Debug logging for auto-dnssec inline signing

Matthew Richardson matthew-l at itconsult.co.uk
Mon Nov 11 17:24:13 UTC 2019


Tony Finch <dot at dotat.at> wrote:-

>> What "category" should one be logging in order to get details of DNSSEC
>> inline signing when running Bind 9.8.11?
>
>I guess you mean 9.11.8 :-) The 9.8 branch ended with 9.8.8 and it has
>been unsupported for ages.

Correct - I need to practice my proofreading skills :-(

>Yes, there is not very much logging automatic zone signing. I think that
>has been improved a bit in 9.15 but I haven't looked at it in detail.

Hopefully some helpful ISC person will be along shortly with better
particulars of the logging available for automatic signing in both 9.11 &
later releases.

I do seem to recall reading that RIPE chose Knot over Bind for DNS signing
related to the logging.

>> I have an authoritative master server with a number of domains set with:-
>>
>>     inline-signing yes;
>>     auto-dnssec maintain;
>>
>> and have a suspicion that Bind has simply stopped re-signing most of them.

It turns out that I became nervous one day before I should have.  The zones
in question were re-signed overnight.

>There have been some bugs in this area which were fixed in 9.13.3 and that
>don't appear in the 9.11 branch - but I don't know if the fixes are
>relevant to 9.11.
>
>See changes 5015, 5014, 5004
>https://gitlab.isc.org/isc-projects/bind9/blob/v9_13_3/CHANGES

Those are indeed interesting, thanks.  Perhaps this suggests that sticking
with the ESV version might be less prudent on DNSSEC signers.  Do you (or
others) have a view on this?

Best wishes,
Matthew
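A quick check for the "has BIND stopped re-signing?" worry raised in this thread, added here as an example (it is not from the thread or from ISC): it parses the RRSIG records printed by `dig +dnssec +noall +answer SOA <zone>` and flags zones whose signature expiry is closer than BIND's default re-sign point (sig-validity-interval of 30 days, with signatures regenerated a quarter of that, 7.5 days, before expiry). The sample dig output is constructed.

```python
"""Flag zones whose RRSIG expiry suggests automatic re-signing has stalled."""
import sys
from datetime import datetime, timezone, timedelta

# Constructed sample of `dig +dnssec +noall +answer SOA <zone>` for two zones.
# RRSIG RDATA fields: type alg labels origttl expiration inception keytag signer sig
SAMPLE = """\
example.org. 3600 IN RRSIG SOA 8 2 3600 20191207100000 20191107100000 12345 example.org. AAAA==
example.net. 3600 IN RRSIG SOA 8 2 3600 20191113100000 20191014100000 23456 example.net. BBBB==
"""


def parse_ts(s):
    """RFC 4034 presentation timestamp (YYYYMMDDHHMMSS) -> aware UTC datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig_expirations(text):
    """Return {owner name: expiration datetime} for every RRSIG line in dig output."""
    out = {}
    for line in text.splitlines():
        f = line.split()
        # owner ttl class RRSIG typecovered alg labels origttl expiration ...
        if len(f) < 9 or f[3] != "RRSIG":
            continue
        out[f[0]] = parse_ts(f[8])
    return out


def stale_zones(text, now_ts=None, warn_days=7):
    """Zones whose RRSIGs expire within warn_days of now (or are already expired).

    Assumes BIND defaults: 30-day sig-validity-interval, re-sign at 1/4 of that
    (7.5 days) before expiry.  A healthy zone therefore never shows an SOA RRSIG
    with only 7 days left; anything flagged here deserves a look at the signer.
    """
    now = parse_ts(now_ts) if now_ts else datetime.now(timezone.utc)
    limit = timedelta(days=warn_days)
    return sorted(z for z, exp in parse_rrsig_expirations(text).items()
                  if exp - now <= limit)


if __name__ == "__main__":
    # Usage: dig +dnssec +noall +answer SOA example.org | python3 check_resign.py
    for zone in stale_zones(sys.stdin.read()):
        print(f"WARNING: {zone} RRSIG expires within 7 days; check re-signing")
```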