What causes named-checkzone to provide ; resign strings?

Gilbert, Stephen sgilbert at mcclatchy.com
Mon Jun 17 18:18:22 UTC 2019


We have a series of bind9 nameservers (running some 9.9 and some 9.10).  On
our slave zones, which are all reading identical slave zone files, one of
our servers is running the RedHat default bind 9.9.4-74.  The other servers
are running bind compiled directly from isc's source.  When we issue a
named-checkzone on any of the ones compiled straight from isc's source,
after every RRSIG line, we see a ; resign line that contains the date/time
of that resign.  When we issue the same command on RedHat's default, we get
all of the same information, minus that line.  I was wondering if anyone
could tell me what exactly produces that line.  I see in the bind source
code a comment that it is "Only valid if DNS_RDATASETATTR_RESIGN is set in
attributes."  Where would this be set?  If it's in the attributes of the
signed zone file, I would think that it should be there, as when any other
server reads the same files the data appears.  Is this some compile time
option? Is there a config file somewhere on the Linux server itself that
needs to set this?  Really any pointer in the right direction would be
appreciated.

Example of the symptom:
First, the server running RedHat standard, which does not produce the ;
resign line:
[root at rutl800p slaves]# named-checkzone -j -f raw -o - myzone.com /var/named/slaves/db.myzone.com.signed
zone myzone.com/IN: loaded serial 1460033625 (DNSSEC signed)
myzone.com.      3600 IN SOA rutl601p.mylocaldomain.com. hostmaster.mydomain.com. 1460033625 7200 3600 604800 3600
myzone.com.      3600 IN RRSIG SOA 13 2 3600 20190716190406 20190616180406 59573 myzone.com. /HXXeswjocBRCgOftRGwX3EeLYSXXBS8r70oJ/K2rZvn301D7XUKr7nf C4QC1bhM+qRIesK0bkCy02KDHR3YVg==
myzone.com.      3600 IN NS ns1.mydomain.com.

Then the other servers that *do* produce it.
[root at rutl801p slaves]# named-checkzone -j -f raw -o - myzone.com /var/named/slaves/db.myzone.com.signed
zone myzone.com/IN: loaded serial 1460033625 (DNSSEC signed)
myzone.com.      3600 IN SOA rutl601p.mylocaldomain.com. hostmaster.mydomain.com. 1460033625 7200 3600 604800 3600
myzone.com.      3600 IN RRSIG SOA 13 2 3600 20190716190406 20190616180406 59573 myzone.com. /HXXeswjocBRCgOftRGwX3EeLYSXXBS8r70oJ/K2rZvn301D7XUKr7nf C4QC1bhM+qRIesK0bkCy02KDHR3YVg==
; resign=20190716190406
myzone.com.      3600 IN NS ns1.mydomain.com.


Stephen Gilbert

Systems Administrator



P 704-589-0332

E sgilbert at mcclatchy.com <email at mcclatchy.com>
W mcclatchy.com
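
Added example, not part of the original post and not code from ISC or Red Hat: a Python script that compares two `named-checkzone -o -` text dumps on record data only, so the `; resign=` comment is reported separately instead of appearing as a zone difference, and lists each comment next to the expiration field of the RRSIG it follows. It assumes one record per line; the function names and the BASE64SIG placeholder are constructed for illustration.

```python
import re

RESIGN = re.compile(r"^;\s*resign=(\d{14})$")
STATUS = re.compile(r"^zone \S+/\S+: ")  # "zone myzone.com/IN: loaded serial ..."

def parse_dump(text):
    """Return (records, resigns). Assumes one record per line (assumption)."""
    records, resigns, last_rrsig = [], {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())          # normalise column padding
        if not line or STATUS.match(line):
            continue
        m = RESIGN.match(line)
        if m and last_rrsig:
            resigns[last_rrsig] = m.group(1)  # comment belongs to the RRSIG above
        if line.startswith(";"):
            continue                          # comments are not record data
        records.append(line)
        last_rrsig = line if line.split()[3:4] == ["RRSIG"] else None
    return records, resigns

def compare(dump_a, dump_b):
    """Compare two dumps on record data only, ignoring ';' comment lines."""
    recs_a, res_a = parse_dump(dump_a)
    recs_b, res_b = parse_dump(dump_b)
    return {
        "same_records": recs_a == recs_b,
        "resign_comments": (len(res_a), len(res_b)),
        # (covered type, RRSIG expiration field, resign value) per comment
        "resign_vs_expiration": [
            (r.split()[4], r.split()[8], ts)
            for r, ts in {**res_a, **res_b}.items()
        ],
    }

# Constructed sample: the post's two outputs, signature replaced by a placeholder.
STATUS_LINE = "zone myzone.com/IN: loaded serial 1460033625 (DNSSEC signed)"
SOA = ("myzone.com.      3600 IN SOA rutl601p.mylocaldomain.com. "
       "hostmaster.mydomain.com. 1460033625 7200 3600 604800 3600")
RRSIG = ("myzone.com.      3600 IN RRSIG SOA 13 2 3600 20190716190406 "
         "20190616180406 59573 myzone.com. BASE64SIG==")
NS = "myzone.com.      3600 IN NS ns1.mydomain.com."
REDHAT_DUMP = "\n".join([STATUS_LINE, SOA, RRSIG, NS])
ISC_DUMP = "\n".join([STATUS_LINE, SOA, RRSIG, "; resign=20190716190406", NS])

if __name__ == "__main__":
    print(compare(REDHAT_DUMP, ISC_DUMP))
```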
