Daniel Ryslink <daniel.rysl...@dialtelecom.cz> wrote:
>
> At first, when the zone was not signed at all, all that sufficed was to
> do "rndc loadkeys example.com", and when I later used "rndc signing
> -list example.com", the keys set via
> dnssec-settime as active in the keys directory were displayed.

Note that `rndc signing -list` possibly does not do what you expect: it
tells you about named's progress with incremental signing, which is
possibly important for large zones, but for small ones it is so quick it's
almost impossible to catch it while signing is in progress. It is a user
interface for the TYPE65534 records that named uses to save this
information.

After a zone has been signed, there is no need for the TYPE65534 records
and `rndc signing -list` does not have anything informative to say.

What you probably want instead is `rndc zonestatus` except that feature
was added in 9.10...

> Now, the system reverted into a state where rndc signing -list
> example.com states that no signing records were found.

That is normal if you have run `rndc signing -clear`.

> However, when I export the new zone file into master/example.com, it is
> no longer signed automatically as before.

Did you tell it to reload the zone?

> Also, named.log for bind displays curiously frequent key events:
> Why a key event every five minutes, when TTL of the records is 6 hours?

Have you set dnssec-loadkeys-interval?

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Irish Sea: Southeasterly backing northeasterly 5 or 6, occasionally 7 in
north, decreasing 4 at times in south. Moderate in west, slight or moderate in
east. Rain or showers. Good, occasionally poor.
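As an added example (not part of Tony's reply, nor BIND's own tooling): a small sh/awk check that summarises a zone-file dump along the lines the thread draws, i.e. whether RRSIGs and DNSKEYs are present and whether named's TYPE65534 signing-state records are still in the zone. The two sample zones and their key/signature data are constructed placeholders; the script assumes one record per line.

```shell
#!/bin/sh
# Added example: classify a zone-file dump by its DNSSEC state.
# Assumes one record per line (parenthesised multi-line records are not handled).

# dnssec_zone_summary FILE
# Prints: signed=<yes|no> rrsigs=<n> dnskeys=<n> signing_state_records=<n>
# TYPE65534 is the private-type record named uses to track incremental
# signing progress (the data behind "rndc signing -list").
dnssec_zone_summary() {
    awk '
        /^[ \t]*;/ || /^[ \t]*$/ || /^\$/ { next }   # comments, blanks, $ORIGIN/$TTL
        {
            for (i = 1; i <= NF; i++) {
                # first type token wins, so "RRSIG DNSKEY ..." counts as an RRSIG
                if ($i == "RRSIG")     { rrsig++;  break }
                if ($i == "DNSKEY")    { dnskey++; break }
                if ($i == "TYPE65534") { state++;  break }
            }
        }
        END {
            printf "signed=%s rrsigs=%d dnskeys=%d signing_state_records=%d\n",
                   (rrsig > 0 ? "yes" : "no"), rrsig + 0, dnskey + 0, state + 0
        }
    ' "$1"
}

# Constructed sample: a zone named has signed (keys, RRSIGs, one TYPE65534 record).
SIGNED_ZONE=$(mktemp)
cat > "$SIGNED_ZONE" <<'EOF'
$ORIGIN example.com.
$TTL 21600
@   IN SOA    ns1 hostmaster 2024010101 3600 900 1209600 3600
@   IN NS     ns1
@   IN DNSKEY 257 3 13 PLACEHOLDER-KSK-PUBLIC-KEY
@   IN DNSKEY 256 3 13 PLACEHOLDER-ZSK-PUBLIC-KEY
@   IN RRSIG  SOA 13 2 21600 20240201000000 20240101000000 12345 example.com. PLACEHOLDER-SIG
@   IN RRSIG  NS 13 2 21600 20240201000000 20240101000000 12345 example.com. PLACEHOLDER-SIG
@   IN RRSIG  DNSKEY 13 2 21600 20240201000000 20240101000000 54321 example.com. PLACEHOLDER-SIG
@   IN TYPE65534 \# 5 0D30390001
ns1 IN A      192.0.2.1
ns1 IN RRSIG  A 13 3 21600 20240201000000 20240101000000 12345 example.com. PLACEHOLDER-SIG
EOF

# Constructed sample: the same zone before signing (a freshly exported master file).
UNSIGNED_ZONE=$(mktemp)
cat > "$UNSIGNED_ZONE" <<'EOF'
$ORIGIN example.com.
$TTL 21600
@   IN SOA    ns1 hostmaster 2024010101 3600 900 1209600 3600
@   IN NS     ns1
ns1 IN A      192.0.2.1
EOF

dnssec_zone_summary "$SIGNED_ZONE"     # signed=yes rrsigs=4 dnskeys=2 signing_state_records=1
dnssec_zone_summary "$UNSIGNED_ZONE"   # signed=no rrsigs=0 dnskeys=0 signing_state_records=0
```

Run it against the `.signed` file (or a text dump of the zone) after a reload to confirm the zone really carries signatures, rather than relying on `rndc signing -list`.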