Discussion:
dnssec - rndc list
Leonardo Oliveira Ortiz
2018-12-07 01:23:22 UTC
Hello.
I have a setup with bind 9.9 in chroot, dnssec and inline-sign now.

I'm configuring DNSSEC with NSEC3. When I run the first `rndc signing -list` I can check the keys, but when I restart the named service this command shows nothing...
Is this a problem? I tried to load the keys again with `rndc loadkeys`, but I still can't see anything in `-list`.
Tony Finch
2018-12-10 15:04:31 UTC
Post by Leonardo Oliveira Ortiz
I'm configuring DNSSEC with NSEC3. When I run the first `rndc signing
-list` I can check the keys, but when I restart the named service this
command shows nothing... Is this a problem?
No, it's benign.

When `named` is signing a zone it puts a couple of extra records at the
zone apex to record its progress. The decoded content of these records is
shown by `rndc signing -list`.

When signing is complete, the special records can be removed, so `rndc
signing -list` will show nothing. That's what `rndc signing -clear` does.

My biggest signed zone is less than 50k records unsigned, and at that size
signing still happens fast enough that I haven't ever managed to catch
`rndc signing -list` while it is in progress :-) Perhaps it's more useful
for NSEC3 with a nonzero hash iteration count...

Tony.
--
f.anthony.n.finch <***@dotat.at> http://dotat.at/
St Davids Head to Great Orme Head, including St Georges Channel: Westerly 3 or
4, backing southerly or southeasterly, 4 or 5, occasionally 6 later. Slight or
moderate. Occasional drizzle later. Good, occasionally moderate later.
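As an added illustration of the answer above (not code from the thread or from BIND): a small shell helper that reads the output of `rndc signing -list ZONE`, refuses to act while any key is still signing, and otherwise emits the `rndc signing -clear` commands that remove the finished signing-state records. The line formats it matches ("Signing with key N/ALG", "Done signing with key N/ALG") and the sample output are assumptions; verify them against your own `named` before relying on the script.

```shell
# Added example, not from the thread. Assumed `rndc signing -list` line
# formats: "Signing with key N/ALG" while in progress and
# "Done signing with key N/ALG" when finished (check against your named).

signing_pending() {
    # exit 0 if any key is still being signed, 1 otherwise
    printf '%s\n' "$1" | grep -q '^Signing with key '
}

done_keys() {
    # print KEYID/ALG for each completed key, one per line
    printf '%s\n' "$1" | sed -n 's/^Done signing with key \([0-9][0-9]*\/[A-Z0-9]*\).*/\1/p'
}

clear_commands() {
    # $1 = zone name, $2 = captured output of `rndc signing -list $1`
    # Prints the -clear commands only when no key is still signing,
    # so a zone mid-signing is never cleared by mistake.
    zone=$1; list_out=$2
    if signing_pending "$list_out"; then
        echo "# $zone: signing still in progress, not clearing"
        return 1
    fi
    done_keys "$list_out" | while IFS= read -r key; do
        echo "rndc signing -clear $key $zone"
    done
    return 0
}

# Constructed sample output for a zone whose signing has finished
SAMPLE_DONE='Done signing with key 12345/RSASHA256
Done signing with key 54321/ECDSAP256SHA256'

# Constructed sample output for a zone with one key still signing
SAMPLE_BUSY='Signing with key 12345/RSASHA256
Done signing with key 54321/ECDSAP256SHA256'

# To run this against a live server, replace $SAMPLE_DONE with
#   "$(rndc signing -list example.com)" and pipe the output to sh.
clear_commands example.com "$SAMPLE_DONE"
clear_commands example.com "$SAMPLE_BUSY"
```

On a live server, `rndc signing -clear all ZONE` removes every finished record at once; the per-key form above is handy when you want to log exactly which records were dropped.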