Hi everyone,

today I switched more domains from inline-signing to dnssec-policy and I noticed something that I do not quite like. So I want to ask if that's normal and if there is a way to stop it from happening.

I had this:

    zone "EXAMPLE.com" {
        type master;
        file "master/EXAMPLE.com.zone";
        inline-signing yes;
        auto-dnssec maintain;
        key-directory "keys";
        sig-validity-interval 35 25;
        update-policy {
            grant "ABC" name something.EXAMPLE.com TXT;
            grant local-ddns zonesub any;
        };
    };

Switched to this:

    zone "EXAMPLE.com" {
        type master;
        file "master/EXAMPLE.com.zone";
        key-directory "keys/EXAMPLE.com";
        dnssec-policy mypolicy;
        update-policy {
            grant "ABC" name something.EXAMPLE.com TXT;
            grant local-ddns zonesub any;
        };
    };

Now the EXAMPLE.com.zone itself was reformatted and contains RRSIGs, which makes it much harder to work with when editing manually - which I need to do from time to time (while doing rndc freeze + rndc thaw).

I noticed this is only happening when the zone allows dynamic updates. Zones that do not allow dynamic updates are not touched. I have tried to create a fresh new zone, then sign it, and the behavior is consistent.

Am I doing something wrong? Is there a config option that will tell bind to stop rewriting that zone file?

My version is 9.16.26.

Thanks
Josef

--
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users