bind makes RRSIG disappear?

Evan Hunt each at isc.org
Mon Feb 7 21:41:41 UTC 2011


> >BIND will try to maintain the signatures in a zone if the zone is
> >configured to be dynamic--i.e, if it has an update-policy or allow-update
> >option.  It won't create signatures where there were none, but it will try
> >to keep existing RRSIGs up to date for you.
> 
> Not that I would need it, but doesn't this prevent someone from 
> dynamically updating (including signatures) a signed zone?

The reasoning is that if the zone is dynamic and named can see your private
key, then that's a hint that you would like named to keep your signatures
from expiring.  (Because after all, why wouldn't you?)

But, even if the zone is dynamic, if named can't see the private key, then
it should leave your RRSIGs alone.  If that's not how it's behaving, that's
a bug, and we'll address it very soon.

> I'd see this as a symptom: I would really prefer if this kind of magic 
> only kicked in if explicitly enabled. Or, if that's not possible for 
> usability reasons, have a config switch like "don't touch my data - ever".

I agree that option would be a good thing to have.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
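Whichever way named behaves, the operational question behind the thread subject is whether the signatures actually in the zone are still valid and how close they are to expiring. The following is an added example, not code from ISC, BIND, or anyone in this thread: it parses the one-record-per-line output of `dig +dnssec` (the `+multi` wrapped form is not handled), pulls the expiration and inception fields out of each RRSIG per the RFC 4034 presentation format, and classifies every signature relative to a reference time. The sample records, the placeholder signature data, and the seven-day warning threshold are all constructed assumptions.

```python
"""Check RRSIG expiry in dig +dnssec output.

Added example for this thread; not code from ISC or from BIND.  The sample
records below are constructed, and the seven-day warning threshold is an
assumption, not anything the thread specifies.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample in the form `dig +dnssec` prints one record per line
# (not +multi, which wraps RRSIGs over several lines).  The signature
# field at the end of each RRSIG is a placeholder.
SAMPLE = """\
example.com.     3600 IN SOA   ns1.example.com. hostmaster.example.com. 2011020701 7200 3600 1209600 3600
example.com.     3600 IN RRSIG SOA 8 2 3600 20110307204141 20110205204141 12345 example.com. QUJD...
example.com.     3600 IN RRSIG NS 8 2 3600 20110210000000 20110111000000 12345 example.com. REVG...
www.example.com.  300 IN RRSIG A 8 3 300 20110301120000 20110130120000 12345 example.com. R0hJ...
mail.example.com. 300 IN RRSIG MX 8 3 300 20110201000000 20110102000000 12345 example.com. Sktt...
"""

# Reference time for the demo: the date of the mail above (assumed UTC).
MAIL_DATE = datetime(2011, 2, 7, 21, 41, 41, tzinfo=timezone.utc)


def parse_rrsig_time(s):
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Return one dict per RRSIG line; every other record type is ignored."""
    sigs = []
    for line in text.splitlines():
        f = line.split()
        # Field layout of a dig output line:
        # owner ttl class RRSIG covered alg labels orig-ttl expiration
        # inception keytag signer signature
        if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
            continue
        sigs.append({
            "owner": f[0],
            "covered": f[4],
            "expiration": parse_rrsig_time(f[8]),
            "inception": parse_rrsig_time(f[9]),
            "keytag": int(f[10]),
            "signer": f[11],
        })
    return sigs


def classify(sig, now, within):
    """Status of one signature relative to `now`."""
    if sig["expiration"] <= now:
        return "expired"          # validators already reject this RRset
    if sig["inception"] > now:
        return "not-yet-valid"    # clock skew or a pre-published signature
    if sig["expiration"] - now <= within:
        return "expiring"         # re-sign (or check that named is doing so)
    return "ok"


def check_rrsigs(text, now, within=timedelta(days=7)):
    """Map (owner, covered type) -> status for every RRSIG in `text`."""
    return {(s["owner"], s["covered"]): classify(s, now, within)
            for s in parse_rrsigs(text)}


if __name__ == "__main__":
    for (owner, covered), status in sorted(check_rrsigs(SAMPLE, MAIL_DATE).items()):
        print(f"{status:14} {owner} RRSIG {covered}")
```

Run against live data by piping `dig +dnssec +noall +answer <name> <type> @<server>` into the script in place of the constructed sample; on a zone that named is supposed to be maintaining, anything reported as "expiring" or "expired" means the automatic re-signing described above is not happening and the zone needs attention before validators start failing it.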