dnssec-policy behaviour

Kal Feher dns at securenic.net
Sun Feb 2 09:53:21 UTC 2020


I've been testing the dnssec-policy (9.15.8) feature, but either I've
come across a bug, or my understanding of the configuration is incomplete.

Whenever BIND restarts, it adds a new key (or keys, depending on the
policy) into the configured key directory. It uses this new key or keys
to sign the zone, apparently ignoring previously created keys, although
the DNSKEY records remain within the zone. I have observed the same
behaviour if I initiate an rndc loadkeys <zone>.

I've tried both the default policy and an explicitly configured policy
with the same results.

There's nothing in the logs indicating an error loading previous keys.

Am I missing something?

--

Kal Feher
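One way to confirm the behaviour described above (DNSKEYs published but not used for signing) is to compare the key tags of the DNSKEY RRset with the key tags referenced by the zone's RRSIGs. This is an added example, not code from the post or from BIND; the zone text is constructed, and key tags are computed per RFC 4034 Appendix B.

```python
import base64
from collections import defaultdict

# Constructed sample zone text (not from the original post): a KSK plus an
# old and a new ZSK are published, but the RRSIGs only reference the new ZSK.
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 13 AQIDBA==
example.test. 3600 IN DNSKEY 256 3 13 BQYHCA==
example.test. 3600 IN DNSKEY 256 3 13 CQoLDA==
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20200301000000 20200201000000 2068 example.test. c2ln
example.test. 3600 IN RRSIG SOA 13 2 3600 20200301000000 20200201000000 6179 example.test. c2ln
www.example.test. 300 IN RRSIG A 13 3 300 20200301000000 20200201000000 6179 example.test. c2ln
"""

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (non-RSAMD5 algorithms)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def audit_zone(zone_text):
    """Return (published, signing): published maps key tag -> DNSKEY flags,
    signing maps key tag -> set of RR types that key's RRSIGs cover."""
    published = {}
    signing = defaultdict(set)
    for line in zone_text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[2] != "IN":
            continue
        if tok[3] == "DNSKEY":
            flags, proto, alg = int(tok[4]), int(tok[5]), int(tok[6])
            pubkey = base64.b64decode("".join(tok[7:]))
            published[key_tag(flags, proto, alg, pubkey)] = flags
        elif tok[3] == "RRSIG":
            # RRSIG RDATA: type-covered alg labels orig-ttl expiry inception key-tag signer sig
            signing[int(tok[10])].add(tok[4])
    return published, dict(signing)

def unused_keys(zone_text):
    """Key tags published as DNSKEY but never referenced by any RRSIG."""
    published, signing = audit_zone(zone_text)
    return sorted(tag for tag in published if tag not in signing)

def dangling_signatures(zone_text):
    """Key tags referenced by RRSIGs that have no matching DNSKEY in the zone."""
    published, signing = audit_zone(zone_text)
    return sorted(tag for tag in signing if tag not in published)

if __name__ == "__main__":
    print("published but unused:", unused_keys(SAMPLE_ZONE))
    print("signed by missing key:", dangling_signatures(SAMPLE_ZONE))
```

Run it against `dig +dnssec` output or a signed zone file dump; a non-empty "published but unused" list is the situation the post describes, while a non-empty "dangling" list means validators will fail.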


