Hello and thank you for the reply.
Problem 1 - I'll have to investigate further.

As for problem 2 ... it's weird.
I was working on another thing and now I was checking permissions by your
suggestion, when I noticed the files have new timestamp from a while ago.
I compared the contents of the updated files with a previous backup and they
seem the same.

Tests such as https://dnssec-analyzer.verisignlabs.com/di.ubi.pt
also seem to be still fine. 

So, my conclusion is: 
Named changes the Kdi.ubi.pt** timestamps according to some criteria.

If I do a systemctl restart named-chroot or rdnc reload, the contents also
change (and according to a response I got earlier this is a bug solved in
version 9.16.30)
I've been told to upgrade to version 9.18 and I'm setting a test server to
do this. 
In the meantime, if there is a way to avoid the keys to be rewritten every
time I reconfigure and reload, I would stick with this version.


-----Original Message-----
From: Evan Hunt <e...@isc.org> 
Sent: 13 April 2023 18:08
To: David Carvalho <da...@di.ubi.pt>
Cc: bind-users@lists.isc.org
Subject: Re: dnssec-validation?

On Thu, Apr 13, 2023 at 11:38:15AM +0100, David Carvalho wrote:
> Problem number 1: Dnssec seems to be running on "di.ubi.pt", but 
> dnssec-validation still needs to be set to no; Will this cause troubles?
> Dns2 is set to auto and runs fine.

>From here, di.ubt.pt appears to be properly signed and everything's 
from here. Turning off validation won't have any affect on that. Your only
problem is with local recursive service.

> Problem number 2: How can I avoid the key regeneration (using version
> 9.16.23) every named restart?

I'm not certain what you mean by key regeneration.

Taking a stab in the dark: Check that the working directory for named is
writable. If named can't write files, then it can't save trust anchor status
across restarts and it has to reinitialize each time.

If that doesn't turn out to be the problem, then can show me the relevant
lines from your log file so I can see what you're referring to by "key

Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list

Reply via email to