Evan, Thanks for outlining this - it's much clearer now.
> BIND will try to maintain the signatures in a zone if the zone is configured to be dynamic, i.e., if it has an update-policy or allow-update option. It won't create signatures where there were none, but it will try to keep existing RRSIGs up to date for you.
Not that I would need it, but doesn't this prevent someone from dynamically updating (including signatures) a signed zone?
> The "auto-dnssec" option relates to automated changes based on timing metadata stored with the key. For example, you can schedule a key to be published on a certain date, and named will insert the DNSKEY record into the zone at the right time; or, you can schedule a key to become active, and named will start signing with it. But routine RRSIG maintenance happens in *any* dynamic zone, with or without "auto-dnssec". Having RRSIGs disappear from a zone when there's no private key available for re-signing is probably a problem (at least, it would seem to violate the principle of least astonishment). I'll look into that.
I'd see this as a symptom: I would really prefer it if this kind of magic only kicked in when explicitly enabled. Or, if that's not possible for usability reasons, have a config switch like "don't touch my data - ever".
Best,
Gilles
--
Fondation RESTENA

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
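As an added illustration of the distinction drawn in the quoted reply (this is not configuration from the thread, from Gilles, or from ISC), here is a named.conf fragment with one dynamic zone, where named refreshes existing RRSIGs on its own, next to one static zone it leaves untouched; zone names, file paths, key directory and dates are assumed:

```conf
// Added example, not from the thread. Assumed names: example.com,
// example.net, /var/named and /var/named/keys.
options {
    directory "/var/named";
};

// Dynamic zone: the update-policy makes named treat it as dynamic, so
// it re-signs RRSIGs that are about to expire. Per the thread this
// happens with or without auto-dnssec; named only needs the matching
// private keys in key-directory. A key that is missing from that
// directory is exactly the "RRSIGs disappear" case Evan is looking at.
zone "example.com" {
    type master;
    file "dynamic/example.com.db";
    key-directory "/var/named/keys";
    update-policy local;       // nsupdate/rndc with the session key
    // auto-dnssec is the separate mechanism: it acts on the timing
    // metadata stored with each key (publish/activate/inactive/delete).
    // "maintain" publishes the DNSKEY on its publish date and starts
    // signing with the key on its activate date.
    auto-dnssec maintain;
};

// Static zone: no allow-update and no update-policy, so named loads the
// signed file as-is and neither adds nor refreshes any RRSIG. Keeping
// its signatures valid stays a manual dnssec-signzone step.
zone "example.net" {
    type master;
    file "static/example.net.db.signed";
};

// The timing metadata auto-dnssec reads is set when the key is
// generated (or later with dnssec-settime). Example, with assumed dates
// in YYYYMMDDHHMMSS form: publish the DNSKEY a week before it becomes
// active so caches already hold it when it starts signing:
//   dnssec-keygen -K /var/named/keys -a RSASHA256 -b 2048 \
//       -P 20120301000000 -A 20120308000000 example.com
// then tell the running server to re-read the key directory:
//   rndc loadkeys example.com
```

Checking which zones named will touch is therefore a matter of grepping named.conf for allow-update or update-policy, not for auto-dnssec.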