Problems with auto-dnssec maintain on BIND 9.9.5 (latest patch, FreeBSD)

Mark Andrews marka at isc.org
Thu Mar 27 11:44:44 UTC 2014


In message <5333FE7A.8030905 at dialtelecom.cz>, Daniel Ryslink writes:
> Hello,
> 
> I have the following zone definition included into named.conf:
> 
> zone "example.com" in {
> type master;
> file "master/example.com";
> update-policy local;
> auto-dnssec maintain;
> key-directory "/etc/namedb/keys/";
> masterfile-format text;
> inline-signing yes;
> };
> 
> Keys are ready in /etc/namedb/keys/, readable for the named process.
> 
> At first, when the zone was not signed at all, all that sufficed was to 
> do "rndc loadkeys example.com", and when I later used "rndc signing 
> -list example.com", the keys set via
> dnssec-settime as active in the keys directory were displayed.
> 
> Now, the system reverted into a state where rndc signing -list 
> example.com states that no signing records were found.

Which is normal.  The signing records record which DNSKEYs are
in the process of signing the entire zone for the first time.
They are not needed after this completes which is why there is
rndc signing --clear.

> rndc loadkeys 
> says nothing, but the return code is 0 (success?). However, when I 
> export the new zone file into master/example.com, it is no longer signed 
> automatically as before.

You are using "inline-signing yes;" the signed version of the zone is
in master/example.com.signed.

> Manual "rndc sign" still work without problems, 
> and results in a zone correctly signed with the active keys. It's only 
> the auto mode that was broken.
> 
> Also. named.log for bind displays curiously frequent key events:
> 
> 27-Mar-2014 08:36:01.899 general: info: zone example.com/IN (signed): 
> next key event: 27-Mar-2014 09:36:01.895
> 27-Mar-2014 08:39:01.633 general: info: zone example.com/IN (signed): 
> reconfiguring zone keys
> 27-Mar-2014 08:39:01.637 general: info: zone example.com/IN (signed): 
> next key event: 27-Mar-2014 09:39:01.633
> 27-Mar-2014 08:41:01.825 general: info: zone example.com/IN (signed): 
> reconfiguring zone keys
> 27-Mar-2014 08:41:01.829 general: info: zone example.com/IN (signed): 
> next key event: 27-Mar-2014 09:41:01.825
> 27-Mar-2014 08:48:01.447 general: info: zone example.com/IN (signed): 
> reconfiguring zone keys
> 27-Mar-2014 08:48:01.450 general: info: zone example.com/IN (signed): 
> next key event: 27-Mar-2014 09:48:01.447
> 27-Mar-2014 08:52:02.094 general: info: zone example.com/IN (signed): 
> reconfiguring zone keys
> 27-Mar-2014 08:52:02.097 general: info: zone example.com/IN (signed): 
> next key event: 27-Mar-2014 09:52:02.094
> 27-Mar-2014 09:52:02.100 general: info: zone example.com/IN (signed): 
> reconfiguring zone keys
> 
> Why a key event every five minutes, when TTL of the records is 6 hours?

Presumably because dnssec-loadkeys-interval is set to 5 minutes.

TTL is how long keys are cached.  It has nothing to do with how often
named looks for new keys (dnssec-loadkeys-interval) or when a key is
scheduled to be added/removed/activated/inactivated, which are key events.
 
> Many thanks in advance to anyone who could possibly bring some insight 
> into the problem.
> 
> PS.: The name of the actual domain was obviously changed to protect our 
> customers.

Which of course prevents anyone doing any sanity checking / investigation
on what you are reporting.
 
> -- 
> Best regards,
> Daniel Ryslink
> System Administrator
> 
> Dial Telecom a. s.
> Křižíkova 36a/237
> 186 00 Praha 3, Czech Republic
> Tel.:+420.226204627
> daniel.ryslink at dialtelecom.cz
> -----------------------------------------------
> www.dialtelecom.cz
> Dial Telecom, a.s.
> Connect easily
> -----------------------------------------------
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
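As an added example (not code from this thread, from ISC or from BIND), the script below reads the Publish/Activate/Inactive/Delete timing comments that dnssec-keygen and dnssec-settime write into K*.key files and reports the next key event after a given instant, which is what auto-dnssec maintain schedules on; the two key files are constructed samples and their DNSKEY RDATA is a placeholder.

```python
from datetime import datetime, timezone

# Constructed sample K*.key files: the timing comments follow the format
# dnssec-keygen/dnssec-settime write; the DNSKEY RDATA is a placeholder.
KEY_FILES = {
    "Kexample.com.+008+11111.key": """\
; This is a zone-signing key, keyid 11111, for example.com.
; Publish: 20140301000000 (Sat Mar  1 00:00:00 2014)
; Activate: 20140301000000 (Sat Mar  1 00:00:00 2014)
; Inactive: 20140401000000 (Tue Apr  1 00:00:00 2014)
; Delete: 20140411000000 (Fri Apr 11 00:00:00 2014)
example.com. IN DNSKEY 256 3 8 AwEAAPLACEHOLDER
""",
    "Kexample.com.+008+22222.key": """\
; This is a zone-signing key, keyid 22222, for example.com.
; Publish: 20140327120000 (Thu Mar 27 12:00:00 2014)
; Activate: 20140401000000 (Tue Apr  1 00:00:00 2014)
example.com. IN DNSKEY 256 3 8 AwEAAPLACEHOLDER
""",
}

# The transitions auto-dnssec maintain acts on; each one is a "key event".
EVENTS = ("Publish", "Activate", "Inactive", "Delete")


def parse_stamp(stamp):
    """Turn a YYYYMMDDHHMMSS key-file timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_timing(text):
    """Return {event: datetime} from the '; Event: YYYYMMDDHHMMSS (...)' comments."""
    times = {}
    for line in text.splitlines():
        if not line.startswith(";"):
            continue  # the DNSKEY record itself carries no timing metadata
        field, _, rest = line[1:].strip().partition(":")
        if field in EVENTS:
            times[field] = parse_stamp(rest.split()[0])
    return times


def next_key_event(key_files, now):
    """Earliest transition strictly after `now` as (when, keyfile, event), else None.
    The record TTL plays no part: only the key metadata decides this schedule
    (named additionally re-reads the key directory every dnssec-loadkeys-interval)."""
    upcoming = [(when, name, event)
                for name, text in key_files.items()
                for event, when in parse_timing(text).items()
                if when > now]
    return min(upcoming) if upcoming else None
```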