On 04. 10. 22 9:38, Sami Leino wrote:
> Hi,
>
> I tried to upgrade Bind from 9.16.32 to 9.16.33 on a Windows Server 2016.
> Service failed to start with several similar errors in the event log:
>
> named.conf:411: 'dnssec-policy;' requires dynamic DNS or inline-signing to be
> configured for the zone
>
> On the lines where the error occurs I have
>
> dnssec-policy "ecdsa256";
>
> With 9.16.32 and exactly the same configuration Bind starts normally without any
> errors. This is the Master NS.
>
> The other two slave name servers (Windows 2019) start up 9.16.33 normally without
> any errors.
>
> Anyone else having the same problem and any clue how to fix it?

If your zone is static (without update-policy or allow-update) then you
need to add "inline-signing yes;" into the zone definition(s) which use
dnssec-policy.

Why? This is a consequence of a fix for dnssec-policy.
The relevant release notes are here:
https://bind9.readthedocs.io/en/v9_16_33/notes.html#feature-changes

"Zones using dnssec-policy now require dynamic DNS or inline-signing to
be configured explicitly. [GL #3381]"

We apologize for the problems this is causing. It was a hard choice and we
decided this is the lesser of two evils. (An alternative was to let the zone
break silently later when updates are eventually allowed.)

--
Petr Špaček
Internet Systems Consortium
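
A pre-upgrade check for the condition described in the reply above, as an added example that is not part of the original thread and not ISC code: it lists zones that set dnssec-policy but have neither "inline-signing yes;" nor allow-update/update-policy in the zone block. The sample configuration and zone names are constructed; the parser is a simplification that assumes quoted zone names, looks only inside each zone block (not at options or view level), and treats "dnssec-policy none" as unsigned.

```python
import re

# Constructed sample (not the poster's real named.conf); zone names are made up.
SAMPLE_CONF = '''
zone "static.example" {            // static zone: triggers the 9.16.33 error
    type master; file "static.example.db";
    dnssec-policy "ecdsa256";
};
zone "fixed.example" {
    type master; file "fixed.example.db";
    dnssec-policy "ecdsa256";
    inline-signing yes;            # the fix given in the reply
};
zone "dynamic.example" {
    type master; file "dynamic.example.db";
    dnssec-policy "ecdsa256";
    allow-update { key "ddns-key"; };
};
zone "unsigned.example" { type master; file "unsigned.example.db"; };
'''

def strip_comments(conf):
    """Drop /* */, // and # comments (simplification: ignores quoted strings)."""
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)
    return re.sub(r'(#|//)[^\n]*', '', conf)

def zone_blocks(conf):
    """Yield (name, body) per quoted-name zone statement, matching nested braces."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def zones_needing_inline_signing(conf):
    """Zones with a dnssec-policy but neither inline-signing nor dynamic updates.
    Assumption: only statements inside the zone block itself are examined."""
    flagged = []
    for name, body in zone_blocks(strip_comments(conf)):
        policy = re.search(r'\bdnssec-policy\s+"?([^\s";]+)"?\s*;', body)
        dynamic = re.search(r'\b(allow-update|update-policy)(?![-\w])', body)
        inline = re.search(r'\binline-signing\s+(yes|true|1)\s*;', body)
        if policy and policy.group(1) != "none" and not (dynamic or inline):
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(zones_needing_inline_signing(SAMPLE_CONF))  # zones to fix before upgrading
```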