Hi Benoît,
If you are using the “default” dnssec-policy and there are no keys, BIND will attempt to create them automatically if it can.
You should see the private, key, and state files that look something like this in the key-directory:
Kexample.com.+013+?????.key
Kexample.com.+013+?????.private
Kexample.com.+013+?????.state
With dnssec logging configured with severity "info" you should see something similar to:
17-Apr-2026 12:53:38.469 dnssec: info: zone example.com/IN (signed): reconfiguring zone keys
17-Apr-2026 12:53:38.470 dnssec: info: keymgr: DNSKEY example.com/ECDSAP256SHA256/23930 (CSK) created for policy default
17-Apr-2026 12:53:38.471 dnssec: info: Fetching example.com/ECDSAP256SHA256/23930 (CSK) from key repository.
17-Apr-2026 12:53:38.471 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/23930 (CSK) is now published
17-Apr-2026 12:53:38.471 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/23930 (CSK) is now active
17-Apr-2026 12:53:38.572 dnssec: info: zone example.com/IN (signed): next key event: 17-Apr-2026 14:58:38.469
The rndc commands to check the status of a signed zone are:
rndc dnssec -status example.com
rndc zonestatus example.com
/Peter
On 17/04/2026 11.37, Benoît Panizzon wrote:
Hi Bind gang!
After upgrading to 9.20 I disabled default inline signing to get my stuff working again.
Now I decided to have a shot at inline signing, but despite trying to follow different guides I always get stuck at the same place.
I have an unsigned zone file, keys with correct permissions etc.
zone "example.com" {
    type master;
    file "example.com";
    allow-update {
        key update-key;
    };
    allow-transfer { secondaries; };
    dnssec-policy default;
    key-directory "/etc/bind/keys";
};
When I issue rndc reconfig after this, I see those lines in the log,
which to me, look good...
(unsigned): loaded serial 2007126012
(signed): serial 2007126013 (unsigned 2007126012)
(signed): sending notifies (serial 2007126013)
example.com.signed
example.com.signed.jnl
were created.
But when I check the zone on the secondaries, it's not signed. Same when I get the zone by doing an AXFR from the primary - no RRSIG entries.
When I issue rndc signing -list example.com I get
No signing records found
According to the examples, I should get 'done signing'.
I tried: rndc sign example.com to force sign the zone. Nothing changes.
When I add an entry with nsupdate then that one entry is signed and the
SOA also is getting signed as the serial incremented.
What could I be missing?
--
Peter Davies
Support Engineer
Internet Systems Corporation
[email protected]
001 650-423-1460
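As an added example (not part of the thread, and not ISC code), the two checks in Peter's reply can be automated: confirm that the key-directory holds a complete .key/.private/.state triplet for the zone, and confirm from the dnssec log category that the same key tag was created, published and made active. The key-file name layout (K<zone>.+<alg>+<tag>.<ext>), the log wording and the algorithm mnemonic table follow BIND's output as shown above; the demo directory, the stray incomplete key with tag 11111 and the log lines in the self-test are constructed for the example.

```python
"""Cross-check a BIND key-directory against dnssec-category log lines.

Added example, not code from the bind-users thread or from ISC.  The demo
directory, the incomplete key 11111 and the log lines below are constructed.
"""
import os
import re
import tempfile
from collections import defaultdict

# K<zone>.+<alg>+<keytag>.<key|private|state>, e.g. Kexample.com.+013+23930.key
KEYFILE_RE = re.compile(
    r"^K(?P<zone>.+?)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(?P<ext>key|private|state)$"
)

# "keymgr: DNSKEY <zone>/<alg>/<tag> (CSK) created for policy default"
# "DNSKEY <zone>/<alg>/<tag> (CSK) is now published" / "... is now active"
LOG_RE = re.compile(
    r"DNSKEY (?P<zone>\S+)/(?P<alg>[A-Z0-9]+)/(?P<tag>\d+) \((?P<role>[CKZ]SK)\) "
    r"(?:(?P<created>created for policy \S+)|is now (?P<state>published|active))"
)

# IANA DNSSEC algorithm numbers mapped to the mnemonics BIND prints in the log
ALG_MNEMONIC = {8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
                14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}

REQUIRED_EXTS = {"key", "private", "state"}


def key_files(keydir, zone):
    """Return {(alg_number, keytag): set(extensions)} for `zone` in keydir."""
    found = defaultdict(set)
    for name in os.listdir(keydir):
        m = KEYFILE_RE.match(name)
        if m and m.group("zone") == zone:
            found[(int(m.group("alg")), int(m.group("tag")))].add(m.group("ext"))
    return dict(found)


def complete_keys(keydir, zone):
    """Keys with all three files; dnssec-policy needs the .state file too."""
    return {k for k, exts in key_files(keydir, zone).items() if exts >= REQUIRED_EXTS}


def key_events(log_lines):
    """Return {(zone, alg_mnemonic, keytag): {"created", "published", "active"}}."""
    events = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # other dnssec log lines (serial, notifies, key events)
        k = (m.group("zone"), m.group("alg"), int(m.group("tag")))
        events[k].add("created" if m.group("created") else m.group("state"))
    return dict(events)


def active_keys_on_disk(keydir, zone, log_lines):
    """(alg, tag) pairs that are complete on disk AND reached 'active' in the log."""
    events = key_events(log_lines)
    result = set()
    for alg, tag in complete_keys(keydir, zone):
        mnemonic = ALG_MNEMONIC.get(alg, str(alg))
        if "active" in events.get((zone, mnemonic, tag), set()):
            result.add((alg, tag))
    return result


# Constructed log lines, modelled on the reply's output (tag 23930, CSK)
DEMO_LOG = [
    "17-Apr-2026 12:53:38.469 dnssec: info: zone example.com/IN (signed): reconfiguring zone keys",
    "17-Apr-2026 12:53:38.470 dnssec: info: keymgr: DNSKEY example.com/ECDSAP256SHA256/23930 (CSK) created for policy default",
    "17-Apr-2026 12:53:38.471 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/23930 (CSK) is now published",
    "17-Apr-2026 12:53:38.471 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/23930 (CSK) is now active",
]


def build_demo_keydir():
    """Create a temporary key-directory: one complete CSK and one constructed
    incomplete key (11111, missing .state) to show what the check rejects."""
    keydir = tempfile.mkdtemp(prefix="bind-keys-")
    for name in ("Kexample.com.+013+23930.key", "Kexample.com.+013+23930.private",
                 "Kexample.com.+013+23930.state",
                 "Kexample.com.+013+11111.key", "Kexample.com.+013+11111.private"):
        open(os.path.join(keydir, name), "w").close()
    return keydir


if __name__ == "__main__":
    d = build_demo_keydir()
    print("complete keys:", complete_keys(d, "example.com"))
    print("active per log and disk:", active_keys_on_disk(d, "example.com", DEMO_LOG))
```

Run it against a real key-directory and a dnssec log extract (named.run or the log channel the dnssec category writes to): an empty result from active_keys_on_disk while .key/.private files exist points at a missing .state file or a key-directory/permission problem that kept keymgr from finishing.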
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list.