
I'm facing an issue with BIND 9.9.11p1. My configuration is:

zone "example1.com" {
  type master;
  file "zones/example1.com";
  allow-query { any; };
  allow-transfer {  1.2.3.4; };
  also-notify {  1.2.3.4; };
  key-directory "keys/example1.com";
  inline-signing yes;
  auto-dnssec maintain;
};

On first start, BIND signs the zone. But if I update the zone file (and increase its serial) and then restart BIND, the zone is not re-signed... Log contents:

Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (unsigned): loaded serial 2018021918
Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (signed): loaded serial 2018011925 (DNSSEC signed)
Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (signed): receive_secure_serial: not exact
Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (signed): sending notifies (serial 2018011925)
Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (signed): reconfiguring zone keys
Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (signed): next key event: 19-Feb-2018 19:36:09.148

As you can see, although the serial has been updated, the zone is not re-signed, and BIND is serving the old version of the zone. If I delete the .jbk/.signed/.signed.jnl files prior to the BIND restart, the zone is re-signed, but I don't think that's how I'm supposed to proceed...
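One way to catch this state from the server side is to compare, per zone, the serial named reports for the unsigned copy with the one it reports for the signed copy: when the signed copy is behind, the inline-signed zone has not picked up the edit. The check below is an added example (not code from the question, BIND or ISC); the log lines it parses are constructed after the ones quoted above, and serials are compared with RFC 1982 wraparound arithmetic.

```python
import re

# Constructed sample of named log output, modelled on the lines in the question.
# example1.com: signed copy lags the unsigned copy (the reported problem).
# example2.com: signed copy is ahead, which is the normal inline-signing state.
SAMPLE_LOG = """\
Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (unsigned): loaded serial 2018021918
Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (signed): loaded serial 2018011925 (DNSSEC signed)
Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (signed): receive_secure_serial: not exact
Feb 19 18:36:09 NSX named[65450]: zone example2.com/IN (unsigned): loaded serial 2018021900
Feb 19 18:36:09 NSX named[65450]: zone example2.com/IN (signed): loaded serial 2018021905 (DNSSEC signed)
"""

LOADED_RE = re.compile(
    r"zone (?P<zone>\S+)/IN \((?P<copy>unsigned|signed)\): loaded serial (?P<serial>\d+)"
)
NOT_EXACT_RE = re.compile(r"zone (?P<zone>\S+)/IN \(signed\): receive_secure_serial: not exact")


def serial_lt(a, b):
    """RFC 1982 serial comparison: True if 32-bit serial a is 'before' b."""
    return a != b and ((b - a) % 2**32) < 2**31


def find_stale_inline_zones(log_text):
    """Return zones whose signed copy loaded with an older serial than the unsigned copy."""
    serials = {}      # zone -> {"unsigned": serial, "signed": serial}
    not_exact = set() # zones that also logged "receive_secure_serial: not exact"
    for line in log_text.splitlines():
        m = LOADED_RE.search(line)
        if m:
            serials.setdefault(m["zone"], {})[m["copy"]] = int(m["serial"])
            continue
        m = NOT_EXACT_RE.search(line)
        if m:
            not_exact.add(m["zone"])
    findings = []
    for zone, s in sorted(serials.items()):
        if "unsigned" in s and "signed" in s and serial_lt(s["signed"], s["unsigned"]):
            findings.append({"zone": zone, "unsigned": s["unsigned"],
                             "signed": s["signed"], "not_exact": zone in not_exact})
    return findings


if __name__ == "__main__":
    for f in find_stale_inline_zones(SAMPLE_LOG):
        print(f"STALE {f['zone']}: signed serial {f['signed']} < unsigned serial {f['unsigned']}"
              f"{' (receive_secure_serial: not exact)' if f['not_exact'] else ''}")
```

In production the same function can be fed the tail of named's log; a zone reported as stale after a reload is worth checking before relying on the served signatures.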

  • Does the problem persist? With all zones on the server? Did you try with newer bind versions (9.12.0 has been recently released)? Does bind have correct (write) permissions in the directory where it stores the signed zonefile? Did you look at this extensive guide: https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf ? How did you restart `bind`? Did you use `rndc reload`? – Patrick Mevzek Mar 06 '18 at 03:41
  • OK, updating to Bind 9.12.0 seems to fix the issue. – Clément Moulin - SimpleRezo Mar 12 '18 at 18:34

0 Answers