Leonardo Oliveira Ortiz <[hidden email]> wrote:
> Im configuring DNSSec with nsec3, when i run the first rndc signing
> -list I can check the keys, but when I restart named service this
> command shows nothing... This is a problem?
No, it's benign.
When `named` is signing a zone it puts a couple of extra records at the
zone apex to record its progress. The decoded content of these records is
shown by `rndc signing -list`.
When signing is complete, the special records can be removed, so `rndc
signing -list` will show nothing. That's what `rndc signing -clear` does.
My biggest signed zone is less than 50k records unsigned, and at that size
signing still happens fast enough that I haven't ever managed to catch
`rndc signing -list` while it is in progress :-) Perhaps it's more useful
for NSEC3 with a nonzero hash iteration count...
f.anthony.n.finch <[hidden email]> http://dotat.at/ St Davids Head to Great Orme Head, including St Georges Channel: Westerly 3 or
4, backing southerly or southeasterly, 4 or 5, occasionally 6 later. Slight or
moderate. Occasional drizzle later. Good, occasionally moderate later.
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list