Re: Bind keeps adding RRSIGs to zone file after switching to dnssec policy

Sat, 05 Mar 2022 17:11:48 -0800 

You switched your server from ‘auto-dnssec maintain;’ to ‘dnssec-policy 
mypolicy;’
and removed ‘inline-signing yes;’.  Put back ‘inline-signing yes;’ if you want 
named to maintain two instances of the zone. 

-- 
Mark Andrews

> On 6 Mar 2022, at 03:49, Josef Vybíhal <josef.vybi...@gmail.com> wrote:
> 
> Hi everyone,
> today I switched more domains from inline-signing do dnssec-policy and
> I noticed something that I quite do not like. So I want to ask if
> that's normal and if there is a way to stop it from happening.
> 
> I had this:
> zone "EXAMPLE.com" {
>    type master;
>    file "master/EXAMPLE.com.zone";
>    inline-signing yes;
>    auto-dnssec maintain;
>    key-directory "keys";
>    sig-validity-interval 35 25;
>    update-policy {
>        grant "ABC" name something.EXAMPLE.com TXT;
>        grant local-ddns zonesub any;
>    };
> };
> 
> 
> Switched to this:
> zone "EXAMPLE.com" {
>    type master;
>    file "master/EXAMPLE.com.zone";
>    key-directory "keys/EXAMPLE.com";
>    dnssec-policy mypolicy;
>    update-policy {
>        grant "ABC" name something.EXAMPLE.com TXT;
>        grant local-ddns zonesub any;
>    };
> };
> 
> Now the EXAMPLE.com.zone itself was reformated and contains RRSIGs
> which make it much harder to work with when editing manually - which I
> need to do from time to time (while doing rndc freeze + rndc thaw)
> 
> I noticed this is only happening when zone allows dynamic updates.
> Zones that do not allow dynamic updates are not touched.
> 
> I have tried to create a fresh new zone, then sign it and the behavior
> is consistent.
> 
> Am I doing something wrong? Is there config option, that will tell
> bind to stop rewriting that zone file?
> 
> My version is 9.16.26.
> 
> 
> Thanks
> Josef
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to