Re: Bind 9.20 inline signing - not signing whole file, only dynamic updated entries.
It is always DNS, except when it is permissions...

Have a great weekend everyone,
--
Ondřej Surý (He/Him)
[email protected]

ADHD brain at work: I sometimes lose track of my inbox. Please feel free to send a gentle nudge if you're waiting on a reply!

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 17. 4. 2026, at 15:51, Benoît Panizzon wrote:
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
Re: Bind 9.20 inline signing - not signing whole file, only dynamic updated entries.
Hi Benoît.

Super, mystery solved. Thanks for sharing this with us.

/Peter

On 17/04/2026 15.51, Benoît Panizzon wrote:

--
Peter Davies
Support Engineer
Internet Systems Corporation
[email protected]
001 650-423-1460
Re: Bind 9.20 inline signing - not signing whole file, only dynamic updated entries.
Hi Benoit,

Well that's great news - well done for working that out. Very pleased to hear you've finally been able to get it working.

Best,
Richard.

From: bind-users on behalf of Benoît Panizzon
Sent: 17 April 2026 14:51
To: Peter Davies
Cc: [email protected]
Subject: Re: Bind 9.20 inline signing - not signing whole file, only dynamic updated entries.
Re: Bind 9.20 inline signing - not signing whole file, only dynamic updated entries.
17-Apr-2026 15:44:45.348 dnssec: debug 3: keymgr: 0-31.57.161.157.in-addr.arpa done
17-Apr-2026 15:44:45.348 dnssec: error: zone 0-31.57.161.157.in-addr.arpa/IN (signed): zone_rekey:dns_keymgr_run failed: error occurred writing key to disk
17-Apr-2026 15:44:45.348 dnssec: error: zone 0-31.57.161.157.in-addr.arpa/IN (signed): zone_rekey failure: error occurred writing key to disk (retry in 600 seconds)

Ok - permissions!

Wow, how could I miss /etc/bind/keys belonging to root:bind with group permissions s-x

Keyfiles present.

name: 0-31.57.161.157.in-addr.arpa
type: primary
files: woody.ch.rev
serial: 2007126016
signed serial: 2007126025
nodes: 31
last loaded: Fri, 17 Apr 2026 09:04:20 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Fri, 17 Apr 2026 15:52:43 GMT
next resign node: 20.0-31.57.161.157.in-addr.arpa/NSEC
next resign time: Sun, 26 Apr 2026 04:20:25 GMT
dynamic: yes
frozen: no
reconfigurable via modzone: no

Secondary has loaded signed entries.

Thanks for your help and sorry that I missed something that obvious.

--
Kind regards

-Benoît Panizzon- @ home office and reachable as usual
--
I m p r o W a r e   A G   -   Head of Commerce Customers
Zurlindenstrasse 29    Tel +41 61 826 93 00
CH-4133 Pratteln       Fax +41 61 826 93 01
Schweiz                Web http://www.imp.ch
Re: Bind 9.20 inline signing - not signing whole file, only dynamic updated entries.
Hi Peter

I'll crank up logging just after this email.

> The rndc commands to check the status of a signed zone are:
> rndc dnssec -status example.com
> rndc zonestatus example.com

# rndc dnssec -status 0-31.57.161.157.in-addr.arpa
dnssec-policy: default
current time: Fri Apr 17 15:36:24 2026

# rndc zonestatus 0-31.57.161.157.in-addr.arpa
name: 0-31.57.161.157.in-addr.arpa
type: primary
files: woody.ch.rev
serial: 2007126016
signed serial: 2007126016
nodes: 31
last loaded: Fri, 17 Apr 2026 09:04:20 GMT
secure: no
key maintenance: automatic
next key event: Fri, 17 Apr 2026 13:40:44 GMT
dynamic: yes
frozen: no
reconfigurable via modzone: no

I suppose secure: no is not what it should be.

key maintenance: automatic
next key event: Fri, 17 Apr 2026 13:40:44 GMT

If I am not mistaken, this is in about 1 minute. Is there a delay until the zone is being signed? Was I not patient enough?

# date -u
Fr 17 Apr 2026 13:41:38 UTC

# rndc signing -list 0-31.57.161.157.in-addr.arpa
No signing records found

# rndc zonestatus 0-31.57.161.157.in-addr.arpa
name: 0-31.57.161.157.in-addr.arpa
type: primary
files: woody.ch.rev
serial: 2007126016
signed serial: 2007126016
nodes: 31
last loaded: Fri, 17 Apr 2026 09:04:20 GMT
secure: no
key maintenance: automatic
next key event: Fri, 17 Apr 2026 13:50:44 GMT
dynamic: yes
frozen: no
reconfigurable via modzone: no

Still no joy - cranking up logging.
Re: Bind 9.20 inline signing - not signing whole file, only dynamic updated entries.
Hi Richard & all
> I'm a little late to the party on this discussion, but I wrote the
> following article a few years ago which explains how to setup DNSSEC
> ,including zone signing, on BIND 9.19:
>
> https://www.talkdns.com/articles/a-beginners-guide-to-dnssec-with-bind-9/
>
> I haven't revalidated this against BIND 9.20 but it might help you
> work out what's going on in your setup. It also explains where the
> key files are stored.
Thank you, very appreciated. I just read your instructions.

Just to be sure, when using inline signing, I don't need to create keys
for the zone, those should be automatically created, right?

This still does not happen. A possible culprit after reading your guide:
apparmor! aa-teardown, retrying.

Still no joy!

Well let's disclose the actual zone, nothing that sensitive there after
all :-)
Apr 17 15:18:09 magma named[2264557]: received control channel command 'thaw 0-31.57.161.157.in-addr.arpa'
Apr 17 15:18:09 magma named[2264557]: thawing zone '0-31.57.161.157.in-addr.arpa/IN': success
Apr 17 15:18:09 magma named[2264557]: zone 0-31.57.161.157.in-addr.arpa/IN (unsigned): loaded serial 2007126016
Apr 17 15:18:09 magma named[2264557]: zone 0-31.57.161.157.in-addr.arpa/IN (signed): could not get zone keys for secure dynamic update
Apr 17 15:18:09 magma named[2264557]: zone 0-31.57.161.157.in-addr.arpa/IN (signed): serial 2007126016 (unsigned 2007126016)
Apr 17 15:18:09 magma named[2264557]: zone 0-31.57.161.157.in-addr.arpa/IN (signed): sending notifies (serial 2007126016)
options {
    ...
    directory "/var/cache/bind";
    key-directory "/etc/bind/keys";
    ...
};

zone "0-31.57.161.157.in-addr.arpa" {
    type master;
    file "woody.ch.rev";
    allow-update {
        key woody-update;
    };
    allow-transfer { secondaries; };
    dnssec-policy default;
};
-rw-r--r-- 1 bind bind 2029 17. Apr 15:18 /var/cache/bind/woody.ch.rev
-rw-r--r-- 1 bind bind  712 17. Apr 15:18 /var/cache/bind/woody.ch.rev.jnl
-rw-r--r-- 1 bind bind 2674 17. Apr 15:17 /var/cache/bind/woody.ch.rev.signed
-rw-r--r-- 1 bind bind  712 17. Apr 15:18 /var/cache/bind/woody.ch.rev.signed.jnl

# rndc signing -list 0-31.57.161.157.in-addr.arpa
No signing records found
So... it looks like the signed files are being created.

But, even after tearing down AA I can't find autogenerated key files,
neither in /etc/bind/keys nor in /var/cache/bind, which could be used
for dynamic updates or to generate the upstream DS records from.

Sidenote: I am aware that the trust chain is broken because
161.157.in-addr.arpa is not (yet) signed, a zone with hundreds of
include files. But this exercise is the start of it. If inline signing
works as I expect, we could finally just enable signing and not have to
try to find a way to actually sign that hell of a zone manually.
Re: Bind 9.20 inline signing - not signing whole file, only dynamic updated entries.
Hi Benoît,
If you are using the “default” dnssec-policy and there are no keys, BIND will attempt to create them automatically if it can.

You should see the private, key, and state files that look something like this in the key-directory:

Kexample.com.+013+?.key
Kexample.com.+013+?.private
Kexample.com.+013+?.state

With dnssec logging configured with severity "info" you should see something similar to:

17-Apr-2026 12:53:38.469 dnssec: info: zone example.com/IN (signed): reconfiguring zone keys
17-Apr-2026 12:53:38.470 dnssec: info: keymgr: DNSKEY example.com/ECDSAP256SHA256/23930 (CSK) created for policy default
17-Apr-2026 12:53:38.471 dnssec: info: Fetching example.com/ECDSAP256SHA256/23930 (CSK) from key repository.
17-Apr-2026 12:53:38.471 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/23930 (CSK) is now published
17-Apr-2026 12:53:38.471 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/23930 (CSK) is now active
17-Apr-2026 12:53:38.572 dnssec: info: zone example.com/IN (signed): next key event: 17-Apr-2026 14:58:38.469
The rndc commands to check the status of a signed zone are:
rndc dnssec -status example.com
rndc zonestatus example.com
/Peter
On 17/04/2026 11.37, Benoît Panizzon wrote:
Hi Bind gang!
After upgrading to 9.20 I disabled default inline signing to get my
stuff working again.
Now I decided having a shot at inline signing but despite trying to
follow different guides I always get stuck at the same place.
I have an unsigned zone file, keys with correct permissions etc.
zone "example.com" {
    type master;
    file "example.com";
    allow-update {
        key update-key;
    };
    allow-transfer { secondaries; };
    dnssec-policy default;
    key-directory "/etc/bind/keys";
};
When I issue rndc reconfig after this, I see those lines in the log,
which to me, look good...
(unsigned): loaded serial 2007126012
(signed): serial 2007126013 (unsigned 2007126012)
(signed): sending notifies (serial 2007126013)
example.com.signed
example.com.signed.jnl
were created.
But when I check the zone on the secondaries, it's not signed. Same when
I get the zone by doing an AXFR from the primary - no RRSIG entries.
When I issue rndc signing -list example.com I get
No signing records found
According to the examples, I should get 'done signing'.
I tried: rndc sign example.com to force sign the zone. Nothing changes.
When I add an entry with nsupdate then that one entry is signed and the
SOA also is getting signed as the serial incremented.
What could I be missing?
Re: Bind 9.20 inline signing - not signing whole file, only dynamic updated entries.
Hi Benoit,

I'm a little late to the party on this discussion, but I wrote the following article a few years ago which explains how to set up DNSSEC, including zone signing, on BIND 9.19:

https://www.talkdns.com/articles/a-beginners-guide-to-dnssec-with-bind-9/

I haven't revalidated this against BIND 9.20 but it might help you work out what's going on in your setup. It also explains where the key files are stored.

Best,
Richard.

From: bind-users on behalf of Benoît Panizzon
Sent: 17 April 2026 13:04
To: Peter Davies
Cc: [email protected]
Subject: Re: Bind 9.20 inline signing - not signing whole file, only dynamic updated entries.
Re: Bind 9.20 inline signing - not signing whole file, only dynamic updated entries.
Hi Peter

> Run from the primary what do the following commands return
> dig @127.0.0.1 example.com +dnssec
> dig @127.0.0.1 example.com soa +dnssec

No dnssec related entries.

I revisited https://kb.isc.org/docs/dnssec-key-and-signing-policy and probably got confused by the statement that only adding:

dnssec-policy default;

would get an unsigned zone signed.

Hey wait! No dnssec-keygen to create the keys? The default policy specifies what kind of keys to use etc. So maybe I got too far and created keys which were not necessary? Would they be created on the fly by what is specified in the policy?

So I went ahead, started over and deleted the keys I had manually created with dnssec-keygen for that zone in /etc/bind/keys which worked for dynamic updates.

froze / sync -clean zonefile, delete .signed files.
Incremented serial in the plain unsigned file.
rndc reconfig
rndc thaw zone

(unsigned): loaded serial 2007126014
(signed): could not get zone keys for secure dynamic update
(signed): serial 2007126014 (unsigned 2007126014)
(signed): sending notifies (serial 2007126014)

Oh well, it needs the key files - at least for dynamic updates to work. But why is it telling (signed)? Were the keys autocreated? Where? Can't find them in /etc/bind/keys nor in the debian /var/cache/bind directory where the zonefiles reside.

rndc signing -list still states "No signing records found"

I guess I'm missing some small crucial detail.
Re: Bind 9.20 inline signing - not signing whole file, only dynamic updated entries.
Hi Benoît,
Run from the primary what do the following commands return
dig @127.0.0.1 example.com +dnssec
dig @127.0.0.1 example.com soa +dnssec
/Peter
On 17/04/2026 11.37, Benoît Panizzon wrote: