On Tue, Oct 08, 2013 at 09:42:10AM +1100, Mark Andrews wrote:
>
>In message <52528314.4010...@z74.net>, Maurice Janssen writes:
>> The problem is that after some time Bind seems to lose track of the
>> keys for most of the zones.
>> At this moment, only one of the zones is OK:
>>
>> # rndc signing -list z74.nl
>> Done signing with key 16845/RSASHA256
>> Done signing with key 37936/RSASHA256
>>
>> All other zones report:
>>
>> # rndc signing -list z74.net
>> No signing records found
>
>The "signing" records show the progress of the initial signing of
>the zone. The only reason they are not removed automatically is
>so that the operator can know when the zone is fully signed to start
>the timer for adding DS records to the parent zone. Named uses
>incremental signing which can take some time with really large
>zones. With small zones it takes seconds.
>
>These records are not required for named to continue to sign the
>zone. Named uses the RRSIG records combined with sig-validity-interval
>to work out what needs to be re-signed and when. It uses the DNSKEY
>records in the zone to look for the private keys.
>
>As for why they are disappearing, I suspect that we are just failing
>to preserve them at some point which is a minor bug that needs to
>be addressed. As long as the zone has completed signing their
>removal shouldn't cause problems.

OK, so it's mainly a cosmetic annoyance and will not affect resigning
the RRsets in the zone. That's good to know, thanks.

Maurice Janssen
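Added example, not part of the original thread and not ISC code: since the thread says re-signing is driven by the RRSIG records rather than the "signing" records, an operator can confirm a zone is still being re-signed by checking RRSIG expiration times directly. The sample records, the `example.test` names, the key tags and the 7-day threshold are constructed assumptions; the threshold is a monitoring choice, not named's own re-signing rule.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in `dig +dnssec` presentation format (not real zone data).
SAMPLE = """\
example.test. 3600 IN SOA ns1.example.test. host.example.test. 2013100801 7200 3600 1209600 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20131107084210 20131008074210 11111 example.test. c2lnbmF0dXJl
example.test. 3600 IN RRSIG NS 8 2 3600 20131010084210 20130910074210 11111 example.test. c2lnbmF0dXJl
www.example.test. 300 IN RRSIG A 8 3 300 20131105120000 20131006110000 22222 example.test. c2lnbmF0dXJl
"""

def parse_time(field):
    """RRSIG times are YYYYMMDDHHmmSS (UTC) or seconds since the epoch (RFC 4034)."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsigs(text):
    """Return one dict per RRSIG record found in presentation-format text."""
    sigs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(";") or "RRSIG" not in parts:
            continue  # blank line, dig comment, or a non-RRSIG record
        i = parts.index("RRSIG")
        if len(parts) < i + 10:
            continue  # truncated record: signature field missing
        covered, alg, _labels, _ttl, exp, inc, tag, signer = parts[i + 1:i + 9]
        sigs.append({"owner": parts[0], "covered": covered, "algorithm": int(alg),
                     "expires": parse_time(exp), "inception": parse_time(inc),
                     "key_tag": int(tag), "signer": signer})
    return sigs

def expiring_soon(sigs, now, min_remaining):
    """Signatures with less than min_remaining validity left at time now."""
    return [s for s in sigs if s["expires"] - now < min_remaining]

if __name__ == "__main__":
    now = datetime(2013, 10, 8, tzinfo=timezone.utc)  # fixed clock for the sample
    for s in expiring_soon(parse_rrsigs(SAMPLE), now, timedelta(days=7)):
        print(f'{s["owner"]} {s["covered"]} key {s["key_tag"]} '
              f'expires {s["expires"]:%Y-%m-%d %H:%M}Z')
```

A zone whose signatures keep approaching expiry without being refreshed is the condition to alert on; an empty `rndc signing -list` alone is not.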