Leonardo Oliveira Ortiz <leonardo.or...@marisolsa.com> wrote:
>
> I'm configuring DNSSEC with NSEC3. When I run the first rndc signing
> -list I can check the keys, but when I restart the named service this
> command shows nothing... Is this a problem?

No, it's benign.

When `named` is signing a zone it puts a couple of extra records at the
zone apex to record its progress. The decoded content of these records is
shown by `rndc signing -list`. When signing is complete, the special
records can be removed, so `rndc signing -list` will show nothing. That's
what `rndc signing -clear` does.

My biggest signed zone is less than 50k records unsigned, and at that size
signing still happens fast enough that I haven't ever managed to catch
`rndc signing -list` while it is in progress :-) Perhaps it's more useful
for NSEC3 with a nonzero hash iteration count...

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
St Davids Head to Great Orme Head, including St Georges Channel: Westerly 3 or
4, backing southerly or southeasterly, 4 or 5, occasionally 6 later. Slight or
moderate. Occasional drizzle later. Good, occasionally moderate later.
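
An added example, not part of the original thread: a decoder for the apex progress records discussed above, so their state can be checked from `dig` output as well as from `rndc signing -list`. It assumes BIND's default private record type (TYPE65534, the `sig-signing-type` default) and the private-type layout documented in the BIND ARM; the function name and sample records are constructed for illustration.

```python
import re

# RFC 3597 generic rdata as printed by dig: "\# <length> <hex digits>"
GENERIC = re.compile(r"\\#\s+(\d+)\s+([0-9A-Fa-f\s]+)$")

def decode_private(rr_line):
    """Decode one private-type record given in dig presentation format."""
    m = GENERIC.search(rr_line.strip())
    if not m:
        raise ValueError("not RFC 3597 generic rdata: %r" % rr_line)
    rdata = bytes.fromhex("".join(m.group(2).split()))
    if not rdata or len(rdata) != int(m.group(1)):
        raise ValueError("length field does not match rdata")
    if rdata[0] == 0:
        # First octet 0 (reserved algorithm): an NSEC3 chain change is
        # recorded, and the remaining octets are NSEC3PARAM rdata.
        if len(rdata) < 6 or len(rdata) != 6 + rdata[5]:
            raise ValueError("malformed NSEC3 chain record")
        flags = rdata[2]
        return {"kind": "nsec3", "hash": rdata[1],
                "create": bool(flags & 0x80), "remove": bool(flags & 0x40),
                "iterations": int.from_bytes(rdata[3:5], "big"),
                "salt": rdata[6:].hex()}
    if len(rdata) != 5:
        raise ValueError("signing record must be 5 octets")
    # algorithm, key id (network order), removal flag, complete flag
    removal, complete = bool(rdata[3]), bool(rdata[4])
    state = {(False, False): "signing", (False, True): "done signing",
             (True, False): "removing signatures",
             (True, True): "done removing signatures"}[(removal, complete)]
    return {"kind": "signing", "algorithm": rdata[0],
            "key_id": int.from_bytes(rdata[1:3], "big"), "state": state}

# Constructed sample records (not taken from a real zone).
SAMPLES = [
    r"example.com. 0 IN TYPE65534 \# 5 08 3039 00 01",
    r"example.com. 0 IN TYPE65534 \# 5 08 3039 00 00",
    r"example.com. 0 IN TYPE65534 \# 10 00 01 80 000A 04 DEADBEEF",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(decode_private(line))
```
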