On Tue 12/Nov/2019 13:39:30 +0100 Jim Popovitch via bind-users wrote:
> On 11/12/19 4:42 AM, Alessandro Vesely wrote:
>> Hi,
>>
>> I have a signed domain, with inline-signing yes and auto-dnssec maintain.
>>
>> Although the domain is static, the .signed and .signed.jnl files are being
>> rewritten without apparent reason. They are about a month newer than the
>> corresponding .jbk and base files.
>>
>> I notice that because of tripwire complaints. I guess I have to tweak that
>> config, unless there's a way to prevent or foresee those rewritings.
>>
>
> I use this in twpol.txt:
>
> {
>   /etc -> $(SEC_BIN) (recurse=true) ;
>   !/etc/bind/zone ;
>
>   ....

Yeah, that's a possibility. Not that I rely on tripwire more than I should, but leaving the zone outside the controlled area means to blindly sign whatever happens to be in the zone.

Best
Ale
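
Added example, not part of the thread: a narrower alternative to excluding all of `/etc/bind/zone` is to emit one Tripwire stop point per `.signed` and `.signed.jnl` file, so the base zone files stay monitored. The function name `stop_points`, the zone name `example.org` and the sample directory are constructed for illustration; the policy path is the one from the quoted `twpol.txt`.

```python
import os
import tempfile

# Suffixes the thread reports as rewritten by named under inline-signing.
VOLATILE_SUFFIXES = (".signed", ".signed.jnl")


def stop_points(zone_dir, policy_dir=None):
    """Return twpol.txt stop-point lines for named-maintained files only.

    zone_dir is scanned on disk; policy_dir is the path written into the
    policy (defaults to zone_dir), which lets the demo scan a temp copy.
    """
    policy_dir = policy_dir or zone_dir
    lines = []
    for name in sorted(os.listdir(zone_dir)):
        path = os.path.join(zone_dir, name)
        # Only regular files: a symlink named *.signed stays monitored.
        if os.path.islink(path) or not os.path.isfile(path):
            continue
        if name.endswith(VOLATILE_SUFFIXES):
            lines.append("!%s ;" % os.path.join(policy_dir, name))
    return lines


def demo():
    # Constructed sample directory; example.org is a placeholder zone name.
    with tempfile.TemporaryDirectory() as d:
        for name in ("example.org", "example.org.jbk",
                     "example.org.signed", "example.org.signed.jnl"):
            open(os.path.join(d, name), "w").close()
        return stop_points(d, "/etc/bind/zone")


if __name__ == "__main__":
    # Paste the output inside the rule block that covers /etc.
    print("\n".join(demo()))
```

The base zone file and the `.jbk` file get no stop point, so a change to the zone content itself still shows up in the Tripwire report.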