auto-dnssec maintain and no key: no error message?

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Jul 30 14:39:14 UTC 2013 

When I run a BIND with "auto-dnssec maintain" and "inline-signing
yes", if I create no key, there is no error message and, worse, the
log file says the zone is signed:

Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (unsigned): loaded serial 2013073000
Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (signed): loaded serial 2013073000
Jul 30 16:31:42 u12-33673 named[1605]: all zones loaded
Jul 30 16:31:42 u12-33673 named[1605]: running
Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (signed): receive_secure_serial: unchanged
Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (signed): reconfiguring zone keys
Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (signed): next key event: 30-Jul-2013 17:31:42.009
Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (signed): sending notifies (serial 2013073000)

Of course, there is no signature:

% dig +multi @localhost SOA auto.rd.nic.fr

; <<>> DiG 9.9.2-P1 <<>> +multi @localhost SOA auto.rd.nic.fr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57439
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;auto.rd.nic.fr.		IN SOA

;; ANSWER SECTION:
auto.rd.nic.fr.		86400 IN SOA 10.200.0.73. bortzmeyer.nic.fr. (
				2013073000 ; serial
				30480      ; refresh (8 hours 28 minutes)
				26400      ; retry (7 hours 20 minutes)
				2419200    ; expire (4 weeks)
				86400      ; minimum (1 day)
				)

;; AUTHORITY SECTION:
auto.rd.nic.fr.		86400 IN NS ns1.bortzmeyer.org.
auto.rd.nic.fr.		86400 IN NS ns1.auto.rd.nic.fr.

;; ADDITIONAL SECTION:
ns1.auto.rd.nic.fr.	86400 IN A 109.26.74.172

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 30 16:38:00 2013
;; MSG SIZE  rcvd: 167

IMHO, BIND should clearly log there is something missing.

BIND 9.9.2-P1 (the version in the last Ubuntu server)

More information about the bind-users mailing list