[dns-operations] non signing Bind & DNSSEC: a note of caution

Gilles Massen gilles.massen at restena.lu
Mon Feb 7 08:39:09 UTC 2011


A small word of caution to those of you that sign zones (e.g. with
OpenDNSSEC) and push the signed zones to Bind for distribution:

If you have configured "allow-update {none;};" and are approaching the
the end of signature lifetime (by a few days(!)), Bind tries to take
over signing. Obviously it doesn't have access to the keys, but that
does not stop it from stripping a couple of RRSIGs and serving the
remaining zone. Removing the 'allow-update' statement fixes the issue.

I have verified the behavior for the latest 9.7.2, 9.7.3rc1, 9.6.3.

See also:



Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473

More information about the dns-operations mailing list