On 17/12/2023 5:30 pm, liudong...@ynu.edu.cn wrote:
> I found this zone file got updated in about 15 minutes when I made changes or restarted named, and this behavior seems to match the docs bind9.readthedocs.io/en/latest/chapter6.html#dynamic-update, but I can confirm I DO NOT configure allow-update or update-policy. I even added "allow-update {none;}; // no DDNS by default" in the zone block of the problematic view. Is there any chance this configuration comes from another config file or named build options?
Are you using DNSSEC with this zone? Your config extract doesn't show it, but what you described sounds like BIND might be resigning the zone file and writing the new signed zone over top of the original file? If so, the solution is to use inline-signing: https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-inline-signing
Note that there have been many improvements in BIND's support for DNSSEC over the last few years, so if this is a server that you've inherited, it is probably worth reviewing the DNSSEC configuration options to see if it can be improved?
Nick.
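An added example, not part of the original thread and not taken from the poster's configuration: a zone block with inline-signing enabled, as the reply suggests. The view name, zone name, file path and the use of `dnssec-policy default` are assumptions for illustration.

```conf
// Constructed named.conf fragment (hypothetical names and paths).
view "internal" {
    zone "example.com" {
        type primary;

        // Hand-edited, unsigned source of the zone. With inline-signing
        // enabled, named reads this file and does not write signed
        // records back into it.
        file "zones/internal/example.com.db";

        // Assumption: the zone is signed under a DNSSEC policy. An older
        // configuration may enable signing with a different option; keep
        // whichever statement the server already uses.
        dnssec-policy default;

        // named keeps the signed copy of the zone in a separate file,
        // "zones/internal/example.com.db.signed" (plus its journal),
        // and serves that copy.
        inline-signing yes;

        // The poster's existing setting: dynamic updates stay refused.
        allow-update { none; };
    };
};
```

After a reload, the check that matters is that the timestamp and contents of the unsigned file no longer change while the `.signed` file does; running `named-checkconf` before reloading catches syntax errors in the edited block.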