Hi everyone,
today I switched more domains from inline-signing to dnssec-policy and
I noticed something that I do not quite like. So I want to ask if
that's normal and if there is a way to stop it from happening.

I had this:
zone "EXAMPLE.com" {
    type master;
    file "master/EXAMPLE.com.zone";
    inline-signing yes;
    auto-dnssec maintain;
    key-directory "keys";
    sig-validity-interval 35 25;
    update-policy {
        grant "ABC" name something.EXAMPLE.com TXT;
        grant local-ddns zonesub any;
    };
};


Switched to this:
zone "EXAMPLE.com" {
    type master;
    file "master/EXAMPLE.com.zone";
    key-directory "keys/EXAMPLE.com";
    dnssec-policy mypolicy;
    update-policy {
        grant "ABC" name something.EXAMPLE.com TXT;
        grant local-ddns zonesub any;
    };
};

Now the EXAMPLE.com.zone itself was reformatted and contains RRSIGs,
which make it much harder to work with when editing manually - which I
need to do from time to time (while doing rndc freeze + rndc thaw).

I noticed this is only happening when the zone allows dynamic updates.
Zones that do not allow dynamic updates are not touched.

I have tried to create a fresh new zone, then sign it and the behavior
is consistent.

Am I doing something wrong? Is there a config option that will tell
bind to stop rewriting that zone file?

My version is 9.16.26.


Thanks
Josef