auto-dnssec maintain and no key: no error message?
Evan Hunt
each at isc.org
Tue Jul 30 17:55:47 UTC 2013
> When I run a BIND with "auto-dnssec maintain" and "inline-signing
> yes", if I create no key, there is no error message and, worse, the
> log file says the zone is signed:
Thanks for pointing this out. It's not really an error, but the log
should certainly be clearer about what's going on.
An inline-signing zone is represented internally as *two* zone objects, one
to hold the original unsigned data, and the other the signed. These zones
are differentiated in the log file by the labels "(unsigned)" and
"(signed)", regardless of whether signing in fact taken place yet.
A zone that is to be signed, but can't find a key to sign with, simply
waits quietly until a key is provided. Presumably you're planning to
create the keys and run "rndc loadkeys" later. We ought to be logging
this condition, but it's not an error.
If you report this to bind9-bugs at isc.org we'll address it.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the bind-users
mailing list