[dns-operations] DS keys for child zones on same server & inline signing

Phil Pennock dnsop+phil at spodhuis.org
Fri Mar 15 04:27:58 UTC 2013

I turned on DNSSEC for various zones today; hit a snag in one case,
which I've resolved, but I'm not seeing why my recovery action was
necessary, so I'm posting to ask for enlightenment in the form of either
a clue stick smacking or a "yeah, bug" or whatever else.

Updated to bind 9.9, set a key-directory in named.conf's options{}
block, added "auto-dnssec maintain; inline-signing yes;" to the affected
zones.  Most things worked just fine.

The zone globnix.net has various child zones, so I signed to permit
insecure delegations before working through them:

  rndc signing -nsec3param 1 7 100 $(openssl rand -hex 8) globnix.net

I then started on the child zones.  Note, the child zones and the parent
are served out of the same instance of Bind.

I've now picked through most, just need to figure out if I dare try it
on test.globnix.net which has deliberately obnoxious records in it,
filled with NULs and so forth.  :)  I left that until last, so it can't
have affected the other child zones.

When I went to http://dnsviz.net/d/sks.pool.globnix.net/dnssec/ to
confirm the status of a delegation, it said I had an insecure
delegation, with the NSEC3 record proving the non-existence of the DS

My understanding is that DS records "belong" to the parent zone, above
the cut, so I'd added the DS records to globnix.net itself, and forced a
zone reload of the children and of that zone, which should trigger
automatic re-signing, per "auto-dnssec maintain".  I think.

Or is that part of my mistake?

I finally fixed it by re-running the rndc signing command (preserving
the previous salt ... I don't believe that's necessary, but shouldn't

  rndc signing -nsec3param 1 7 100 $salt_from_logs globnix.net

At this point, the dnsviz.net checker was now able to see the
delegation, and resolution via unbound now sets the AD flag on
results for keys.sks.pool.globnix.net, so everything appears to be

But why did I have to manually force a re-signing?  Is this a bug in
bind, or ignorance on my part, or something else?
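
Added example, not part of the original post: a Python check that computes the RFC 5155 NSEC3 hash of a delegation name and reads a parent's NSEC3 records to tell whether they show a DS at the cut, prove its absence, or cover the name with an opt-out span. The records are constructed for a toy `example` zone using the RFC 5155 Appendix A parameters (salt aabbccdd, 12 iterations), and the function names are this example's own.

```python
import base64
import hashlib

# Map the standard base32 alphabet to base32hex, used for NSEC3 owner names.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash (algorithm 1, SHA-1) of a domain name, as base32hex."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):  # the parameter counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32HEX).lower()

def parse_nsec3(line):
    """Parse one presentation-format NSEC3 line, as printed by dig."""
    f = line.split()
    i = f.index("NSEC3")
    return {"owner": f[0].split(".")[0].lower(), "optout": int(f[i + 2]) & 1,
            "iterations": int(f[i + 3]), "salt": f[i + 4],
            "next": f[i + 5].lower(), "types": set(f[i + 6:])}

def delegation_status(child, nsec3_lines):
    """Say what the parent's NSEC3 records prove about the child's DS RRset."""
    for rec in map(parse_nsec3, nsec3_lines):
        h = nsec3_hash(child, rec["salt"], rec["iterations"])
        if rec["owner"] == h:  # matching NSEC3: its type list is authoritative
            if "DS" in rec["types"]:
                return "secure: DS present in signed parent"
            return "insecure: NSEC3 proves no DS at delegation"
        lo, hi = rec["owner"], rec["next"]
        covered = lo < h < hi if lo < hi else (h > lo or h < hi)
        if covered and rec["optout"]:
            return "insecure: covered by opt-out NSEC3"
    return "indeterminate: no matching or covering NSEC3"

# Constructed three-record chain for a toy "example" zone, using the RFC 5155
# Appendix A parameters (salt aabbccdd, 12 iterations); not data from the post.
SAMPLE = [
    "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. 3600 IN NSEC3 1 1 12 aabbccdd "
    "2t7b4g4vsa5smi47k61mv5bv1a22bojr NS SOA RRSIG DNSKEY NSEC3PARAM",
    "2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. 3600 IN NSEC3 1 1 12 aabbccdd "
    "35mthgpgcu1qg68fab165klnsnk3dpvl NS",
    "35mthgpgcu1qg68fab165klnsnk3dpvl.example. 3600 IN NSEC3 1 1 12 aabbccdd "
    "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom NS DS RRSIG",
]
```

Calling `delegation_status(child, lines)` with the NSEC3 lines from the authority section of a DS query sent to the parent's authoritative server shows whether the signed copy of the parent zone has picked up a DS added to the unsigned zone.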

