Hi Benoit,

I'm a little late to the party on this discussion, but I wrote the following 
article a few years ago which explains how to set up DNSSEC, including zone 
signing, on BIND 9.19:

https://www.talkdns.com/articles/a-beginners-guide-to-dnssec-with-bind-9/

I haven't revalidated this against BIND 9.20 but it might help you work out 
what's going on in your setup. It also explains where the key files are stored.

Best,
Richard.
________________________________
From: bind-users <[email protected]> on behalf of Benoît 
Panizzon <[email protected]>
Sent: 17 April 2026 13:04
To: Peter Davies <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: Bind 9.20 inline signing - not signing whole file, only dynamic 
updated entries.

Hi Peter

>    Run from the primary what do the following commands return
> dig @127.0.0.1 example.com +dnssec
> dig @127.0.0.1 example.com soa +dnssec

No dnssec related entries.

I revisited https://kb.isc.org/docs/dnssec-key-and-signing-policy and
probably got confused by the statement that only adding:

dnssec-policy default;

would get an unsigned zone signed. Hey wait! No dnssec-keygen
to create the keys?

The default policy specifies what kind of keys to use etc. So maybe I
got too far and created keys which were not necessary? Would they be
created on the fly by what is specified in the policy?

So I went ahead, started over and deleted the keys I had manually
created with dnssec-keygen for that zone in /etc/bind/keys which
worked for dynamic updates.

froze / sync -clean zonefile, delete .signed files.

Incremented serial in the plain unsigned file.

rndc reconfig
rndc thaw zone

(unsigned): loaded serial 2007126014
(signed): could not get zone keys for secure dynamic update
(signed): serial 2007126014 (unsigned 2007126014)
(signed): sending notifies (serial 2007126014)

Oh well, it needs the key files - at least for dynamic updates to work.
But why is it telling (signed)? Were the keys autocreated? Where?

Can't find them in /etc/bind/keys nor in the Debian /var/cache/bind
directory where the zonefiles reside.

rndc signing -list still states "No signing records found"

I guess I'm missing some small crucial detail.

--
Kind regards

-Benoît Panizzon- @ HomeOffice and reachable as usual
--
I m p r o W a r e   A G    -    Head of Commerce Customers
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Switzerland                     Web  http://www.imp.ch
______________________________________________________
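The dig checks and key-directory question discussed above, as an added example that is not from this thread or from BIND itself: a small Python parser that classifies a zone's DNSSEC state from `dig +dnssec` output (unsigned, partially signed, signed) and lists which keys a key directory such as /var/cache/bind holds for the zone. The sample dig answers and file names are constructed; the K<zone>.+<alg>+<id>.key naming is BIND's own.

```python
import re

# Added example: classify a zone's DNSSEC state from `dig @127.0.0.1 <zone> +dnssec`
# output and from a key-directory listing. Samples below are constructed.
RR_LINE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$')
# BIND names key files Kexample.com.+013+12345.key (zone, algorithm, key id);
# .private and .state files share the prefix but are deliberately not matched.
KEY_FILE = re.compile(r'^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<id>\d{5})\.key$')

def parse_dig(text):
    """Return (owner, type, rdata) tuples for the RR lines in dig output."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue  # section headers, comments and statistics
        m = RR_LINE.match(line)
        if m:
            rrs.append((m.group(1), m.group(3), m.group(4)))
    return rrs

def signing_status(rrs):
    """Which RR types carry an RRSIG, and whether DNSKEY records are present."""
    types = {t for _, t, _ in rrs if t != 'RRSIG'}
    covered = {rdata.split()[0] for _, t, rdata in rrs if t == 'RRSIG'}
    ksk = sum(1 for _, t, r in rrs if t == 'DNSKEY' and r.startswith('257 '))
    zsk = sum(1 for _, t, r in rrs if t == 'DNSKEY' and r.startswith('256 '))
    unsigned = types - covered
    if not covered and not (ksk or zsk):
        verdict = 'unsigned'          # what Benoît saw: no DNSSEC records at all
    elif unsigned:
        verdict = 'partially signed'  # keys published but some types lack RRSIGs
    else:
        verdict = 'signed'
    return {'verdict': verdict, 'ksk': ksk, 'zsk': zsk,
            'unsigned_types': sorted(unsigned)}

def keys_for_zone(filenames, zone):
    """(algorithm, key id) pairs of .key files for zone in a directory listing."""
    found = [(int(m.group('alg')), int(m.group('id')))
             for m in map(KEY_FILE.match, filenames)
             if m and m.group('zone') == zone.rstrip('.')]
    return sorted(found)

# Constructed dig answers in the shape dig prints; a single CSK (flags 257).
UNSIGNED = """;; ANSWER SECTION:
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2007126014 7200 3600 1209600 3600
"""
SIGNED = """;; ANSWER SECTION:
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2007126015 7200 3600 1209600 3600
example.com.\t3600\tIN\tRRSIG\tSOA 13 2 3600 20260501000000 20260417000000 12345 example.com. c2ln==
example.com.\t3600\tIN\tDNSKEY\t257 3 13 AwEAAexample=
example.com.\t3600\tIN\tRRSIG\tDNSKEY 13 2 3600 20260501000000 20260417000000 12345 example.com. c2ln==
"""
```

Pipe real `dig` output into `parse_dig` and a `ls` of the configured key-directory into `keys_for_zone` to compare what the server answers with what is on disk.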
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list.