dnssec - rndc list

Tony Finch dot at dotat.at
Mon Dec 10 15:04:31 UTC 2018


Leonardo Oliveira Ortiz <leonardo.ortiz at marisolsa.com> wrote:
>
> I'm configuring DNSSEC with NSEC3. When I run the first `rndc signing
> -list` I can check the keys, but when I restart the named service this
> command shows nothing... Is this a problem?

No, it's benign.

When `named` is signing a zone it puts a couple of extra records at the
zone apex to record its progress. The decoded content of these records is
shown by `rndc signing -list`.

When signing is complete, the special records can be removed, so `rndc
signing -list` will show nothing. That's what `rndc signing -clear` does.

My biggest signed zone is less than 50k records unsigned, and at that size
signing still happens fast enough that I haven't ever managed to catch
`rndc signing -list` while it is in progress :-) Perhaps it's more useful
for NSEC3 with a nonzero hash iteration count...

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
St Davids Head to Great Orme Head, including St Georges Channel: Westerly 3 or
4, backing southerly or southeasterly, 4 or 5, occasionally 6 later. Slight or
moderate. Occasional drizzle later. Good, occasionally moderate later.
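As an added example (not part of Tony's reply and not BIND's own code), the Python below decodes the raw form of those apex progress records as `dig` shows them, which lets you check signing state independently of `rndc signing -list`. It assumes BIND's default private type number, 65534 (the `sig-signing-type` option), and the five-byte key-signing-state layout as I read it from BIND's lib/dns/private.c: algorithm, 16-bit key id, a "removing" flag and a "complete" flag. Private records of any other length are NSEC3 chain-state records and are reported but not decoded. The sample dig answer is constructed.

```python
"""Decode BIND's private-type signing-state records from a dig answer.

Added example, not BIND code. Assumptions (from my reading of BIND's
lib/dns/private.c, not from the mailing-list post): the private type
number is 65534 (the sig-signing-type default) and a key-signing-state
record is five bytes: algorithm, key id (16-bit big-endian), 'removing'
flag, 'complete' flag. Records of any other length (NSEC3 chain state)
are reported but left undecoded.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

PRIVATE_TYPE = 65534  # BIND's default sig-signing-type

# DNSSEC algorithm numbers (IANA registry); enough for readable output.
ALGORITHMS = {
    5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}

# RFC 3597 generic rdata: "\# <length> <hex bytes, whitespace allowed>"
GENERIC_RDATA = re.compile(r"\\#\s+(\d+)\s*((?:[0-9A-Fa-f]{2}\s*)*)")


@dataclass
class SigningState:
    algorithm: int
    keyid: int
    removing: bool
    complete: bool

    def describe(self) -> str:
        """Mirror the wording rndc signing -list uses for these records."""
        alg = ALGORITHMS.get(self.algorithm, str(self.algorithm))
        key = f"{self.keyid}/{alg}"
        if self.complete:
            return f"Done signing with key {key}"
        if self.removing:
            return f"Removing signatures with key {key}"
        return f"Signing with key {key}"


def decode_signing_record(rdata: bytes) -> SigningState:
    """Decode the five-byte key-signing-state layout (assumed, see above)."""
    if len(rdata) != 5:
        raise ValueError(f"not a key-signing-state record: {len(rdata)} bytes")
    return SigningState(
        algorithm=rdata[0],
        keyid=int.from_bytes(rdata[1:3], "big"),
        removing=rdata[3] != 0,
        complete=rdata[4] != 0,
    )


def parse_dig_answer(text: str,
                     private_type: int = PRIVATE_TYPE) -> List[Optional[SigningState]]:
    """Pull private-type records out of a dig answer section.

    Each entry is a SigningState, or None for a private record of another
    length (an NSEC3 chain-state record, whose layout is not decoded here).
    Other record types and comment lines are skipped.
    """
    states: List[Optional[SigningState]] = []
    for line in text.splitlines():
        fields = line.split()
        if (len(fields) < 5 or fields[0].startswith(";")
                or fields[3] != f"TYPE{private_type}"):
            continue
        m = GENERIC_RDATA.search(line)
        if not m:
            raise ValueError(f"private record without generic rdata: {line!r}")
        length = int(m.group(1))
        rdata = bytes.fromhex("".join(m.group(2).split()))
        if len(rdata) != length:
            raise ValueError(f"rdata length {len(rdata)} != declared {length}: {line!r}")
        states.append(decode_signing_record(rdata) if length == 5 else None)
    return states


# Constructed sample of what
#   dig +norecurse +noall +answer @127.0.0.1 example.com TYPE65534
# could return: one key finished signing, one key having its signatures removed.
SAMPLE_DIG_ANSWER = """\
example.com.\t\t0\tIN\tTYPE65534\t\\# 5 0D30390001
example.com.\t\t0\tIN\tTYPE65534\t\\# 5 081A2B0100
"""

if __name__ == "__main__":
    for state in parse_dig_answer(SAMPLE_DIG_ANSWER):
        print(state.describe() if state else "NSEC3 chain-state record (not decoded)")
```

To use it against a live server, pipe the answer section of the dig query shown in the comment into `parse_dig_answer`. An empty answer after `rndc signing -clear` is the benign state Tony describes, not a failure; a record whose "complete" flag is still clear means named has not finished with that key yet.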

