Bind 9.16.33 startup problem
Petr Špaček
pspacek at isc.org
Tue Oct 4 07:52:11 UTC 2022
On 04. 10. 22 9:38, Sami Leino wrote:
> Hi,
>
> I tried to upgrade Bind from 9.16.32 to 9.16.33 on a Windows Server 2016. Service failed to start with several similar errors in event log;
>
> named.conf:411: 'dnssec-policy;' requires dynamic DNS or inline-signing to be configured for the zone
>
> On the lines where the error occurs I have
>
> dnssec-policy "ecdsa256";
>
> With 9.16.32 and exactly the same configuration Bind starts normally without any errors. This is Master NS.
>
> Other two slave name servers (Windows 2019) start up 9.16.33 normally without any errors.
>
> Anyone else having the same problem and any clue how to fix it?
If your zone is static (without update-policy or allow-update) then you
need to add "inline-signing yes;" into the zone definition(s) which use
dnssec-policy.
Why? This is a consequence of a fix for dnssec-policy.
The relevant release notes are here:
https://bind9.readthedocs.io/en/v9_16_33/notes.html#feature-changes
"Zones using dnssec-policy now require dynamic DNS or inline-signing to
be configured explicitly. [GL #3381]"
We apologize for the problems this is causing. It was a hard choice and we
decided this is the lesser of two evils. (An alternative was to let the zone
break silently later when updates are eventually allowed.)
--
Petr Špaček
Internet Systems Consortium
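
A pre-upgrade check for the condition described in the reply above, added here as an example and not part of the original message or of BIND itself: it lists zones that set dnssec-policy but have neither "inline-signing yes;" nor update-policy/allow-update. Assumptions: only statements inside each zone block are examined (settings inherited from options or view are not tracked), "dnssec-policy none;" is treated as unsigned, and all function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample configuration (not from the original message).
SAMPLE_CONF = '''
zone "static.example" { type master; file "static.db"; dnssec-policy "ecdsa256"; };
zone "inline.example" {
    type master; file "inline.db";
    dnssec-policy "ecdsa256";
    inline-signing yes;
};
zone "dynamic.example" {
    type master; file "dynamic.db";
    dnssec-policy "ecdsa256";
    update-policy local;
};
zone "unsigned.example" { type master; file "unsigned.db"; };
# zone "commented.example" { dnssec-policy "ecdsa256"; };
'''

def strip_comments(text):
    # Drop /* */, // and # comments so commented-out statements are ignored.
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def zone_blocks(text):
    # Yield (zone name, body) by brace matching from each zone statement.
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def zones_needing_inline_signing(conf):
    # Zones with a dnssec-policy but no inline-signing and no dynamic updates.
    flagged = []
    for name, body in zone_blocks(strip_comments(conf)):
        policy = re.search(r'\bdnssec-policy\s+"?([^";\s]+)"?\s*;', body)
        if not policy or policy.group(1) == 'none':
            continue
        # Presence of either statement counts as dynamic (a simplification).
        dynamic = re.search(r'\b(update-policy|allow-update)(?![-\w])', body)
        inline = re.search(r'\binline-signing\s+(yes|true|1)\s*;', body)
        if not dynamic and not inline:
            flagged.append(name)
    return flagged

if __name__ == '__main__':
    for z in zones_needing_inline_signing(SAMPLE_CONF):
        print(f'zone "{z}": add "inline-signing yes;" or configure dynamic updates')
```

Running "named-checkconf" from the new release against the configuration remains the authoritative check; this sketch only helps locate the zone blocks to edit.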