Debug logging for auto-dnssec inline signing
Tony Finch
dot at dotat.at
Mon Nov 11 12:45:16 UTC 2019
Matthew Richardson <matthew-l at itconsult.co.uk> wrote:
> What "category" should one be logging in order to get details of DNSSEC
> inline signing when running Bind 9.8.11?
I guess you mean 9.11.8 :-) The 9.8 branch ended with 9.8.8 and it has
been unsupported for ages.
Yes, there is not very much logging automatic zone signing. I think that
has been improved a bit in 9.15 but I haven't looked at it in detail.
> I have an authoratitive master server with a number of domains set with:-
>
> inline-signing yes;
> auto-dnssec maintain;
>
> and have a suspicion that Bind has simply stopped re-signing most of them.
There have been some bugs in this area which were fixed in 9.13.3 and that
don't appear in the 9.11 branch - but I don't know if the fixes are
relevant to 9.11.
See changes 5015, 5014, 5004
https://gitlab.isc.org/isc-projects/bind9/blob/v9_13_3/CHANGES
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Shetland Isles: East 5 to 7, backing northeast 6 to gale 8. Moderate or rough,
becoming rough or very rough later, occasionally high in west. Rain or
showers. Moderate or good, occasionally poor.
More information about the bind-users
mailing list