec-keygen
to create the keys?
The default policy specifies what kind of keys to use etc. So maybe I
got too far and created keys which were not necessary? Would they be
created on the fly by what is specified in the policy?
So I went ahead, started over and deleted the keys I had manually
created with dnssec-keygen for that zone in /etc/bind/keys, which
had worked for dynamic updates.
Froze the zone / sync -clean zonefile, deleted the .signed files.
Incremented the serial in the plain unsigned file.
rndc reconfig
rndc thaw zone
(unsigned): loaded serial 2007126014
(signed): could not get zone keys for secure dynamic update
(signed): serial 2007126014 (unsigned 2007126014)
(signed): sending notifies (serial 2007126014)
Oh well, it needs the key files - at least for dynamic updates to work.
But why is it telling (signed)? Were the keys autocreated? Where?
Can't find them in /etc/bind/keys, nor in the Debian /var/cache/bind
directory where the zonefiles reside.
rndc signing -list still states "No signing records found"
I guess I'm missing some small crucial detail.
--
Kind regards
-Benoît Panizzon- @ HomeOffice and reachable as usual
--
I m p r o W a r e A G - Head of Commerce Customers
______________________________________________________
Zurlindenstrasse 29 Tel +41 61 826 93 00
CH-4133 Pratteln Fax +41 61 826 93 01
Switzerland Web http://www.imp.ch
______________________________________________________
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
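The checks Peter asked for and the "where are the keys" question above can be turned into a small verification script. This is an added example, not code from the thread, from ISC or from the article linked above. It assumes a BIND 9.20 primary answering on 127.0.0.1, a zone block that contains `dnssec-policy default;`, `inline-signing yes;` and `key-directory "/etc/bind/keys";` (with dnssec-policy, named generates its own keys into the configured key-directory, which defaults to the server's working directory), and that `dig` and `rndc` are on PATH. The zone name and key directory are placeholders; the dig output embedded in the script is constructed so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): confirm that an
# inline-signed zone actually serves RRSIGs and that named can see its keys.
# ZONE and KEYDIR are assumptions; adjust them to the zone and to the
# key-directory configured in named.conf.

ZONE="${ZONE:-example.com}"
KEYDIR="${KEYDIR:-/etc/bind/keys}"

# count_rrsig TYPE: read dig output on stdin and print how many RRSIG
# records cover the given RR type (dig prints: name TTL IN RRSIG TYPE ...).
count_rrsig() {
    awk -v t="$1" '$4 == "RRSIG" && $5 == t { c++ } END { print c + 0 }'
}

# is_signed TYPE: succeed only if at least one RRSIG covers TYPE.
is_signed() {
    [ "$(count_rrsig "$1")" -gt 0 ]
}

# summarize_keys: read dig output on stdin and report DNSKEY records by
# flags field (257 = KSK or CSK, 256 = ZSK).
summarize_keys() {
    awk '$4 == "DNSKEY" && $5 == 257 { k++ }
         $4 == "DNSKEY" && $5 == 256 { z++ }
         END { printf "ksk_or_csk=%d zsk=%d\n", k + 0, z + 0 }'
}

# check_zone: the live checks against the primary. Nothing here modifies
# the zone; it only queries and lists state.
check_zone() {
    soa=$(dig @127.0.0.1 "$ZONE" soa +dnssec +norecurse)
    if printf '%s\n' "$soa" | is_signed SOA; then
        echo "OK: SOA of $ZONE is signed"
    else
        echo "WARN: no RRSIG covering SOA of $ZONE (zone is served unsigned)"
    fi

    keys=$(dig @127.0.0.1 "$ZONE" dnskey +dnssec +norecurse)
    echo "DNSKEY summary: $(printf '%s\n' "$keys" | summarize_keys)"

    # Key files written by dnssec-policy live in key-directory and are
    # named K<zone>.+<alg>+<keyid>.key / .private / .state.
    echo "Key files in $KEYDIR:"
    ls "$KEYDIR"/K"$ZONE".+*.key 2>/dev/null || echo "  (none found)"

    # Policy-driven state as named sees it.
    rndc dnssec -status "$ZONE"
    rndc signing -list "$ZONE"
}

# Constructed dig output for offline testing of the parsers (not real data).
sample_signed() {
    cat <<'EOF'
;; ANSWER SECTION:
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2007126014 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20260501000000 20260417000000 12345 example.com. CONSTRUCTED-SIGNATURE==
example.com. 3600 IN DNSKEY 257 3 13 CONSTRUCTED-KSK-PUBLIC-KEY==
example.com. 3600 IN DNSKEY 256 3 13 CONSTRUCTED-ZSK-PUBLIC-KEY==
EOF
}

sample_unsigned() {
    cat <<'EOF'
;; ANSWER SECTION:
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2007126014 7200 3600 1209600 3600
EOF
}

# Run the live checks only when asked for explicitly: ./check.sh live
if [ "${1:-}" = "live" ]; then
    check_zone
fi
```

Run it as `ZONE=yourzone.example KEYDIR=/etc/bind/keys sh check.sh live` on the primary. If the SOA query shows no RRSIG while named logs a "(signed)" view, compare the `rndc dnssec -status` output and the key-file listing: a policy-managed zone that cannot find or create keys in key-directory will not produce signatures, and the `ls` line makes it obvious which directory named is actually using.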