Hi Gilles,
You've identified a corner-case bug - the logic is incorrect in the case
where the ACL holds none instead of being empty.
There's no compile-time option - but we are treating what you've
reported to us as a bug (RT #23120). It is currently under
investigation/discussion.
Many thanks
Thanks, this works indeed.
This raises a few questions, as I'd really like to understand bind's
behavior:
- is there any description of exactly how/when Bind assumes signing
authority over a zone? Or simply where some kind of zone-manipulating
intelligence kicks in?
- is it possible
Evan,
Thanks for outlining this - it's much clearer now.
BIND will try to maintain the signatures in a zone if the zone is
configured to be dynamic--i.e, if it has an update-policy or allow-update
option. It won't create signatures where there were none, but it will try
to keep existing
BIND will try to maintain the signatures in a zone if the zone is
configured to be dynamic--i.e, if it has an update-policy or allow-update
option. It won't create signatures where there were none, but it will try
to keep existing RRSIGs up to date for you.
Not that I would need it, but
Hello,
I have a very peculiar behavior: a zone, signed by OpenDNSSEC and pushed
to Bind 9.7.2-P3 by scp was working fine. But now, completely out of the
blue, Bind decides to claim some authority over the zone: the SOA RRSIG
(only that one) is scrapped, and this is logged:
06-Feb-2011
Chris,
thanks for the hint, but:
On 6/2/11 19:20 , Chris Thompson wrote:
On Feb 6 2011, Gilles Massen wrote:
I have a very peculiar behavior: a zone, signed by OpenDNSSEC and
pushed to Bind 9.7.2-P3 by scp was working fine. But now, completely
out of the blue, Bind decides to claim some
In message 4d4ef872.6070...@restena.lu, Gilles Massen writes:
Chris,
thanks for the hint, but:
On 6/2/11 19:20 , Chris Thompson wrote:
On Feb 6 2011, Gilles Massen wrote:
I have a very peculiar behavior: a zone, signed by OpenDNSSEC and
pushed to Bind 9.7.2-P3 by scp was working
Mark,
On 02/06/2011 10:41 PM, Mark Andrews wrote:
Mark Andrews writes:
Does your configuration also have an allow-update setting
(other than none) for it, maybe only for the instance that
is giving you trouble? In that case BIND will take it that you
want it to do resigning as the RRSIGs
8 matches
Mail list logo
