Bind 9.20 inline signing - not signing whole file, only dynamic updated entries.

Benoît Panizzon benoit.panizzon at imp.ch
Fri Apr 17 13:34:41 UTC 2026


Hi Richard & all

> I'm a little late to the party on this discussion, but I wrote the
> following article a few years ago which explains how to setup DNSSEC
> ,including zone signing, on BIND 9.19:
> 
> https://www.talkdns.com/articles/a-beginners-guide-to-dnssec-with-bind-9/
> 
> I haven't revalidated this against BIND 9.20 but it might help you
> work out what's going on in your setup. It also explains where the
> key files are stored.

Thank you, very appreciated. I just read your instructions.

Just to be sure, when using inline signing, I don't need to create keys
for the zone, those should be automatically created, right?

This still does not happen. A possible culprit after reading your guide:
apparmor! aa-teardown, retrying.

Still no joy!

Well let's disclose the actual zone, nothing that sensitive there after
all :-)

Apr 17 15:18:09 magma named[2264557]: received control channel command 'thaw 0-31.57.161.157.in-addr.arpa'
Apr 17 15:18:09 magma named[2264557]: thawing zone '0-31.57.161.157.in-addr.arpa/IN': success
Apr 17 15:18:09 magma named[2264557]: zone 0-31.57.161.157.in-addr.arpa/IN (unsigned): loaded serial 2007126016
Apr 17 15:18:09 magma named[2264557]: zone 0-31.57.161.157.in-addr.arpa/IN (signed): could not get zone keys for secure dynamic update
Apr 17 15:18:09 magma named[2264557]: zone 0-31.57.161.157.in-addr.arpa/IN (signed): serial 2007126016 (unsigned 2007126016)
Apr 17 15:18:09 magma named[2264557]: zone 0-31.57.161.157.in-addr.arpa/IN (signed): sending notifies (serial 2007126016)

options {
...
        directory "/var/cache/bind";
        key-directory "/etc/bind/keys";
...
}

zone "0-31.57.161.157.in-addr.arpa" {
        type master;
        file "woody.ch.rev";
        allow-update {
                key woody-update;
        };
        allow-transfer { secondaries; };
        dnssec-policy default;
};

-rw-r--r-- 1 bind bind  2029 17. Apr 15:18 /var/cache/bind/woody.ch.rev
-rw-r--r-- 1 bind bind   712 17. Apr 15:18 /var/cache/bind/woody.ch.rev.jnl
-rw-r--r-- 1 bind bind  2674 17. Apr 15:17 /var/cache/bind/woody.ch.rev.signed
-rw-r--r-- 1 bind bind   712 17. Apr 15:18 /var/cache/bind/woody.ch.rev.signed.jnl

# rndc signing -list 0-31.57.161.157.in-addr.arpa
No signing records found

So... it looks like the signed files are being created.

But, even after tearing down AA I can't find autogenerated key files,
neither in /etc/bind/keys nor in /var/cache/bind, which could be used
for dynamic updates or to generate the upstream DS records from.

Sidenote: I am aware that the trust chain is broken because
161.157.in-addr.arpa is not (yet) signed, a zone with hundreds of
include files. But this exercise is the start of it. If inline signing
works as I expect, we could finally just enable signing and not have to
try to find a way to actually manually sign that hell of a zone.

-- 
Kind regards

-Benoît Panizzon- @ HomeOffice and normally reachable
-- 
I m p r o W a r e   A G    -    Head of Commerce Customers
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Switzerland                     Web  http://www.imp.ch
______________________________________________________
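The post above looks for autogenerated key files that would be needed for secure dynamic updates and for deriving the DS records. Below is an added diagnostic script, not code from the thread or from BIND, that scans a key-directory for key files of one zone and classifies them by the DNSKEY flags field (257 = KSK, 256 = ZSK); the sample key files it builds are constructed, with placeholder key material, and the directory paths are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): count KSK/ZSK key files that BIND
# would have generated for a zone under dnssec-policy, using the file naming
# convention K<zone>.+<alg>+<keyid>.key and the DNSKEY RR text format.

# find_zone_keys KEYDIR ZONE -> prints "<ksk_count> <zsk_count>" on stdout,
# one line per key file on stderr. Both counts at 0 means the zone has no
# keys in that directory, which matches "could not get zone keys".
find_zone_keys() {
    keydir=$1
    zone=${2%.}                     # strip a trailing dot, if given
    ksk=0; zsk=0
    for f in "$keydir"/K"$zone".+*+*.key; do
        [ -f "$f" ] || continue     # unmatched glob stays literal; skip it
        # Non-comment line looks like: <owner> [TTL] IN DNSKEY <flags> 3 <alg> <key>
        flags=$(awk '!/^;/ { for (i = 1; i <= NF; i++)
                              if ($i == "DNSKEY") { print $(i+1); exit } }' "$f")
        case $flags in
            257) ksk=$((ksk + 1)); echo "KSK (use for DS): $f" >&2 ;;
            256) zsk=$((zsk + 1)); echo "ZSK: $f" >&2 ;;
            *)   echo "unrecognised flags '$flags': $f" >&2 ;;
        esac
    done
    echo "$ksk $zsk"
}

# make_sample_keydir -> prints the path of a temp dir holding two constructed
# key files (placeholder key material, not real keys) for the zone from the post.
make_sample_keydir() {
    dir=$(mktemp -d)
    zone=0-31.57.161.157.in-addr.arpa
    cat > "$dir/K$zone.+013+12345.key" <<EOF
; This is a key-signing key, keyid 12345, for $zone.
$zone. IN DNSKEY 257 3 13 PLACEHOLDERKSKMATERIAL==
EOF
    cat > "$dir/K$zone.+013+54321.key" <<EOF
; This is a zone-signing key, keyid 54321, for $zone.
$zone. IN DNSKEY 256 3 13 PLACEHOLDERZSKMATERIAL==
EOF
    echo "$dir"
}

# Stand-alone run: inspect the constructed directory, then a real one if given.
demo_dir=$(make_sample_keydir)
echo "sample dir: $(find_zone_keys "$demo_dir" 0-31.57.161.157.in-addr.arpa)"
rm -rf "$demo_dir"
[ -n "${1:-}" ] && echo "$1: $(find_zone_keys "$1" "${2:-0-31.57.161.157.in-addr.arpa}")"
```

Run it as `sh check_keys.sh /etc/bind/keys 0-31.57.161.157.in-addr.arpa` to check the real key-directory from the post; the KSK lines on stderr are the files `dnssec-dsfromkey` would take as input.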
