[dns-operations] non signing Bind & DNSSEC: a note of caution
Gilles Massen
gilles.massen at restena.lu
Mon Feb 7 08:39:09 UTC 2011
Hello,
A small word of caution to those of you that sign zones (e.g. with
OpenDNSSEC) and push the signed zones to Bind for distribution:
If you have configured "allow-update {none;};" and are approaching the
end of signature lifetime (by a few days(!)), Bind tries to take
over signing. Obviously it doesn't have access to the keys, but that
does not stop it from stripping a couple of RRSIGs and serving the
remaining zone. Removing the 'allow-update' statement fixes the issue.
I have verified the behavior for the latest 9.7.2, 9.7.3rc1, 9.6.3.
See also:
https://lists.isc.org/pipermail/bind-users/2011-February/082668.html
Best,
Gilles
--
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
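The two conditions in the post above, signatures close to the end of their lifetime and a served zone that has lost some of its RRSIGs, are both visible in the zone file that the signer hands to the distribution server. The following is an added example (not part of the original post, and not BIND or OpenDNSSEC code) that parses a pre-signed zone in presentation format and reports RRSIGs expiring within a given window plus RRsets that have no covering RRSIG at all. The zone text and the fixed "current time" are constructed for the example; it assumes one record per line with fully qualified owner names, which is how signer output normally looks.

```python
"""Report near-expiry RRSIGs and unsigned RRsets in a pre-signed zone.

Added example for the post above; not code from BIND, OpenDNSSEC or the author.
Assumes presentation-format zone text with one record per line.
"""
from datetime import datetime, timezone, timedelta

# Constructed sample zone (not real data). The A RRset of www.example.test.
# has no RRSIG, and the SOA signature expires about two days after NOW;
# every other signature is valid until March.
SAMPLE_ZONE = """\
; constructed sample, one record per line
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2011020701 7200 3600 1209600 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20110209120000 20110126120000 12345 example.test. AAAA==
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG NS 8 2 3600 20110301120000 20110126120000 12345 example.test. BBBB==
www.example.test. 3600 IN A 192.0.2.10
ns1.example.test. 3600 IN A 192.0.2.1
ns1.example.test. 3600 IN RRSIG A 8 3 3600 20110301120000 20110126120000 12345 example.test. CCCC==
"""

# Fixed clock so the example is deterministic (assumption for the example);
# on a real zone use datetime.now(timezone.utc).
NOW = datetime(2011, 2, 7, 8, 39, 9, tzinfo=timezone.utc)


def _parse_rrsig_time(field):
    """RRSIG expiration/inception: YYYYMMDDHHMMSS (RFC 4034 section 3.2)
    or a bare seconds-since-epoch count."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_zone(text):
    """Return (rrsets, rrsigs): the set of (owner, type) pairs present in the
    zone (RRSIG itself excluded) and a list of RRSIG records as dicts.
    TTL and class are optional, as in typical signer output."""
    rrsets = set()
    rrsigs = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        tok = line.split()
        owner = tok[0].lower()
        i = 1
        if tok[i].isdigit():                      # optional TTL
            i += 1
        if tok[i].upper() in ("IN", "CH", "HS"):  # optional class
            i += 1
        rtype = tok[i].upper()
        rdata = tok[i + 1:]
        if rtype != "RRSIG":
            rrsets.add((owner, rtype))
            continue
        # RRSIG rdata: covered alg labels origttl expiration inception keytag signer sig
        rrsigs.append({
            "owner": owner,
            "covered": rdata[0].upper(),
            "expiration": _parse_rrsig_time(rdata[4]),
            "inception": _parse_rrsig_time(rdata[5]),
            "keytag": int(rdata[6]),
            "signer": rdata[7].lower(),
        })
    return rrsets, rrsigs


def unsigned_rrsets(rrsets, rrsigs):
    """RRsets with no RRSIG covering them. Caveat: in a zone with delegations,
    delegation NS RRsets and glue are legitimately unsigned and must be
    excluded by the caller; the sample zone has no delegations."""
    signed = {(s["owner"], s["covered"]) for s in rrsigs}
    return sorted(rrsets - signed)


def expiring_rrsigs(rrsigs, now=NOW, within_days=7):
    """RRSIGs already expired or expiring within `within_days` of `now`,
    soonest first, as (owner, covered type, expiration) tuples."""
    limit = now + timedelta(days=within_days)
    hits = [(s["owner"], s["covered"], s["expiration"])
            for s in rrsigs if s["expiration"] <= limit]
    return sorted(hits, key=lambda h: h[2])


def check_zone(text, now=NOW, within_days=7):
    """Combined report for one zone text."""
    rrsets, rrsigs = parse_zone(text)
    return {
        "unsigned": unsigned_rrsets(rrsets, rrsigs),
        "expiring": expiring_rrsigs(rrsigs, now, within_days),
    }


if __name__ == "__main__":
    report = check_zone(SAMPLE_ZONE)
    for owner, rtype in report["unsigned"]:
        print(f"NO RRSIG : {owner} {rtype}")
    for owner, covered, exp in report["expiring"]:
        days = (exp - NOW).total_seconds() / 86400
        print(f"EXPIRING : {owner} RRSIG({covered}) at {exp:%Y-%m-%dT%H:%MZ} ({days:.1f} days left)")
```

Run it against the zone file the signer produces and, separately, against a transfer (AXFR) of what the distribution server actually serves: a difference in the "NO RRSIG" list between the two is exactly the symptom described above, and a non-empty "EXPIRING" list on the signer output means the resign window needs attention before any server gets a chance to act on it.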