Hi Gilles,

You've identified a corner-case bug - the logic is incorrect in the case where the ACL holds "none" instead of being empty.

There's no compile-time option - but we are treating what you've reported to us as a bug (RT #23120). It is currently under investigation/discussion. Many thanks for bringing this to our attention.

Cathy

On 07/02/11 07:29, Gilles Massen wrote:
> Mark,
>
> On 02/06/2011 10:41 PM, Mark Andrews wrote:
>> Mark Andrews writes:
>>>
>>>>
>>>>> Does your configuration also have an "allow-update" setting
>>>>> (other than "none") for it, maybe only for the instance that
>>>>> is giving you trouble? In that case BIND will take it that you
>>>>> want it to do resigning as the RRSIGs approach expiry.
>>>>
>>>> The only allow-update is in the options section, and none.
>>>
>>> Get rid of the allow-update and allow the default of no acl to work.
>>
>> The test that decides that the zone may need to be re-signed doesn't
>> take the "none;" acl into account. Currently it is
>> "if (acl != NULL || ssu != NULL)" and should become
>> "if ((acl != NULL && !isnone(acl)) || ssu != NULL)".
>
> Thanks, this works indeed.
>
> This raises a few questions, as I'd really like to understand bind's
> behavior:
>
> - is there any description of exactly how/when Bind assumes signing
> authority over a zone? Or simply where some kind of zone-manipulating
> intelligence kicks in?
>
> - is it possible to disable this kind of intelligence (possibly at
> compile time)?
>
> - if not: a config switch (or compile-time option) would really be
> appreciated. The zone option "auto-dnssec off;" did not prevent bind
> from trying to sign the zone.
>
> Best,
> Gilles
>
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
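The two tests Mark quotes above differ only in how they treat an ACL that was configured but matches nobody. The following is an added, self-contained C model of that distinction; it is not BIND's code. The `acl_t`/`acl_elem` structures, the `acl_isnone()` helper (standing in for the `isnone()` Mark refers to) and the sample ACLs are constructed for this illustration and are not BIND's `dns_acl_t` or its real ACL API. The point it makes is the one from the thread: `allow-update { none; };` produces a non-NULL ACL object, so a NULL-pointer test alone wrongly concludes that dynamic updates (and hence automatic re-signing) may be in play, while leaving `allow-update` unset yields no ACL at all.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified model of an address-match-list ACL.
 * Not BIND's dns_acl_t: just enough structure to show why a
 * configured "none" differs from an unconfigured ACL. */
typedef struct {
    bool negated;      /* element written as "!..." */
    bool matches_any;  /* element would match every client address */
} acl_elem;

typedef struct {
    const acl_elem *elems;
    size_t n;
} acl_t;

/* Stand-in for a "update-policy" (SSU) table; only its presence matters here. */
typedef struct { int unused; } ssu_table_t;

/* Hypothetical equivalent of the isnone() check Mark Andrews mentions:
 * an ACL is "none" when it can never match anyone, which in this model
 * means it is empty or consists only of negated match-all elements. */
static bool acl_isnone(const acl_t *acl) {
    if (acl == NULL || acl->n == 0)
        return true;
    for (size_t i = 0; i < acl->n; i++) {
        if (!(acl->elems[i].negated && acl->elems[i].matches_any))
            return false;   /* something could still match: not "none" */
    }
    return true;
}

/* Test as quoted in the thread before the fix: any ACL object at all,
 * even one that admits nobody, marks the zone as possibly dynamic. */
static bool may_need_resign_old(const acl_t *acl, const ssu_table_t *ssu) {
    return acl != NULL || ssu != NULL;
}

/* Test as quoted in the thread after the fix: an ACL that admits nobody
 * is treated exactly like having no allow-update at all. */
static bool may_need_resign_fixed(const acl_t *acl, const ssu_table_t *ssu) {
    return (acl != NULL && !acl_isnone(acl)) || ssu != NULL;
}

/* Constructed sample inputs. "none" is modelled as a single negated
 * match-all element; the "key" ACL stands for a real allow-update list. */
static const acl_elem none_elems[] = { { .negated = true,  .matches_any = true  } };
static const acl_t    acl_none     = { none_elems, 1 };
static const acl_elem key_elems[]  = { { .negated = false, .matches_any = false } };
static const acl_t    acl_key      = { key_elems, 1 };
static const ssu_table_t sample_ssu = { 0 };

int main(void) {
    printf("allow-update unset        : old=%d fixed=%d\n",
           may_need_resign_old(NULL, NULL),      may_need_resign_fixed(NULL, NULL));
    printf("allow-update { none; }    : old=%d fixed=%d\n",
           may_need_resign_old(&acl_none, NULL), may_need_resign_fixed(&acl_none, NULL));
    printf("allow-update { key ...; } : old=%d fixed=%d\n",
           may_need_resign_old(&acl_key, NULL),  may_need_resign_fixed(&acl_key, NULL));
    printf("update-policy present     : old=%d fixed=%d\n",
           may_need_resign_old(NULL, &sample_ssu), may_need_resign_fixed(NULL, &sample_ssu));
    return 0;
}
```

Only the second row differs between the two tests, which is exactly Gilles's case: a global `allow-update { none; };` in `options` is inherited by every zone and, under the old test, every such zone is taken to be dynamic. Mark's interim advice in the thread (drop the `allow-update` statement so the default of no ACL applies) works for the same reason: it turns the non-NULL "none" ACL back into a NULL one.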