Your message dated Tue, 19 May 2026 05:40:00 +0300
with message-id <[email protected]>
and subject line fixed
has caused the Debian Bug report #1049385,
regarding bind9 stopped signing zones with dnssec-policy
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1049385: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049385
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bind9
Version: 1:9.18.16-1
Severity: normal

I started migrating our zones from auto-dnssec to dnssec-policy earlier this year, and for months it seemed that everything was working fine. However, tonight the first zones migrated started giving SERVFAIL and after I removed their .jnl .jbk and .signed files, bind9 is no longer signing them. It creates the files, but the .signed zone is identical to the source file.

My policy is:

dnssec-policy "trex-policy" {
        keys {
                ksk lifetime unlimited algorithm ECDSAP256SHA256;
                zsk lifetime P20W algorithm ECDSAP256SHA256;
        };
        publish-safety  PT1H;
        retire-safety   P2W;
        purge-keys      P1Y;
};

Extracts from logs for one affected zone look normal:

15-Aug-2023 03:02:50.943 dnssec: info: zone 193.140.195.in-addr.arpa/IN (signed): reconfiguring zone keys
15-Aug-2023 03:02:50.963 dnssec: info: Fetching 193.140.195.in-addr.arpa/ECDSAP256SHA256/61721 (KSK) from key repository.
15-Aug-2023 03:02:50.963 dnssec: info: DNSKEY 193.140.195.in-addr.arpa/ECDSAP256SHA256/61721 (KSK) is now published
15-Aug-2023 03:02:50.963 dnssec: info: DNSKEY 193.140.195.in-addr.arpa/ECDSAP256SHA256/61721 (KSK) is now active
15-Aug-2023 03:02:50.963 dnssec: info: Fetching 193.140.195.in-addr.arpa/ECDSAP256SHA256/7315 (ZSK) from key repository.
15-Aug-2023 03:02:50.963 dnssec: info: DNSKEY 193.140.195.in-addr.arpa/ECDSAP256SHA256/7315 (ZSK) is now published
15-Aug-2023 03:02:50.963 dnssec: info: DNSKEY 193.140.195.in-addr.arpa/ECDSAP256SHA256/7315 (ZSK) is now active
15-Aug-2023 03:02:50.967 dnssec: info: Removing expired key 193.140.195.in-addr.arpa/22412/ECDSAP256SHA256 from DNSKEY RRset.
15-Aug-2023 03:02:50.967 dnssec: info: DNSKEY 193.140.195.in-addr.arpa/ECDSAP256SHA256/22412 (ZSK) is now deleted

However .signed.jnl of the above zone shows nothing was done:

zsh% named-journalprint 193.140.195.in-addr.arpa.signed.jnl
Source serial = 2023080600
del 193.140.195.in-addr.arpa. 86400 IN SOA ns.trex.fi. hostmaster.trex.fi. 2023060600 10800 3600 1300000 90000
add 193.140.195.in-addr.arpa. 86400 IN SOA ns.trex.fi. hostmaster.trex.fi. 2023080600 10800 3600 1300000 80000
zsh%

For most zones, it doesn't even create that journal.

Config for the above zone:

zone "193.140.195.in-addr.arpa" {
        type master;
        file "/etc/bind/193.140.195.in-addr.arpa";
        allow-transfer { ok-transfers; };
        also-notify { hidden-anycasts; };
        key-directory "/etc/bind/keys";
        dnssec-policy "trex-policy";
        inline-signing yes;
        max-journal-size 1M;
};



I've tried rndc sign/reload and restarting bind9 and resetting the signature files countless times. I turned dnssec logging severity to debug 3, but comparing the logs for the problem zones with a zone that still works doesn't show anything different. The zone that still works was migrated later.

I'm getting nowhere... (Well at least it's not giving SERVFAIL for the zones anymore.)


Is there some way I could manually sign the zone to buy some time? In a way that doesn't adversely interfere with the inline signing...

--
        Aleksi Suhonen

--- End Message ---
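The symptom in the report above is that the dnssec log shows keys going published and active while the inline-signing journal carries nothing but an SOA serial bump. The following script is an added example, not part of the bug report or of bind9: it parses `named-journalprint` output and the `dnssec`-category log lines quoted above, and flags the "keys active but no RRSIG/DNSKEY/NSEC changes" condition so it can be caught by monitoring rather than by a SERVFAIL. The healthy journal sample, its DNSKEY/RRSIG/NSEC rdata and the serial it uses are constructed for the example; the log regex is an assumption that only matches the "DNSKEY ... is now <state>" message shape shown in the report.

```python
"""Added example: detect an inline-signed zone whose journal shows no signing
activity even though named reports active DNSSEC keys. Not bind9 code."""
import re
from collections import Counter

# Journal output copied from the bug report (zone whose .signed file stayed unsigned).
JOURNAL_TEXT = """\
Source serial = 2023080600
del 193.140.195.in-addr.arpa. 86400 IN SOA ns.trex.fi. hostmaster.trex.fi. 2023060600 10800 3600 1300000 90000
add 193.140.195.in-addr.arpa. 86400 IN SOA ns.trex.fi. hostmaster.trex.fi. 2023080600 10800 3600 1300000 80000
"""

# Constructed sample of what a journal from a working signing pass looks like:
# besides the SOA bump it adds DNSKEY, RRSIG and NSEC records (key/sig data are placeholders).
HEALTHY_JOURNAL_TEXT = """\
Source serial = 2023080600
del 193.140.195.in-addr.arpa. 86400 IN SOA ns.trex.fi. hostmaster.trex.fi. 2023060600 10800 3600 1300000 90000
add 193.140.195.in-addr.arpa. 86400 IN SOA ns.trex.fi. hostmaster.trex.fi. 2023080601 10800 3600 1300000 80000
add 193.140.195.in-addr.arpa. 3600 IN DNSKEY 257 3 13 PLACEHOLDERKEYDATA==
add 193.140.195.in-addr.arpa. 3600 IN RRSIG SOA 13 5 86400 20230830000000 20230815000000 7315 193.140.195.in-addr.arpa. PLACEHOLDERSIG==
add 193.140.195.in-addr.arpa. 86400 IN NSEC 1.193.140.195.in-addr.arpa. NS SOA RRSIG NSEC DNSKEY
"""

# dnssec-category log lines copied from the bug report.
LOG_TEXT = """\
15-Aug-2023 03:02:50.943 dnssec: info: zone 193.140.195.in-addr.arpa/IN (signed): reconfiguring zone keys
15-Aug-2023 03:02:50.963 dnssec: info: Fetching 193.140.195.in-addr.arpa/ECDSAP256SHA256/61721 (KSK) from key repository.
15-Aug-2023 03:02:50.963 dnssec: info: DNSKEY 193.140.195.in-addr.arpa/ECDSAP256SHA256/61721 (KSK) is now published
15-Aug-2023 03:02:50.963 dnssec: info: DNSKEY 193.140.195.in-addr.arpa/ECDSAP256SHA256/61721 (KSK) is now active
15-Aug-2023 03:02:50.963 dnssec: info: Fetching 193.140.195.in-addr.arpa/ECDSAP256SHA256/7315 (ZSK) from key repository.
15-Aug-2023 03:02:50.963 dnssec: info: DNSKEY 193.140.195.in-addr.arpa/ECDSAP256SHA256/7315 (ZSK) is now published
15-Aug-2023 03:02:50.963 dnssec: info: DNSKEY 193.140.195.in-addr.arpa/ECDSAP256SHA256/7315 (ZSK) is now active
15-Aug-2023 03:02:50.967 dnssec: info: Removing expired key 193.140.195.in-addr.arpa/22412/ECDSAP256SHA256 from DNSKEY RRset.
15-Aug-2023 03:02:50.967 dnssec: info: DNSKEY 193.140.195.in-addr.arpa/ECDSAP256SHA256/22412 (ZSK) is now deleted
"""

# Record types that only appear in a journal when signing actually happened.
DNSSEC_TYPES = {"RRSIG", "DNSKEY", "NSEC", "NSEC3", "NSEC3PARAM", "CDS", "CDNSKEY"}

# Assumed message shape, taken from the report: "DNSKEY <zone>/<alg>/<keyid> (KSK|ZSK) is now <state>".
LOG_RE = re.compile(
    r"^\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} dnssec: \w+: "
    r"DNSKEY (?P<zone>\S+)/(?P<alg>\w+)/(?P<keyid>\d+) \((?P<role>KSK|ZSK)\) is now (?P<state>\w+)$"
)


def parse_journal(text):
    """Return (source_serial, [(op, owner, ttl, rrtype, rdata), ...]) from named-journalprint output."""
    serial, records = None, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Source serial = (\d+)$", line)
        if m:
            serial = int(m.group(1))
            continue
        parts = line.split(None, 5)  # op owner ttl class type rdata
        if len(parts) < 5 or parts[0] not in ("add", "del"):
            continue
        op, owner, ttl, _cls, rrtype = parts[:5]
        records.append((op, owner, int(ttl), rrtype, parts[5] if len(parts) > 5 else ""))
    return serial, records


def signing_activity(text):
    """Summarise a journal: how many DNSSEC-type records were added and whether only the SOA changed."""
    _serial, records = parse_journal(text)
    counts = Counter((op, rrtype) for op, _o, _t, rrtype, _r in records)
    dnssec_adds = sum(n for (op, t), n in counts.items() if op == "add" and t in DNSSEC_TYPES)
    soa_only = all(r[3] == "SOA" for r in records)
    return {"records": len(records), "dnssec_adds": dnssec_adds, "soa_only": soa_only}


def key_events(log_text):
    """Extract (keyid, role, state) transitions from dnssec-category log lines."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append((int(m.group("keyid")), m.group("role"), m.group("state")))
    return events


def diagnose(log_text, journal_text):
    """Cross-check: active keys in the log should be matched by DNSSEC changes in the journal."""
    active = {keyid for keyid, _role, state in key_events(log_text) if state == "active"}
    act = signing_activity(journal_text)
    if active and act["soa_only"]:
        return "keys active but journal carries only a serial bump: zone is not being signed"
    if act["dnssec_adds"]:
        return "signing activity present"
    return "no active keys and no signing activity"


if __name__ == "__main__":
    print("report journal :", diagnose(LOG_TEXT, JOURNAL_TEXT))
    print("healthy journal:", diagnose(LOG_TEXT, HEALTHY_JOURNAL_TEXT))
```

In practice the journal text would come from `named-journalprint <zone>.signed.jnl` and the log text from the `dnssec` logging category; the check is deliberately independent of the signed zone file, since in the report the `.signed` file was byte-identical to the source and gave no hint on its own. For the report's journal the script returns the "not being signed" verdict; a journal with RRSIG, DNSKEY and NSEC additions is reported as healthy.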
--- Begin Message ---
Hi,

Upstream has fixed this a long time ago. I guess this issue can be closed now.

Thanks,

--
        Aleksi Suhonen

        () ascii ribbon campaign
        /\ support plain text e-mail

--- End Message ---
