Thanks Mark for your quick response. On page 29 of the Bv9-12-3-P1ARM I had seen the following, which is why I thought that I "needed" to have one of those statements:
" Using the auto-dnssec option requires the zone to be configured to allow dynamic updates, by adding an allow-update or update-policy statement to the zone configuration. If this has not been done, the configuration will fail." I was looking to do fully automatic signing using auto-dnssec maintain;. If that is not possible I could still live with an rndc-based approach if required. I will try this out in the morning. Thanks again! Daniel J. LeBlanc, P.Eng., MBA, DTME | Senior Network Architect | Bell Canada -----Original Message----- From: Mark Andrews [mailto:ma...@isc.org] Sent: March-18-19 8:40 PM To: LeBlanc, Daniel James Cc: bind-users@lists.isc.org Subject: Re: ISC BIND 9.12.3-P1 Question re: DNSSEC Zone Signing You don’t need update-policy local. In inline-signing mode named maintains its own copy of the zone with the DNSSEC records in addition to the copy from upstream. DNSSEC is controlled by rndc. > On 19 Mar 2019, at 10:33 am, LeBlanc, Daniel James > <daniel.lebl...@bellaliant.ca> wrote: > > Hello All. > > I have a pair of ISC BIND 9.12.3-P1 servers that are configured as slaves to > a pair of Hidden Master servers. The Hidden Masters are a proprietary > product and unfortunately when used to sign the zones, the SOA records are > not populated as expected. As a result, I was looking into signing the zones > within ISC BIND instead. Reviewed the literature, came up with a plan and > the required configuration changes. However, things are not proceeding as I > had hoped… > > If I include required statements within the zone options BIND complained that > update-policy local is not permitted in a zone of type slave (and failed to > start): > > key-directory "keys/externals/{{ zone.zonename }}"; > inline-signing yes; > auto-dnssec maintain; > update-policy local; > > So I switched it out for the allow-update { localhost; };, and BIND > complained that allow-update is not permitted in a zone of type slave (and > failed to start). 
> > So I changed my zone type from slave to master (recall that these BIND > instances are intended to be slaved off of the Hidden Masters), and BIND > complained that masters statements were not permitted in zones of type master > (meaning that updates would not be accepted). > > Is there a way for me to sign the zones on the slave servers, even though I > intend to provision content into those same zones on the proprietary Hidden > Masters? > > Thanks. > > Daniel J. LeBlanc, P.Eng., MBA, DTME | Senior Network Architect | Bell Canada > > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
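The zone stanza Mark is describing, written out as an added example (this is not code from the thread, from ISC, or from the poster's configuration). It is a slave zone that is signed locally with inline-signing and no allow-update or update-policy statement: the ARM sentence quoted above is about ordinary dynamic zones, and with inline-signing yes the internal signed copy that named maintains is what auto-dnssec operates on. The zone name, master addresses, paths, algorithm choice and key tag are placeholders; the operator commands are shown as named.conf comments so the whole procedure sits in one place.

```conf
// Added example, not from the thread or ISC documentation.
// Placeholders: example.com, 192.0.2.10/11, /var/named, key tag <keytag>.
options {
    directory "/var/named";    // named must be able to write here:
                               // inline-signing creates *.signed and *.jnl files
};

zone "example.com" {
    type slave;
    masters { 192.0.2.10; 192.0.2.11; };   // the hidden masters (unsigned)
    file "slaves/example.com.db";          // unsigned copy, exactly as transferred
    key-directory "/var/named/keys/example.com";
    inline-signing yes;                    // named keeps a separate signed copy
    auto-dnssec maintain;                  // add/remove DNSKEYs and re-sign on the
                                           // keys' timing metadata; no allow-update
                                           // or update-policy is needed (or allowed)
    // allow-update / update-policy intentionally absent: both are rejected
    // in a zone of type slave, which is the error reported in the thread.
};

// Operator steps (shell, run on the signing slave as the named user so the
// key files are readable):
//
//   dnssec-keygen -K /var/named/keys/example.com -a ECDSAP256SHA256 -f KSK example.com
//   dnssec-keygen -K /var/named/keys/example.com -a ECDSAP256SHA256 example.com
//   rndc reconfig                      # or restart named after adding the zone
//   rndc loadkeys example.com          # pick up the new keys from key-directory
//   rndc signing -list example.com     # confirm signing has completed
//
// Publish the KSK's DS record in the parent zone, e.g.:
//   dnssec-dsfromkey -2 /var/named/keys/example.com/Kexample.com.+013+<keytag>.key
```

Two caveats a practitioner would check: each slave signs independently, so either give every slave its own key pair (each KSK's DS must then be in the parent) or copy the same key files to all of them; and because the signed copy carries its own serial, verify what each slave serves with dig +dnssec against the slave rather than against the hidden master.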