Tony Finch <[email protected]> wrote:-

>> What "category" should one be logging in order to get details of DNSSEC
>> inline signing when running Bind 9.8.11?
>
>I guess you mean 9.11.8 :-) The 9.8 branch ended with 9.8.8 and it has
>been unsupported for ages.

Correct - I need to practice my proof reading skills :-(

>Yes, there is not very much logging automatic zone signing. I think that
>has been improved a bit in 9.15 but I haven't looked at it in detail.

Hopefully some helpful ISC person will be along shortly with better particulars of the logging available for automatic signing in both 9.11 & later releases. I do seem to recall reading that RIPE chose Knot over Bind for DNS signing related to the logging.

>> I have an authoritative master server with a number of domains set with:-
>>
>> inline-signing yes;
>> auto-dnssec maintain;
>>
>> and have a suspicion that Bind has simply stopped re-signing most of them.

It turns out that I became nervous one day before I should have. The zones in question were re-signed overnight.

>There have been some bugs in this area which were fixed in 9.13.3 and that
>don't appear in the 9.11 branch - but I don't know if the fixes are
>relevant to 9.11.
>
>See changes 5015, 5014, 5004
>https://gitlab.isc.org/isc-projects/bind9/blob/v9_13_3/CHANGES

Those are indeed interesting, thanks. Perhaps this suggests that sticking with the ESV version might be less prudent on DNSSEC signers. Do you (or others) have a view on this?

Best wishes,
Matthew
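
Since the thread turns on whether automatically signed zones are still being re-signed when the logs say little, here is an added example (not part of the original message, and not ISC code) that checks RRSIG expiry directly from `dig +dnssec` style output. The zone names, key tags, signature data, function names and the 7-day threshold are all assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample input in the form printed by `dig +dnssec SOA <zone>`.
# Zone names, key tags and signature data are made up for the example.
SAMPLE = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2019071601 7200 3600 1209600 3600
example.org. 3600 IN RRSIG SOA 8 2 3600 20190815101500 20190716091500 12345 example.org. c2lnbmF0dXJl
example.net. 3600 IN RRSIG SOA 8 2 3600 20190722040000 20190622030000 23456 example.net. c2lnbmF0dXJl
"""

def _ts(field):
    """RRSIG times in presentation format are YYYYMMDDHHmmSS, always UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Return (owner, type_covered, inception, expiration) or None."""
    f = line.split()
    # owner ttl class RRSIG covered alg labels origttl expiration inception tag signer sig
    if len(f) < 13 or f[3].upper() != "RRSIG":
        return None
    try:
        return f[0], f[4], _ts(f[9]), _ts(f[8])
    except ValueError:
        return None  # not the 14-digit time form; skipped in this example

def expiring(text, now, min_remaining=timedelta(days=7)):
    """List (owner, type_covered, remaining) for signatures that expire
    within min_remaining of `now` (negative remaining = already expired).
    The 7-day default is an assumed alert threshold, not a BIND setting."""
    flagged = []
    for line in text.splitlines():
        rec = parse_rrsig(line)
        if rec is None:
            continue
        owner, covered, _inception, expiration = rec
        remaining = expiration - now
        if remaining < min_remaining:
            flagged.append((owner, covered, remaining))
    return flagged

if __name__ == "__main__":
    now = datetime(2019, 7, 18, tzinfo=timezone.utc)  # fixed clock for the sample
    for owner, covered, remaining in expiring(SAMPLE, now):
        print(f"{owner} {covered}: signature expires in {remaining}")
```

Set the threshold below the point at which the signer is expected to have refreshed its signatures, so that an alert means re-signing is overdue rather than merely approaching.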

