OT: Bind 9.9.0B1 Inline-Signing Question

Evan Hunt each at isc.org
Thu Nov 10 22:16:37 UTC 2011


> I know that this isn't the forum for betas

Sure it is. :)

> We have been testing with the alphas and now with the beta. What we are
> seeing is that whenever named starts, it initially creates the signed
> static zone file, but never really finishes.

What do you mean by "never really finishes"?

What are the options that are set for the static zone?  You should have
these:

        auto-dnssec maintain;
        inline-signing yes;
        key-directory "<dir>";

...with <dir> set to the location of the DNSSEC signing keys for your
zone, including at least one KSK and one ZSK, both of which are set to
be published and active.

> 10-Nov-2011 14:38:14.766 general: error: zone xxxxxx.org/IN (signed): not loaded due to errors.
[...]
> 10-Nov-2011 14:38:14.768 general: info: zone xxxxxx.org/IN (signed): loaded serial 2011110905

There are two versions of the xxxxx.org zone.  One is the "unsigned"
(or "raw") version, which holds the data loaded from your master file.  The
other is the "signed" version, which contains a copy of the raw version
*plus* all the DNSSEC data; this is the one that answers queries.

If you configure zone xxxxxx.org to use the masterfile "xxxxxx.db", then the
unsigned version of the zone is loaded from that file.  The signed version
of the zone will be loaded from "xxxxxx.org.signed".

The error referred to in the first log message above is probably that
"xxxxxx.org.signed" doesn't exist.  Since there's no masterfile to load
the signed version of the zone from, named will go about creating one for
you.  So the error being logged isn't really an error, it just looks like
one; we should probably see about silencing it.

At this point, named walks through the unsigned version of the zone, adds
RRSIG and NSEC records, and generates a delta which is then applied to the
signed version of the zone.  After that, the signed version of the zone is
fully populated and ready to answer queries.  You should then be able to
run "dig +dnssec @localhost xxxxxx.org dnskey" and see your signing keys
and their signatures.  (If you don't, I'd check to make sure your keys
are in the right place, accessible to named, and published and active.)

The next time you start your server up, the "not loaded due to errors"
message should have gone away.  (If it hasn't, then something may have
prevented the signed zone's masterfile from being created properly,
and I would check directory permissions.)

When you modify your static zone file and run 'rndc reload', named
will detect the changes that you've made via the same mechanism as
ixfr-from-differences, generate signatures for the new records, and
add those to the signed version of the zone automatically.

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
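As an added example (not code from the post or from ISC), here is a small Python checker for the key-directory requirement described above: it reads the K*.key/.private pairs as dnssec-keygen writes them (DNSKEY flags 257 = KSK, 256 = ZSK; Publish/Activate/Inactive/Delete timing lines in the .private file) and reports whether at least one KSK and one ZSK are both published and active. The zone name, key-ids and key data in the sample directory are constructed.

```python
import os, re, tempfile
from datetime import datetime, timezone

TS_RE = re.compile(r"^(Publish|Activate|Inactive|Delete):\s*(\d{14})", re.M)
DNSKEY_RE = re.compile(r"^\S+\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s", re.M)

def _ts(s):  # key timing metadata is YYYYMMDDHHMMSS, UTC
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def key_states(key_dir, now=None):
    """Map each K*.key basename to its role and whether it is published and
    active at `now` (a YYYYMMDDHHMMSS string; default: current UTC time)."""
    now = _ts(now) if now else datetime.now(timezone.utc)
    states = {}
    for name in sorted(os.listdir(key_dir)):
        if not (name.startswith("K") and name.endswith(".key")):
            continue
        with open(os.path.join(key_dir, name)) as f:
            m = DNSKEY_RE.search(f.read())
        if not m:
            continue
        timing, priv = {}, os.path.join(key_dir, name[:-4] + ".private")
        if os.path.exists(priv):  # without the .private file named cannot sign
            with open(priv) as f:
                timing = {k: _ts(v) for k, v in TS_RE.findall(f.read())}
        def live(start, end):  # start date reached, end date (if set) not yet
            return (start in timing and timing[start] <= now
                    and not (end in timing and timing[end] <= now))
        states[name[:-4]] = {"role": "KSK" if int(m.group(1)) & 1 else "ZSK",  # SEP bit
                             "published": live("Publish", "Delete"),
                             "active": live("Activate", "Inactive")}
    return states

def ready_for_inline_signing(key_dir, now=None):
    """True when at least one KSK and one ZSK are both published and active."""
    usable = {s["role"] for s in key_states(key_dir, now).values()
              if s["published"] and s["active"]}
    return {"KSK", "ZSK"} <= usable

def build_sample_dir(zsk_extra=""):
    """Constructed sample: one KSK (flags 257) and one ZSK (256), timed 2011-11-01.
    `zsk_extra` is appended to the ZSK's .private file (e.g. an Inactive: line)."""
    d = tempfile.mkdtemp()
    for base, flags in (("Kexample.org.+008+11111", 257), ("Kexample.org.+008+22222", 256)):
        with open(os.path.join(d, base + ".key"), "w") as f:
            f.write(f"example.org. IN DNSKEY {flags} 3 8 AwEAAconstructedKeyData==\n")
        with open(os.path.join(d, base + ".private"), "w") as f:
            f.write("Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n"
                    "Publish: 20111101000000\nActivate: 20111101000000\n"
                    + (zsk_extra if flags == 256 else ""))
    return d
```

Run `ready_for_inline_signing("/path/to/key-directory")` against the directory named in `key-directory`; a False result is the first thing to check when the signed zone never gets populated.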
