Problems with auto-dnssec maintain on BIND 9.9.5 (latest patch, FreeBSD)

Daniel Ryslink daniel.ryslink at dialtelecom.cz
Thu Mar 27 10:33:30 UTC 2014


Hello,

I have the following zone definition included into named.conf:

zone "example.com" in {
type master;
file "master/example.com";
update-policy local;
auto-dnssec maintain;
key-directory "/etc/namedb/keys/";
masterfile-format text;
inline-signing yes;
};

Keys are ready in /etc/namedb/keys/, readable for the named process.

At first, when the zone was not signed at all, all that sufficed was to 
do "rndc loadkeys example.com", and when I later used "rndc signing 
-list example.com", the keys set via
dnssec-settime as active in the keys directory were displayed.

Now, the system reverted to a state where rndc signing -list 
example.com states that no signing records were found. rndc loadkeys 
says nothing, but the return code is 0 (success?). However, when I 
export the new zone file into master/example.com, it is no longer signed 
automatically as before. Manual "rndc sign" still works without problems, 
and results in a zone correctly signed with the active keys. It's only 
the auto mode that was broken.

Also, named.log for bind displays curiously frequent key events:

27-Mar-2014 08:36:01.899 general: info: zone example.com/IN (signed): next key event: 27-Mar-2014 09:36:01.895
27-Mar-2014 08:39:01.633 general: info: zone example.com/IN (signed): reconfiguring zone keys
27-Mar-2014 08:39:01.637 general: info: zone example.com/IN (signed): next key event: 27-Mar-2014 09:39:01.633
27-Mar-2014 08:41:01.825 general: info: zone example.com/IN (signed): reconfiguring zone keys
27-Mar-2014 08:41:01.829 general: info: zone example.com/IN (signed): next key event: 27-Mar-2014 09:41:01.825
27-Mar-2014 08:48:01.447 general: info: zone example.com/IN (signed): reconfiguring zone keys
27-Mar-2014 08:48:01.450 general: info: zone example.com/IN (signed): next key event: 27-Mar-2014 09:48:01.447
27-Mar-2014 08:52:02.094 general: info: zone example.com/IN (signed): reconfiguring zone keys
27-Mar-2014 08:52:02.097 general: info: zone example.com/IN (signed): next key event: 27-Mar-2014 09:52:02.094
27-Mar-2014 09:52:02.100 general: info: zone example.com/IN (signed): reconfiguring zone keys

Why a key event every five minutes, when TTL of the records is 6 hours?

Many thanks in advance to anyone who could possibly bring some insight 
into the problem.

PS.: The name of the actual domain was obviously changed to protect our 
customers.

-- 
Best regards,
Daniel Ryšlink
System Administrator

Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Česká Republika
Tel.:+420.226204627
daniel.ryslink at dialtelecom.cz
-----------------------------------------------
www.dialtelecom.cz
Dial Telecom, a.s.
Simply get connected
-----------------------------------------------
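The log excerpt above announces a "next key event" an hour away, yet "reconfiguring zone keys" follows within minutes. The following script, an added diagnostic example that is not part of the original post or of BIND itself, parses such named.log lines and reports every key reconfiguration that happened before the zone's announced next key event; the sample lines are the post's own log entries, joined back onto single lines.

```python
"""Flag BIND zones whose keys are reconfigured before the scheduled key event.
Example added for this thread, not BIND code. Assumes the default named.log
layout for the 'general' category: '<timestamp> general: info: zone <name> (<state>): <msg>'."""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) general: info: "
    r"zone (?P<zone>\S+) \((?:un)?signed\): (?P<msg>.*)$")
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"
NEXT_PREFIX = "next key event: "

# Sample input: the log lines quoted in the post, one event per line.
SAMPLE_LOG = """\
27-Mar-2014 08:36:01.899 general: info: zone example.com/IN (signed): next key event: 27-Mar-2014 09:36:01.895
27-Mar-2014 08:39:01.633 general: info: zone example.com/IN (signed): reconfiguring zone keys
27-Mar-2014 08:39:01.637 general: info: zone example.com/IN (signed): next key event: 27-Mar-2014 09:39:01.633
27-Mar-2014 08:41:01.825 general: info: zone example.com/IN (signed): reconfiguring zone keys
27-Mar-2014 08:41:01.829 general: info: zone example.com/IN (signed): next key event: 27-Mar-2014 09:41:01.825
27-Mar-2014 08:48:01.447 general: info: zone example.com/IN (signed): reconfiguring zone keys
27-Mar-2014 08:48:01.450 general: info: zone example.com/IN (signed): next key event: 27-Mar-2014 09:48:01.447
27-Mar-2014 08:52:02.094 general: info: zone example.com/IN (signed): reconfiguring zone keys
27-Mar-2014 08:52:02.097 general: info: zone example.com/IN (signed): next key event: 27-Mar-2014 09:52:02.094
27-Mar-2014 09:52:02.100 general: info: zone example.com/IN (signed): reconfiguring zone keys
""".splitlines()

def parse_ts(text):
    return datetime.strptime(text, TS_FMT)

def early_reconfigs(lines):
    """Return (zone, reconfig_time, scheduled_time, seconds_early) for each
    'reconfiguring zone keys' that precedes the zone's last announced key event."""
    scheduled = {}  # zone -> datetime of the most recently announced next key event
    early = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        zone, ts, msg = m.group("zone"), parse_ts(m.group("ts")), m.group("msg")
        if msg.startswith(NEXT_PREFIX):
            scheduled[zone] = parse_ts(msg[len(NEXT_PREFIX):])
        elif msg == "reconfiguring zone keys":
            due = scheduled.get(zone)
            if due is not None and ts < due:
                early.append((zone, ts, due, (due - ts).total_seconds()))
    return early

if __name__ == "__main__":
    for zone, ts, due, secs in early_reconfigs(SAMPLE_LOG):
        print(f"{zone}: keys reconfigured at {ts}, {secs:.0f}s before scheduled event {due}")
```

Only the final reconfiguration at 09:52:02.100 lands after its scheduled event; the four earlier ones are reported, which points at something other than BIND's own key-event timer (for instance a key-directory or loadkeys trigger) driving the rescan.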
