Hi Peter .. How do you know your DNSSEC is working to begin with?
Here is a URL that I prefer to use that will help answer that question: https://dnsviz.net/

What you are looking for is your zone to be “secure”.

Since you are an experienced BIND admin .. any clues to be found in the logs? grep for “unsigned”.

One option that appears to be missing from your conf file is:

    zone "supercoolzonehere.com" IN {
        inline-signing yes;
    };

Which would achieve the result that you described below wherein a record is added and “rndc reload” is executed.

Good hunting.

John

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Peter Fraser
Sent: Sunday, May 09, 2021 8:49 PM
To: bind-users@lists.isc.org
Subject: Update DNSSEC Zone

Hi All,

I really would appreciate a pointer in the right direction. I took over a bind server recently. I am not new to bind. I have used it many times and honestly prefer it to windows dns but I have never worked with DNSSEC. I have been reading all day and I still can’t figure out how to update the DNSSEC zone. Can anyone assist me please? I did see one site that said I could just put in regular A record entries and run rndc reload and that would resign the zone. I tried that but it didn’t work. I am using bind-9.14.x and here are the DNSSEC related entries in the zone.

    auto-dnssec maintain;
    update-policy local;
    key-directory "zones/domain-keys";

Best Regards,
SI
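An added example, not part of either message in this thread: a shell check that a newly added record actually came back signed, by looking for an RRSIG covering it in `dig +dnssec` output taken straight from the authoritative server. The host name, address, key tag, signature data and the 127.0.0.1 server address are constructed placeholders.

```shell
#!/bin/sh
# Added example: confirm that a record added to a signed zone was actually signed.
# rrset_signed NAME TYPE reads `dig +dnssec +noall +answer` output on stdin and
# succeeds only if it holds both the RRset and an RRSIG covering TYPE for NAME.
rrset_signed() {
    awk -v name="$1" -v type="$2" '
        BEGIN { name = tolower(name); if (name !~ /\.$/) name = name "." }
        /^;/ || NF < 5 { next }                       # skip comments and blank lines
        tolower($1) != name { next }                  # only the owner name asked about
        $4 == type { have_rr = 1 }                    # the record itself
        $4 == "RRSIG" && $5 == type { have_sig = 1 }  # signature covering TYPE
        END { exit (have_rr && have_sig) ? 0 : 1 }
    '
}

# Query the authoritative server directly (assumed here to be 127.0.0.1) so a
# resolver cache cannot hide a stale or unsigned answer.
check_live() {
    dig +dnssec +noall +answer @"${3:-127.0.0.1}" "$1" "$2" | rrset_signed "$1" "$2"
}

# Constructed sample answers (placeholder name, address and signature data).
SIGNED_ANSWER='newhost.example.com. 3600 IN A 192.0.2.10
newhost.example.com. 3600 IN RRSIG A 13 3 3600 20210608000000 20210509000000 12345 example.com. c2FtcGxlc2lnbmF0dXJl'
UNSIGNED_ANSWER='newhost.example.com. 3600 IN A 192.0.2.10'
```

Against a running server, `check_live newhost.example.com A && echo signed || echo NOT signed` gives the verdict for the record just added.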