bind makes RRSIG disappear?

Mark Andrews marka at isc.org
Sun Feb 6 21:41:55 UTC 2011


Mark Andrews writes:
> 
> In message <4D4EF872.6070302 at restena.lu>, Gilles Massen writes:
> > Chris,
> > 
> > thanks for the hint, but:
> > 
> > 
> > On 6/2/11 19:20 , Chris Thompson wrote:
> > > On Feb 6 2011, Gilles Massen wrote:
> > >
> > >> I have a very peculiar behavior: a zone, signed by OpenDNSSEC and
> > >> pushed to Bind 9.7.2-P3 by scp was working fine. But now, completely
> > >> out of the blue, Bind decides to claim some authority over the zone:
> > >> the SOA RRSIG (only that one) is scrapped, and this is logged:
> > 
> > [...]
> > 
> > > Presumably you are defining the zone to BIND as "type master".
> > 
> > Yes.
> > 
> > > Does your configuration also have an "allow-update" setting
> > > (other than "none") for it, maybe only for the instance that
> > > is giving you trouble? In that case BIND will take it that you
> > > want it to do resigning as the RRSIGs approach expiry.
> > 
> > The only allow-update is in the options section, and none.
> 
> Get rid of the allow-update and allow the default of no acl to work.

The test that decides that the zone may need to be re-signed doesn't
take the "none;" acl into account.  Currently it is
"if (acl != NULL || ssu != NULL)" and should become
"if ((acl != NULL && !isnone(acl)) || ssu != NULL)".

Mark

> > BTW, the config has not changed in months, only the zone got
> > signed. Besides, at least the SOA RRSIG is pretty recent. Other
> > signatures that disappear are still 7 days from expiry.
> > 
> > Best,
> > Gilles
> > 
> > 
> > _______________________________________________
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
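To make the quoted one-line fix concrete, here is a small constructed model (not BIND's source) of the "may this zone need re-signing" decision, with the old predicate and the corrected one from the message above side by side; the `acl_t` layout and `acl_isnone()` are assumptions that model `none` as an address match list which can never match.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of a BIND-style address match list ("acl").
 * Not BIND's own code; only the shape of the check is taken from the mail. */
typedef enum { ELEM_ANY, ELEM_NETWORK } elem_kind_t;

typedef struct {
    elem_kind_t kind;
    bool negative;   /* "!any", "!10.0.0.0/8" */
} acl_elem_t;

typedef struct {
    const acl_elem_t *elems;
    size_t length;
} acl_t;

/* An acl is "none" when it can never match: it has no elements,
 * or its only element is a negated "any" (how "none" is usually spelled). */
static bool acl_isnone(const acl_t *acl) {
    if (acl->length == 0)
        return true;
    return acl->length == 1 &&
           acl->elems[0].kind == ELEM_ANY &&
           acl->elems[0].negative;
}

/* Old test as quoted in the mail: any configured acl counts, so
 * "allow-update { none; };" in options still enables re-signing. */
static bool may_resign_old(const acl_t *acl, const void *ssu) {
    return acl != NULL || ssu != NULL;
}

/* Corrected test: an acl that is "none" must not enable re-signing;
 * an update-policy (ssu) table still does. */
static bool may_resign_fixed(const acl_t *acl, const void *ssu) {
    return (acl != NULL && !acl_isnone(acl)) || ssu != NULL;
}

/* Sample configurations (constructed). */
static const acl_elem_t none_elems[] = { { ELEM_ANY, true } };  /* allow-update { none; }; */
static const acl_elem_t any_elems[]  = { { ELEM_ANY, false } }; /* allow-update { any; };  */
static const acl_t acl_none  = { none_elems, 1 };
static const acl_t acl_any   = { any_elems, 1 };
static const acl_t acl_empty = { NULL, 0 };
static const int ssu_table_present = 1; /* stands in for a non-NULL update-policy table */
```

With `allow-update { none; };` the old predicate still says "yes", which matches the behaviour reported in the thread; the corrected predicate only answers "yes" for an acl that can actually match or for an update-policy.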