Bind keeps adding RRSIGs to zone file after switching to dnssec policy

Josef Vybíhal josef.vybihal at gmail.com
Sun Mar 6 09:46:16 UTC 2022


Thanks! That worked as expected. I blindly removed inline-signing
without thinking about what it actually does.
https://kb.isc.org/docs/aa-00626
J.

On Sun, Mar 6, 2022 at 2:11 AM Mark Andrews <marka at isc.org> wrote:
>
> You switched your server from ‘auto-dnssec maintain;’ to ‘dnssec-policy mypolicy;’
> and removed ‘inline-signing yes;’.  Put back ‘inline-signing yes;’ if you want named to maintain two instances of the zone.
>
> --
> Mark Andrews
>
> > On 6 Mar 2022, at 03:49, Josef Vybíhal <josef.vybihal at gmail.com> wrote:
> >
> > Hi everyone,
> > today I switched more domains from inline-signing to dnssec-policy and
> > I noticed something that I do not quite like. So I want to ask if
> > that's normal and if there is a way to stop it from happening.
> >
> > I had this:
> > zone "EXAMPLE.com" {
> >    type master;
> >    file "master/EXAMPLE.com.zone";
> >    inline-signing yes;
> >    auto-dnssec maintain;
> >    key-directory "keys";
> >    sig-validity-interval 35 25;
> >    update-policy {
> >        grant "ABC" name something.EXAMPLE.com TXT;
> >        grant local-ddns zonesub any;
> >    };
> > };
> >
> >
> > Switched to this:
> > zone "EXAMPLE.com" {
> >    type master;
> >    file "master/EXAMPLE.com.zone";
> >    key-directory "keys/EXAMPLE.com";
> >    dnssec-policy mypolicy;
> >    update-policy {
> >        grant "ABC" name something.EXAMPLE.com TXT;
> >        grant local-ddns zonesub any;
> >    };
> > };
> >
> > Now the EXAMPLE.com.zone itself was reformatted and contains RRSIGs,
> > which makes it much harder to work with when editing manually, which I
> > need to do from time to time (while doing rndc freeze + rndc thaw).
> >
> > I noticed this is only happening when zone allows dynamic updates.
> > Zones that do not allow dynamic updates are not touched.
> >
> > I have tried to create a fresh new zone, then sign it and the behavior
> > is consistent.
> >
> > Am I doing something wrong? Is there config option, that will tell
> > bind to stop rewriting that zone file?
> >
> > My version is 9.16.26.
> >
> >
> > Thanks
> > Josef
> > --
> > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> >
> > ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> >
> >
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users


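For reference, the corrected zone statement that Mark's reply describes, written out as an added example (not configuration from the thread). The dnssec-policy body is assumed: the list only mentions "mypolicy" by name, so the policy below is a plausible one-CSK policy whose signatures-validity / signatures-refresh values mirror the old "sig-validity-interval 35 25". The point is the "inline-signing yes;" line: with it, named leaves "master/EXAMPLE.com.zone" unsigned and maintains the signed instance in a separate "master/EXAMPLE.com.zone.signed" file; without it, a zone that accepts dynamic updates is signed in place and the RRSIGs end up in the file you edit.

```conf
// Added example: dnssec-policy replacing "auto-dnssec maintain;".
// Policy contents are an assumption; only the name "mypolicy" appears in the thread.
dnssec-policy "mypolicy" {
    keys {
        csk lifetime unlimited algorithm ecdsap256sha256;
    };
    // Equivalent of the old "sig-validity-interval 35 25": signatures are
    // valid 35 days and are renewed when less than 25 days remain.
    signatures-validity 35d;
    signatures-refresh 25d;
};

zone "EXAMPLE.com" {
    type master;
    file "master/EXAMPLE.com.zone";       // stays unsigned: safe to edit with rndc freeze/thaw
    key-directory "keys/EXAMPLE.com";
    dnssec-policy "mypolicy";
    inline-signing yes;                   // signed copy lives in master/EXAMPLE.com.zone.signed
    update-policy {
        grant "ABC" name something.EXAMPLE.com TXT;
        grant local-ddns zonesub any;
    };
};
```

Check the result before and after a manual edit: the raw file should contain no RRSIG or NSEC records, while "named-checkzone EXAMPLE.com master/EXAMPLE.com.zone.signed" and "rndc dnssec -status EXAMPLE.com" show the signed instance and the policy state. When editing the raw file after "rndc freeze EXAMPLE.com", increment the SOA serial before "rndc thaw EXAMPLE.com", otherwise named does not pick up the change and re-sign the signed copy.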