Hello and thank you for the reply.
Problem 1 - I'll have to investigate further.

As for problem 2 ... it's weird.
I was working on another thing and now I was checking permissions at your
suggestion, when I noticed the files have a new timestamp from a while ago.
I compared the contents of the updated files with a previous backup and they
seem the same.

Tests such as https://dnssec-analyzer.verisignlabs.com/di.ubi.pt
also seem to be still fine. 

So, my conclusion is: 
Named changes the Kdi.ubi.pt** timestamps according to some criteria.

If I do a systemctl restart named-chroot or rndc reload, the contents also
change (and according to a response I got earlier this is a bug solved in
version 9.16.30).
I've been told to upgrade to version 9.18 and I'm setting up a test server to
do this.
In the meantime, if there is a way to avoid the keys being rewritten every
time I reconfigure and reload, I would stick with this version.

Regards
David



-----Original Message-----
From: Evan Hunt <e...@isc.org> 
Sent: 13 April 2023 18:08
To: David Carvalho <da...@di.ubi.pt>
Cc: bind-users@lists.isc.org
Subject: Re: dnssec-validation?

On Thu, Apr 13, 2023 at 11:38:15AM +0100, David Carvalho wrote:
> Problem number 1: Dnssec seems to be running on "di.ubi.pt", but 
> dnssec-validation still needs to be set to no; Will this cause troubles?
> Dns2 is set to auto and runs fine.

From here, di.ubt.pt appears to be properly signed and everything's working
from here. Turning off validation won't have any effect on that. Your only
problem is with local recursive service.

> Problem number 2: How can I avoid the key regeneration (using version
> 9.16.23) every named restart?

I'm not certain what you mean by key regeneration.

Taking a stab in the dark: Check that the working directory for named is
writable. If named can't write files, then it can't save trust anchor status
across restarts and it has to reinitialize each time.

If that doesn't turn out to be the problem, then can you show me the relevant
lines from your log file so I can see what you're referring to by "key
regeneration"?

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
