dnssec - rndc list

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

dnssec - rndc list

Leonardo Oliveira Ortiz

Hello.

I have a setup with bind 9.9 in chroot, dnssec and inline-sign now.

 

Im configuring DNSSec with nsec3, when i run the first rndc signing –list I can check the keys, but when I restart named service this command shows nothing…

This is a problem? Tried load the keys again with rndc loadkeys but still cant check nothing in --list

 

 


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: dnssec - rndc list

Tony Finch
Leonardo Oliveira Ortiz <[hidden email]> wrote:
>
> Im configuring DNSSec with nsec3, when i run the first rndc signing
> -list I can check the keys, but when I restart named service this
> command shows nothing... This is a problem?

No, it's benign.

When `named` is signing a zone it puts a couple of extra records at the
zone apex to record its progress. The decoded content of these records is
shown by `rndc signing -list`.

When signing is complete, the special records can be removed, so `rndc
signing -list` will show nothing. That's what `rndc signing -clear` does.

My biggest signed zone is less than 50k records unsigned, and at that size
signing still happens fast enough that I haven't ever managed to catch
`rndc signing -list` while it is in progress :-) Perhaps it's more useful
for NSEC3 with a nonzero hash iteration count...

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
St Davids Head to Great Orme Head, including St Georges Channel: Westerly 3 or
4, backing southerly or southeasterly, 4 or 5, occasionally 6 later. Slight or
moderate. Occasional drizzle later. Good, occasionally moderate later.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users