Mark,

On 02/06/2011 10:41 PM, Mark Andrews wrote:
> Mark Andrews writes:
>>
>>>
>>>> Does your configuration also have an "allow-update" setting
>>>> (other than "none") for it, maybe only for the instance that
>>>> is giving you trouble? In that case BIND will take it that you
>>>> want it to do resigning as the RRSIGs approach expiry.
>>>
>>> The only allow-update is in the options section, and none.
>>
>> Get rid of the allow-update and allow the default of no acl to work.
>
> The test that decides that the zone may need to be re-signed doesn't
> take the "none;" acl into account. Currently it is
> "if (acl != NULL || ssu != NULL)" and should become
> "if ((acl != NULL && !isnone(acl)) || ssu != NULL)".
Thanks, this works indeed. This raises a few questions, as I'd really like
to understand bind's behavior:

- is there any description of exactly how/when Bind assumes signing
  authority over a zone? Or simply where some kind of zone-manipulating
  intelligence kicks in?
- is it possible to disable this kind of intelligence (possibly at
  compile time)?
- if not: a config switch (or compile-time option) would really be
  appreciated. The zone option "auto-dnssec off;" did not prevent bind
  from trying to sign the zone.

Best,
Gilles

-- 
Fondation RESTENA - DNS-LU
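The predicate change Mark describes above, as an added C model written for this page (it is not BIND's source): the acl_t struct and the isnone() stand-in are constructed assumptions, and the two functions show why a present-but-empty "allow-update { none; };" made the old test treat a static zone as dynamic.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of an address-match list, not BIND's own type.
 * "allow-update { none; };" is represented as the single element "none". */
typedef struct {
    const char *elements[4];  /* e.g. "none", "any", "key update-key" */
    size_t      count;
} acl_t;

/* Stand-in for BIND's isnone(): true when the ACL admits nobody, i.e.
 * it has no elements or exactly the single element "none". */
static bool isnone(const acl_t *acl) {
    if (acl == NULL || acl->count == 0)
        return true;
    return acl->count == 1 && strcmp(acl->elements[0], "none") == 0;
}

/* The test as it stood: any configured allow-update ACL (even "none")
 * or any update-policy (ssu) marks the zone as a candidate for resigning. */
static bool may_need_resign_old(const acl_t *acl, const void *ssu) {
    return acl != NULL || ssu != NULL;
}

/* The corrected test from the thread: an ACL that admits no updater must
 * not count, so an explicit "none;" leaves a statically signed zone alone. */
static bool may_need_resign_fixed(const acl_t *acl, const void *ssu) {
    return (acl != NULL && !isnone(acl)) || ssu != NULL;
}

int main(void) {
    acl_t none_acl = { { "none" }, 1 };           /* allow-update { none; }; */
    acl_t key_acl  = { { "key update-key" }, 1 }; /* allow-update { key update-key; }; */

    assert(may_need_resign_old(&none_acl, NULL));    /* the bug: resigning attempted */
    assert(!may_need_resign_fixed(&none_acl, NULL)); /* fixed: zone left untouched */
    assert(may_need_resign_fixed(&key_acl, NULL));   /* a real updater: still dynamic */
    assert(!may_need_resign_fixed(NULL, NULL));      /* no ACL at all: never dynamic */
    return 0;
}
```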