bind makes RRSIG disappear?

Gilles Massen gilles.massen at restena.lu
Mon Feb 7 21:24:35 UTC 2011


Evan,

Thanks for outlining this - it's much clearer now.

> BIND will try to maintain the signatures in a zone if the zone is
> configured to be dynamic--i.e, if it has an update-policy or allow-update
> option.  It won't create signatures where there were none, but it will try
> to keep existing RRSIGs up to date for you.

Not that I would need it, but doesn't this prevent someone from 
dynamically updating (including signatures) a signed zone?

> The "auto-dnssec" option relates to automated changes based on timing
> metadata stored with the key.  For example, you can schedule a key to be
> published on a certain date, and named will insert the DNSKEY record into
> the zone at the right time; or, you can schedule a key to become active,
> and named will start signing with it.  But routine RRSIG maintenance
> happens in *any* dynamic zone, with or without "auto-dnssec".
>
> Having RRSIGs disappear from a zone when there's no private key available
> for re-signing is probably a problem (at least, it would seem to violate
> the principle of least astonishment).  I'll look into that.

I'd see this as a symptom: I would really prefer if this kind of magic 
only kicked in if explicitly enabled. Or, if that's not possible for 
usability reasons, have a config switch like "don't touch my data - ever".

Best,
Gilles

--
Fondation RESTENA
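For readers following the thread, here is an added named.conf fragment (not from the original message, nor BIND's own documentation) that contrasts the two zone configurations the discussion turns on: a static zone, which named serves verbatim, and a dynamic zone, which Evan's explanation says is enough on its own for named to refresh existing RRSIGs. Zone names, file names and the key directory are constructed placeholders.

```conf
# Added example: two BIND 9 zone declarations showing when named will
# touch RRSIGs on its own. Paths and zone names are constructed.

options {
    directory "/var/named";                 # placeholder working directory
};

# 1) Static zone: no allow-update and no update-policy.
#    named serves the signed file as-is and never rewrites RRSIGs in it.
#    Signatures that reach their expiry simply go stale until the zone
#    is re-signed offline (e.g. dnssec-signzone) and reloaded.
zone "static.example" {
    type master;
    file "static.example.signed";           # output of an offline signer
};

# 2) Dynamic zone: update-policy (or allow-update) is what makes it dynamic.
#    As described in the thread, this alone causes named to refresh
#    existing RRSIGs as they approach expiry, provided the matching
#    private keys are readable in key-directory. If the private keys are
#    missing, the vanishing-signature behaviour reported above is the
#    symptom to watch for.
zone "dynamic.example" {
    type master;
    file "dynamic.example.db";
    key-directory "/var/named/keys";        # placeholder; holds K<zone>.+alg+id.private
    update-policy local;                    # accept updates signed with the local session key
    # auto-dnssec is NOT needed for RRSIG refresh. Enabling it adds the
    # key-timing automation (publish/activate dates from the key files):
    # auto-dnssec maintain;
};
```

To see whether named is actively maintaining signatures for a zone, `rndc signing -list dynamic.example` reports the zone's signing state, and `dnssec-settime -p all Kdynamic.example.+008+NNNNN.key` (constructed key file name) prints the timing metadata that `auto-dnssec` acts on. Note that `auto-dnssec` itself only applies to a zone that is dynamic in the above sense, so it cannot be used to opt out of the refresh behaviour; in later BIND releases (9.9 and up), `inline-signing yes;` is the closest thing to the "don't touch my data" switch asked for above, since it keeps the operator's zone file unsigned and maintains the signed copy in a separate file.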
