Bind keeps adding RRSIGs to zone file after switching to dnssec policy
Josef Vybíhal
josef.vybihal at gmail.com
Sat Mar 5 16:48:39 UTC 2022
Hi everyone,
today I switched more domains from inline-signing to dnssec-policy and
I noticed something that I do not quite like. So I want to ask if
that's normal and if there is a way to stop it from happening.
I had this:
zone "EXAMPLE.com" {
    type master;
    file "master/EXAMPLE.com.zone";
    inline-signing yes;
    auto-dnssec maintain;
    key-directory "keys";
    sig-validity-interval 35 25;
    update-policy {
        grant "ABC" name something.EXAMPLE.com TXT;
        grant local-ddns zonesub any;
    };
};
Switched to this:
zone "EXAMPLE.com" {
    type master;
    file "master/EXAMPLE.com.zone";
    key-directory "keys/EXAMPLE.com";
    dnssec-policy mypolicy;
    update-policy {
        grant "ABC" name something.EXAMPLE.com TXT;
        grant local-ddns zonesub any;
    };
};
Now the EXAMPLE.com.zone itself was reformatted and contains RRSIGs,
which make it much harder to work with when editing manually - which I
need to do from time to time (while doing rndc freeze + rndc thaw).
I noticed this is only happening when zone allows dynamic updates.
Zones that do not allow dynamic updates are not touched.
I have tried to create a fresh new zone, then sign it and the behavior
is consistent.
Am I doing something wrong? Is there a config option that will tell
bind to stop rewriting that zone file?
My version is 9.16.26.
Thanks
Josef
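As an added example (not part of the original post or an ISC-provided configuration): the same zone stanza with `inline-signing yes;` set explicitly next to `dnssec-policy`. In BIND 9.16 this option is not implied by dnssec-policy, and without it a zone that accepts dynamic updates is signed in place, so the RRSIGs end up in the dynamic zone file when it is dumped; with it, named keeps the signatures in a separate `.signed` copy and leaves the unsigned file as the editable source. Policy name and paths are the post's own placeholders.

```conf
// Before (assumed cause): dnssec-policy on a dynamic zone, no inline-signing.
// named signs the zone in place, so RRSIG/NSEC records are written back
// into master/EXAMPLE.com.zone whenever the zone is dumped.
zone "EXAMPLE.com" {
    type master;
    file "master/EXAMPLE.com.zone";
    key-directory "keys/EXAMPLE.com";
    dnssec-policy mypolicy;
    update-policy {
        grant "ABC" name something.EXAMPLE.com TXT;
        grant local-ddns zonesub any;
    };
};

// After: keep inline-signing enabled alongside dnssec-policy.
// master/EXAMPLE.com.zone stays unsigned (safe to edit under rndc freeze/thaw);
// the signed copy named serves lives in master/EXAMPLE.com.zone.signed.
zone "EXAMPLE.com" {
    type master;
    file "master/EXAMPLE.com.zone";
    key-directory "keys/EXAMPLE.com";
    dnssec-policy mypolicy;
    inline-signing yes;
    update-policy {
        grant "ABC" name something.EXAMPLE.com TXT;
        grant local-ddns zonesub any;
    };
};
```

Run `named-checkconf` on the edited file and, after `rndc reconfig`, confirm with `rndc zonestatus EXAMPLE.com` that the zone reports inline signing before relying on the unsigned file being left untouched.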