Primary zone not fully maintained by BIND
Jan-Piet Mens
list at mens.de
Tue May 24 18:57:36 UTC 2022
> dnssec-policy default;
Slightly off-topic, but I believe ISC recommend using a custom policy instead
of 'default' in case the default changes in future.
> view "internal" {
>   zone "penguinpee.nl" {
>     type primary;
>     file "dynamic/penguinpee.nl.internal.zone";
>   };
> };
>
> view "external" {
>   zone "penguinpee.nl" {
>     type primary;
>     file "master/penguinpee.nl.zone";
>   };
> };
>Using delv, the internal view of the zone fully validated, for SOA, A,
>AAAA etc.
That surprises me a bit; I've always maintained BIND will not validate a
DNSSEC-signed zone it is authoritative for. Unless you mean RRSIGs were
still valid.
>I thought that with 'dnssec-policy default' BIND would take care of
>it. Upon updating the zone, increase the serial number and tell named
>with 'rndc reload zone'. What am I missing?
BIND should be signing the zone(s) with dnssec-policy, yes, and the
dynamically-updateable zone will be signed on update and SOA serial
increased automatically.
I wonder whether it's getting confused (can software get confused? I suppose
so) with the two identically-named zones. If this were my installation and
I had to use views, I'd try specifying distinct policies for the zones
to see if that makes a difference.
-JP
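What the suggestion above would look like in named.conf, as an added example that is not part of the thread and not ISC's or the poster's configuration: a custom dnssec-policy per view instead of the built-in "default", and a separate key-directory for each copy of the same-named zone. The policy names, the match-clients ranges, the key-directory paths, the update-policy for the dynamic zone and the inline-signing setting for the static one are all assumptions for illustration; only the zone name and file names come from the quoted config.

```conf
// Added example, not the original poster's configuration.
// One custom policy per view so the two same-named zones never share
// policy state; a single CSK on ECDSA P-256 is assumed as the key setup.
dnssec-policy "internal-csk" {
    keys {
        csk lifetime unlimited algorithm ecdsap256sha256;
    };
};

dnssec-policy "external-csk" {
    keys {
        csk lifetime unlimited algorithm ecdsap256sha256;
    };
};

view "internal" {
    // assumed internal client range (RFC 5737 documentation prefix)
    match-clients { 192.0.2.0/24; };
    zone "penguinpee.nl" {
        type primary;
        file "dynamic/penguinpee.nl.internal.zone";
        dnssec-policy "internal-csk";
        // assumed: keys kept apart per view, since key files are named by zone
        key-directory "keys/internal";
        // assumed: this copy is maintained via dynamic updates (e.g. nsupdate -l)
        update-policy local;
    };
};

view "external" {
    match-clients { any; };
    zone "penguinpee.nl" {
        type primary;
        file "master/penguinpee.nl.zone";
        dnssec-policy "external-csk";
        key-directory "keys/external";
        // assumed: static file edited by hand and reloaded, so BIND keeps
        // the signed version separately rather than rewriting the source file
        inline-signing yes;
    };
};
```

After reloading, `named-checkconf` confirms the syntax and `rndc dnssec -status penguinpee.nl in internal` (and the same with `external`) shows which policy each view's copy of the zone is using and the state of its keys, which is the quickest way to see whether the two zones are being treated independently.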