Bind 9.20 inline signing - not signing whole file, only dynamic updated entries.

Peter Davies peterd at isc.org
Fri Apr 17 13:11:13 UTC 2026


Hi Benoît,
If you are using the “default” dnssec-policy and there are no keys, BIND will attempt to create them automatically if it can.

You should see the private, key, and state files that look something like this in the key-directory:
Kexample.com.+013+?????.key
Kexample.com.+013+?????.private
Kexample.com.+013+?????.state

With dnssec logging configured with severity "info" you should see something similar to:
17-Apr-2026 12:53:38.469 dnssec: info: zone example.com/IN (signed): reconfiguring zone keys
17-Apr-2026 12:53:38.470 dnssec: info: keymgr: DNSKEY example.com/ECDSAP256SHA256/23930 (CSK) created for policy default
17-Apr-2026 12:53:38.471 dnssec: info: Fetching example.com/ECDSAP256SHA256/23930 (CSK) from key repository.
17-Apr-2026 12:53:38.471 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/23930 (CSK) is now published
17-Apr-2026 12:53:38.471 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/23930 (CSK) is now active
17-Apr-2026 12:53:38.572 dnssec: info: zone example.com/IN (signed): next key event: 17-Apr-2026 14:58:38.469

The rndc commands to check the status of a signed zone are:
  rndc dnssec -status example.com
  rndc zonestatus example.com

/Peter

On 17/04/2026 11.37, Benoît Panizzon wrote:
> Hi Bind gang!
>
> After upgrading to 9.20 I disabled default inline signing to get my
> stuff working again.
>
> Now I decided having a shot at inline signing but despite trying to
> follow different guides I always get stuck at the same place.
>
> I have an unsigned zone file, keys with correct permissions etc.
>
> zone "example.com" {
>          type master;
>          file "example.com";
>          allow-update {
>                  key update-key;
>          };
>          allow-transfer { secondaries; };
>          dnssec-policy default;
>          key-directory "/etc/bind/keys";
> };
>
> When I issue rndc reconfig after this, I see those lines in the log,
> which to me, look good...
>
> (unsigned): loaded serial 2007126012
> (signed): serial 2007126013 (unsigned 2007126012)
> (signed): sending notifies (serial 2007126013)
>
> example.com.signed
> example.com.signed.jnl
>
> were created.
>
> But when I check the zone on the secondaries, it's not signed. Same when
> I get the zone by doing an AXFR from the primary - no RRSIG entries.
>
> When I issue rndc signing -list example.com I get
>
> No signing records found
>
> according to the examples, I should get 'done signing'.
>
> I tried: rndc sign example.com to force sign the zone. Nothing changes.
>
> When I add an entry with nsupdate then that one entry is signed and the
> SOA also is getting signed as the serial incremented.
>
> What could I be missing?
>
-- 
Peter Davies
Support Engineer
Internet Systems Corporation
peterd at isc.org
001 650-423-1460
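The two checks Peter describes (a complete .key/.private/.state triplet per key in the key-directory, and the keymgr DNSKEY state lines in the dnssec log) can be run as an offline audit before reaching for rndc. This is an added example, not ISC's code or anything posted in the thread: the file-name and log-line patterns follow the examples quoted in the reply, the directory listing and log lines are constructed (and unwrapped), and the algorithm-number table is an assumption.

```python
import re
from collections import defaultdict

# BIND key file names: K<zone>.+<alg>+<keytag>.{key,private,state}
KEYFILE_RE = re.compile(
    r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(?P<ext>key|private|state)$")
# keymgr state lines, as in the log quoted above (format assumed from that sample)
DNSKEY_LOG_RE = re.compile(
    r"dnssec: info: DNSKEY (?P<zone>\S+)/(?P<algname>\S+)/(?P<tag>\d+) \((?P<role>\w+)\) is now (?P<state>\w+)")
# Assumed mapping of DNSSEC algorithm numbers to the mnemonics BIND logs
ALGORITHMS = {"008": "RSASHA256", "013": "ECDSAP256SHA256", "014": "ECDSAP384SHA384", "015": "ED25519"}
REQUIRED_EXTS = {"key", "private", "state"}

def parse_key_filename(name):
    """Split a BIND key file name into zone, algorithm, key tag and extension; None if not a key file."""
    m = KEYFILE_RE.match(name)
    if not m:
        return None
    d = m.groupdict()
    d["algname"] = ALGORITHMS.get(d["alg"], "unknown")
    return d

def audit_key_directory(filenames, zone):
    """Map (alg, tag) of every key for `zone` to the list of required files it is missing."""
    found = defaultdict(set)
    for name in filenames:
        k = parse_key_filename(name)
        if k and k["zone"] == zone:
            found[(k["alg"], k["tag"])].add(k["ext"])
    return {key: sorted(REQUIRED_EXTS - exts) for key, exts in found.items()}

def dnskey_states(log_lines, zone):
    """Latest keymgr state (published/active/...) per 5-digit key tag for `zone`."""
    states = {}
    for line in log_lines:
        m = DNSKEY_LOG_RE.search(line)
        if m and m.group("zone") == zone:
            states[m.group("tag").zfill(5)] = m.group("state")
    return states

def cross_check(filenames, log_lines, zone):
    """Keys the log reports as published/active that lack a complete file set on disk."""
    on_disk = {tag: missing for (_alg, tag), missing in audit_key_directory(filenames, zone).items()}
    problems = []
    for tag, state in dnskey_states(log_lines, zone).items():
        if tag not in on_disk:
            problems.append(f"key {tag} is {state} in log but has no files in key-directory")
        elif on_disk[tag]:
            problems.append(f"key {tag} is {state} in log but missing {on_disk[tag]}")
    return problems

# Constructed sample input: one complete key and one with only its .key file
SAMPLE_FILES = ["Kexample.com.+013+23930.key", "Kexample.com.+013+23930.private",
                "Kexample.com.+013+23930.state", "Kexample.com.+013+41111.key", "example.com.signed"]
SAMPLE_LOG = [
    "17-Apr-2026 12:53:38.471 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/23930 (CSK) is now published",
    "17-Apr-2026 12:53:38.471 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/23930 (CSK) is now active",
    "17-Apr-2026 12:53:38.480 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/41111 (CSK) is now published",
]
```

Run it against `os.listdir(key_directory)` and the dnssec log category to get a list of keys whose on-disk state does not match what the keymgr believes; an empty list means the key-directory is consistent and the remaining question is signing, which `rndc dnssec -status` answers.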
