Problem with zone resigning in 9.7.0

Roy Badami roy at gnomon.org.uk
Wed Mar 24 19:30:55 UTC 2010


I have a zone which is DNSSEC signed and is configured as a dynamic
zone (although in practice dynamic updates are not normally used on
this zone).  AIUI BIND 9.7.0 should automatically resign the zone as
required as long as the keys are available to it.

However, what I actually found is that although all the RRSIG RRs
that signed the zone with the ZSK were automagically regenerated by
BIND, the RRSIG RR that signs the DNSKEY RRset with the KSK was
allowed to expire.  All keys were available to BIND, and the zone was
successfully resigned just by running dnssec-signzone over the zone
with no arguments (except for the zone file name).

Should I expect this to work?  Is there anything special I need to set
in the config to get BIND to automatically resign the DNSKEY RRset
with the KSK as well as the ZSK?

Thanks in advance,

       -roy
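
An added example, not part of the original post and not BIND's own code: a monitoring check that reads RRSIG records in `dig +dnssec` presentation format and reports expiry per signing key, so a stale KSK signature over the DNSKEY RRset is flagged even when the ZSK signatures are fresh. The zone name, key tags, signatures and clock are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in `dig +dnssec` presentation format (RFC 4034 RRSIG
# fields). Key tag 11111 stands in for a KSK, 22222 for a ZSK; both are
# placeholders, as are the base64 signatures.
SAMPLE = """\
example.test. 3600 IN RRSIG DNSKEY 5 2 3600 20100324120000 20100222120000 11111 example.test. c2lnMQ==
example.test. 3600 IN RRSIG DNSKEY 5 2 3600 20100420120000 20100321120000 22222 example.test. c2lnMg==
example.test. 3600 IN RRSIG SOA 5 2 3600 20100420120000 20100321120000 22222 example.test. c2lnMw==
www.example.test. 3600 IN RRSIG A 5 3 3600 20100420120000 20100321120000 22222 example.test. c2lnNA==
"""

def sig_time(field):
    """RFC 4034 allows YYYYMMDDHHmmSS (UTC) or seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def rrsig_status(text, now, margin=timedelta(days=7)):
    """Return one row per RRSIG: (owner, type covered, key tag, state)."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # owner TTL class RRSIG covered alg labels origttl expire incept tag signer sig
        if len(f) < 13 or f[3].upper() != "RRSIG":
            continue
        expires = sig_time(f[8])
        if expires <= now:
            state = "EXPIRED"
        elif expires - now <= margin:
            state = "EXPIRING"
        else:
            state = "ok"
        rows.append((f[0], f[4], int(f[10]), state))
    return rows

def alerts(text, now, margin=timedelta(days=7)):
    """Signatures needing attention, judged per signing key, not per RRset."""
    return [r for r in rrsig_status(text, now, margin) if r[3] != "ok"]

if __name__ == "__main__":
    now = datetime(2010, 3, 24, 19, 30, 55, tzinfo=timezone.utc)  # constructed clock
    for owner, covered, tag, state in alerts(SAMPLE, now):
        print(f"{state}: RRSIG({covered}) at {owner} by key tag {tag}")
```

A check that only looks at one RRset such as SOA, or accepts any unexpired signature on the DNSKEY RRset, would report this sample as healthy.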


