I'm trying "auto-dnssec maintain;" with a BIND 9.9.3-P1. My configuration is:
options {
        directory "/tmp/bind";
        key-directory "/tmp/bind";
};

zone "example" {
        type master;
        file "example";
        inline-signing yes;
        auto-dnssec maintain;
};

Apparently, everything works. The key I created and put in /tmp/bind is used, the zone is signed, everyone is happy. But I get messages:

24-Jul-2013 07:39:25.480 zone example/IN (signed): Key example/RSASHA256/46747 missing or inactive and has no replacement: retaining signatures.

Which I do not understand. The key is there:

% ls -lt /tmp/bind/Kexample.+008+46747*
-rw-r--r-- 1 bortzmeyer bortzmeyer 597 Jul 23 12:02 /tmp/bind/Kexample.+008+46747.key
-rw------- 1 bortzmeyer bortzmeyer 1776 Jul 23 12:02 /tmp/bind/Kexample.+008+46747.private

And is certainly active:

% cat /tmp/bind/Kexample.+008+46747.key
; This is a key-signing key, keyid 46747, for example.
; Created: 20130723100005 (Tue Jul 23 12:00:05 2013)
; Publish: 20130723100005 (Tue Jul 23 12:00:05 2013)
; Activate: 20130723070226 (Tue Jul 23 09:02:26 2013)
...

And, despite the message "retaining signatures", signatures *are* regenerated periodically, even after the warning:

example.  600 IN RRSIG DNSKEY 8 1 600 20130725045802 (
                20130724043925 46747 example.
                rkNJdCp8PV3PzEsVc6efh/mBY3eHZcL3712ELD2g7gte
                ...
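
Added example, not part of the original message and not BIND's own code: a small Python check that reads the timing comments from a K*.key file like the one quoted above and reports whether the key is published and active at a given UTC instant. The function names are hypothetical, the sample text is constructed from the lines quoted in the message, and treating a missing Publish or Activate line as "not reached" is an assumption of this sketch.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the header comments quoted in the message. The DNSKEY
# record itself is elided there and is not needed for this check.
SAMPLE_KEY = """\
; This is a key-signing key, keyid 46747, for example.
; Created: 20130723100005 (Tue Jul 23 12:00:05 2013)
; Publish: 20130723100005 (Tue Jul 23 12:00:05 2013)
; Activate: 20130723070226 (Tue Jul 23 09:02:26 2013)
"""

# The 14-digit stamp is UTC; the parenthesised form is local time.
FIELD = re.compile(
    r"^;\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})\b",
    re.M,
)


def parse_timing(text):
    """Return {field: aware UTC datetime} for each timing comment present."""
    return {
        name: datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        for name, stamp in FIELD.findall(text)
    }


def key_state(timing, now):
    """Evaluate the key's state at 'now' from its timing metadata alone."""
    def reached(field):
        # Assumption of this sketch: a field that is absent counts as not reached.
        when = timing.get(field)
        return when is not None and when <= now

    return {
        "published": reached("Publish") and not reached("Delete"),
        "active": reached("Activate") and not reached("Inactive"),
        "revoked": reached("Revoke"),
    }


if __name__ == "__main__":
    # Inception time of the RRSIG quoted in the message (RRSIG times are UTC).
    inception = datetime(2013, 7, 24, 4, 39, 25, tzinfo=timezone.utc)
    print(key_state(parse_timing(SAMPLE_KEY), inception))
```

This only evaluates the metadata in the key file; it does not explain why named logged the warning.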