Primary zone not fully maintained by BIND
Sandro
lists at penguinpee.nl
Mon May 30 22:16:00 UTC 2022
On 27-05-2022 15:59, Matthijs Mekking wrote:
> Yes, I would recommend key separation (that is use a different
> key-directory per view).
I tried that, gracefully, by setting 'dnssec-policy' to insecure for the
internal view. That gave me some issues. Probably, because I had already
moved the key for the external view to a separate directory.
Anyway, I couldn't withdraw the original key from the internal view and
reverted to the original setup: same key directory and same policy for
both internal and external view of zone penguinpee.nl.
> I am going to investigate your configuration more next week, to see if
> there is a hidden bug.
Thank you for looking into it. If there's anything I can do to assist,
please let me know.
Right now, I have a bunch of RRSIG RRs that are about to expire some
time on 1 June. One thing that caught my eye when I was poking around
is the output of 'rndc zonestatus'. For the internal view I get a date in
the future for 'next resign time'. For the external view, the date is in
the past. Not sure if that's a telltale sign.
-- Sandro