Zone file got updated via named process unexpected

Nick Tait nick at tait.net.nz
Sun Dec 17 20:18:06 UTC 2023


On 17/12/2023 5:30 pm, liudonghua at ynu.edu.cn wrote:
> I found this zone file got updated in about 15 minutes when I made 
> changes or restarted named, and this behavior seems to match the docs 
> bind9.readthedocs.io/en/latest/chapter6.html#dynamic-update, but I can 
> confirm I DO NOT configure allow-update or update-policy. I even added 
> "allow-update {none;}; // no DDNS by default" in the zone block of the 
> problematic view. Is there any chance this configuration comes from 
> another config file or named build options?

Are you using DNSSEC with this zone? Your config extract doesn't show 
it, but what you described sounds like BIND might be resigning the zone 
file and writing the new signed zone over top of the original file? If 
so, the solution is to use inline-signing: 
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-inline-signing

Note that there have been many improvements in BIND's support for DNSSEC 
over the last few years, so if this is a server that you've inherited, 
it is probably worth reviewing the DNSSEC configuration options to see 
if it can be improved.

Nick.
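A minimal named.conf illustration of the two setups Nick contrasts, added here as an example and not taken from anything posted in the thread; the zone name, file paths, the built-in "default" dnssec-policy and the 15-minute dump interval are assumptions on my part, not details from the original message:

```conf
// Added example, not from the thread. Zone name and paths are placeholders.

// Before: the zone is signed in place. Without inline-signing, named needs the
// zone to be dynamic so its own signer can add RRSIG/NSEC records; the result
// is journaled and then dumped back into the very file the operator edits
// (by default roughly every 15 minutes), so the on-disk file "changes by itself".
zone "example.com" {
    type primary;
    file "/var/named/example.com.zone";
    dnssec-policy "default";     // named maintains keys and signatures (assumed policy)
    inline-signing no;           // signatures live in the zone file itself
    update-policy local;         // allows named's internal signer to update the zone
};

// After: inline-signing keeps the hand-edited file untouched. named writes the
// signed copy to example.com.zone.signed (plus journal files) beside it and
// serves that, so allow-update can stay disabled and plain edits + "rndc reload"
// keep working.
zone "example.com" {
    type primary;
    file "/var/named/example.com.zone";
    dnssec-policy "default";
    inline-signing yes;
    allow-update { none; };      // no DDNS, exactly as in the original poster's config
};
```

To see which files contribute a zone's effective options, `named-checkconf -p` prints the fully parsed configuration including every `include`d file, which answers the "does this come from another config file?" question directly.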

