> On Mon, Feb 22, 2016 at 10:52:25AM -0500, Thomas Schulz wrote:
> > rndc signing -list adi.com in external
> >
> > I get 'No signing records found'
> >
> > Note that we use views and view external is what the world sees. I expected
> > that the rndc signing command would show that the zone is signed.
>
> When a zone is being signed by named, it stores temporary records at the
> zone apex (RR type TYPE65534) to indicate the current state of the
> signing process, so that if there's a power failure in the middle, named
> will be able to resume. Those are the "signing records" referred to here.
>
> At the end of the process there's a record left behind for each DNSKEY,
> indicating that signing is complete for that key. At that point you can
> use "rndc signing -clear" to remove them if you want to (though personally
> I just leave them).
>
> Since those records aren't there now, I would guess you either already
> cleared them at some point, or else some other signing mechanism was
> used such as dnssec-signzone instead of the automatic signing in named.
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
We are using automatic signing with the following in named.conf:

    zone "adi.com" {
        type master;
        file "adi.com.hosts.ext";
        inline-signing yes;
        key-directory "dnssec";
        auto-dnssec maintain;
    };

I don't think that I have ever done a clear, but named has been restarted
since the signing was done. The signing was done over a year ago.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
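Added example, not from the thread or from ISC: the TYPE65534 "signing records" Evan describes are ordinary apex RRs, so they can be pulled with dig (or out of a zone transfer or a zone file dump) and decoded by hand when rndc is not available, for instance on a secondary or while reviewing a saved copy of the zone. The script assumes the five-byte record layout used by BIND's lib/dns/private.c (algorithm, key tag, remove flag, complete flag) and mirrors the wording of "rndc signing -list"; the sample dig output, the key tags and the hypothetical helper names are all constructed for this example.

```shell
#!/bin/sh
# Decode BIND private-type signing records (TYPE65534) as "rndc signing -list" would.
#
# Assumed wire format (BIND lib/dns/private.c), 5 bytes per record:
#   byte 0     DNSSEC algorithm number
#   bytes 1-2  key tag, big-endian
#   byte 3     non-zero = signatures made with this key are being removed
#   byte 4     non-zero = that operation has completed
# dig prints the record in RFC 3597 generic syntax, e.g.
#   adi.com. 3600 IN TYPE65534 \# 5 0829C80001

alg_name() {
    # DNSSEC algorithm number -> IANA mnemonic; anything else -> "algN"
    case $1 in
        5)  echo RSASHA1 ;;
        7)  echo NSEC3RSASHA1 ;;
        8)  echo RSASHA256 ;;
        10) echo RSASHA512 ;;
        13) echo ECDSAP256SHA256 ;;
        14) echo ECDSAP384SHA384 ;;
        15) echo ED25519 ;;
        16) echo ED448 ;;
        *)  echo "alg$1" ;;
    esac
}

decode_private_record() {
    # $1: one TYPE65534 RR line as printed by dig. Prints a one-line status
    # in the wording rndc uses (assumed); returns 1 on anything malformed.
    hex=$(printf '%s\n' "$1" \
        | sed -n 's/.*\\#[[:space:]]*[0-9][0-9]*[[:space:]]*//p' \
        | tr -d ' \t' | tr 'a-f' 'A-F')
    if [ ${#hex} -ne 10 ]; then
        echo "not a 5-byte signing record: $1" >&2
        return 1
    fi
    a=${hex%????????}                 # algorithm      (hex chars 1-2)
    k=${hex#??}; k=${k%????}          # key tag        (hex chars 3-6)
    r=${hex#??????}; r=${r%??}        # remove flag    (hex chars 7-8)
    c=${hex#????????}                 # complete flag  (hex chars 9-10)
    alg=$((0x$a)); keytag=$((0x$k)); remove=$((0x$r)); complete=$((0x$c))
    name=$(alg_name "$alg")
    if [ "$remove" -ne 0 ]; then
        if [ "$complete" -ne 0 ]; then
            echo "Done removing signatures with key $keytag/$name"
        else
            echo "Removing signatures with key $keytag/$name"
        fi
    else
        if [ "$complete" -ne 0 ]; then
            echo "Done signing with key $keytag/$name"
        else
            echo "Signing with key $keytag/$name"
        fi
    fi
}

summarize_signing_records() {
    # stdin: dig output (or an AXFR dump); decodes every TYPE65534 record in it.
    # With no records it prints the same message rndc prints.
    n=0
    while IFS= read -r line; do
        case $line in
            *" TYPE65534 "*) decode_private_record "$line" || return 1; n=$((n + 1)) ;;
        esac
    done
    [ "$n" -gt 0 ] || echo "No signing records found"
}

all_signing_complete() {
    # Succeeds only when every record on stdin is a completed signing record
    # (no work in progress, no removals, and not "no records at all").
    pending=$(summarize_signing_records | awk '!/^Done signing with key/ { n++ } END { print n + 0 }')
    [ "$pending" -eq 0 ]
}

# Constructed sample of what "dig @127.0.0.1 adi.com TYPE65534" might return from a
# named doing inline signing; key tags are invented for this example.
SAMPLE_RECORDS='adi.com. 3600 IN TYPE65534 \# 5 0829C80001
adi.com. 3600 IN TYPE65534 \# 5 0D 9F 3C 00 00
adi.com. 3600 IN TYPE65534 \# 5 082AC50100'

printf '%s\n' "$SAMPLE_RECORDS" | summarize_signing_records
```

Against a live server the same decoding applies to "dig @server adi.com TYPE65534" (the record is only present when named did the signing itself, so querying the address that serves the "external" view matters). Note what the records do and do not prove: they are a resumable progress marker for named's own signer, so "No signing records found" after an "rndc signing -clear" or after signing with dnssec-signzone is expected and says nothing about whether the zone is signed. The evidence that matters for the world is the signed data itself: "dig +dnssec @server adi.com DNSKEY" and "dig +dnssec @server adi.com SOA" should return RRSIGs that validate against the DS published in the parent, and "rndc zonestatus adi.com in external" (where your named supports it) reports whether inline signing and key maintenance are active for that view.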