bind makes RRSIG disappear?

Gilles Massen gilles.massen at restena.lu
Sun Feb 6 19:37:22 UTC 2011


Chris,

thanks for the hint, but:


On 6/2/11 19:20 , Chris Thompson wrote:
> On Feb 6 2011, Gilles Massen wrote:
>
>> I have a very peculiar behavior: a zone, signed by OpenDNSSEC and
>> pushed to Bind 9.7.2-P3 by scp was working fine. But now, completely
>> out of the blue, Bind decides to claim some authority over the zone:
>> the SOA RRSIG (only that one) is scrapped, and this is logged:

[...]

> Presumably you are defining the zone to BIND as "type master".

Yes.

> Does your configuration also have an "allow-update" setting
> (other than "none") for it, maybe only for the instance that
> is giving you trouble? In that case BIND will take it that you
> want it to do resigning as the RRSIGs approach expiry.

The only allow-update is in the options section, and none.

BTW, the config has not changed in months, only the zone got signed.
Besides, at least the SOA RRSIG is pretty recent. Other
signatures that disappear are still 7 days from expiry.

Best,
Gilles




