Hi, I did not use or configure DNSSEC or Dynamic DNS. I have also disabled DNSSEC via `dnssec-validation no;`. I also tried to use `dnssec-enable no;` and `dnssec-lookaside no;`, but these configuration options do not exist anymore in the new BIND 9.18.20 I updated to.
I also checked whether I am using DNSSEC via `dnssec-checkds`.

```
[root@pridns ~]# dnssec-checkds -f /etc/named.data/db.ynu.edu.cn.intranet ynu.edu.cn
dnssec-dsfromkey: fatal: no DNSKEY RR for ynu.edu.cn in /etc/named.data/db.ynu.edu.cn.intranet
No DNSKEY records found in zone apex
[root@pridns ~]# echo $?
1
[root@pridns ~]#
```

And there is no log in `dnssec_log` after I configured DNSSEC logging from https://bind9.readthedocs.io/en/latest/dnssec-guide.html#bind-dnssec-debug-logging.

Is it a problem with the SOA serial number? After I updated this value, the zone file did not change anymore, but this zone is not loaded, according to the `rndc dumpdb -all` output.

```
# parts of /var/named/data/cache_dump.db
; Zone dump of 'ynu.edu.cn/IN/INTRANET'
;
; zone not loaded
```

```
[root@pridns ~]# tail -f /var/log/named/dns-default.log|grep 113.55.127.140
19-Dec-2023 09:28:47.481 query-errors: info: client @0x7fe6f000da68 113.55.127.140#54309 (www.ynu.edu.cn): view INTRANET: query failed (zone not loaded) for www.ynu.edu.cn/IN/A at query.c:5673
19-Dec-2023 09:28:47.481 query-errors: info: client @0x7fe70049a218 113.55.127.140#54310 (www.ynu.edu.cn): view INTRANET: query failed (zone not loaded) for www.ynu.edu.cn/IN/AAAA at query.c:5673
19-Dec-2023 09:28:47.483 client: debug 1: client @0x7fe6fd8b9c98 113.55.127.140#54311 (www.ynu.edu.cn): view INTRANET: servfail cache hit www.ynu.edu.cn/A (CD=0)
19-Dec-2023 09:28:47.483 query-errors: info: client @0x7fe6fd8b9c98 113.55.127.140#54311 (www.ynu.edu.cn): view INTRANET: query failed (SERVFAIL) for www.ynu.edu.cn/IN/A at query.c:7094
19-Dec-2023 09:28:47.484 client: debug 1: client @0x7fe70049a218 113.55.127.140#54312 (www.ynu.edu.cn): view INTRANET: servfail cache hit www.ynu.edu.cn/AAAA (CD=0)
19-Dec-2023 09:28:47.484 query-errors: info: client @0x7fe70049a218 113.55.127.140#54312 (www.ynu.edu.cn): view INTRANET: query failed (SERVFAIL) for www.ynu.edu.cn/IN/AAAA at query.c:7094
[root@pridns ~]#
```

However, this zone file /etc/named.data/db.ynu.edu.cn.intranet is almost the same as another zone file from a different view.

2023-12-18 04:18:06 "Nick Tait via bind-users" <bind-users@lists.isc.org> wrote:

> On 17/12/2023 5:30 pm, liudong...@ynu.edu.cn wrote:
> > I found this zone file got updated in about 15 minutes when I made
> > changes or restarted named, and this behavior seems to match the docs
> > bind9.readthedocs.io/en/latest/chapter6.html#dynamic-update, but I can
> > confirm I DO NOT configure allow-update or update-policy. I even added
> > "allow-update {none;}; // no DDNS by default" in the zone block of the
> > problematic view. Is there any chance this configuration comes from
> > another config file or named build options?
>
> Are you using DNSSEC with this zone? Your config extract doesn't show
> it, but what you described sounds like BIND might be resigning the zone
> file and writing the new signed zone over top of the original file? If
> so, the solution is to use inline-signing:
> https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-inline-signing
>
> Note that there have been many improvements in BIND's support for DNSSEC
> over the last few years, so if this is a server that you've inherited,
> it is probably worth reviewing the DNSSEC configuration options to see
> if it can be improved?
>
> Nick.
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users