bind makes RRSIG disappear?
Mark Andrews
marka at isc.org
Sun Feb 6 21:18:51 UTC 2011
In message <4D4EF872.6070302 at restena.lu>, Gilles Massen writes:
> Chris,
>
> thanks for the hint, but:
>
>
> On 6/2/11 19:20 , Chris Thompson wrote:
> > On Feb 6 2011, Gilles Massen wrote:
> >
> >> I have a very peculiar behavior: a zone, signed by OpenDNSSEC and
> >> pushed to Bind 9.7.2-P3 by scp was working fine. But now, completely
> >> out of the blue, Bind decides to claim some authority over the zone:
> >> the SOA RRSIG (only that one) is scrapped, and this is logged:
>
> [...]
>
> > Presumably you are defining the zone to BIND as "type master".
>
> Yes.
>
> > Does your configuration also have an "allow-update" setting
> > (other than "none") for it, maybe only for the instance that
> > is giving you trouble? In that case BIND will take it that you
> > want it to do resigning as the RRSIGs approach expiry.
>
> The only allow-update is in the options section, and none.

Get rid of the allow-update and allow the default of no acl to work.

> BTW, the config has not changed in months, only the zone got only
> signed. Besides, at least the SOA RRSIG is pretty recent. Other
> signatures that disappear are still 7 days from expiry.
>
> Best,
> Gilles
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org