
I am trying to understand how Bind manages DNSSEC zone key signatures without external intervention. Specifically, what process (named?) detects that a zone signature is about to expire, and what are the methods of detection and re-signing?

Does named itself regularly poll all the zone keys and then spawn an update process? Are there settings beyond those listed below required to get auto-maintain to work? Does the update have to be triggered by rndc or by reloading named?

. . .
options {
  . . .
  dnssec-enable yes;
  key-directory "/usr/local/etc/namedb/master/";
  dnssec-validation auto;
. . .
};
. . .
zone example.com {
  type master;
  file "/usr/local/etc/namedb/master/example.com.hosts";
  key-directory "/usr/local/etc/namedb/master/";
  auto-dnssec maintain;
  inline-signing yes;
};
James B. Byrne

1 Answer


According to https://www.sidn.nl/a/dnssec/dnssec-signatures-in-bind-named the following is the current procedure:

If you use the 'auto-dnssec maintain' option, the key directory is checked every hour for changes to the key pairs. Depending on the meta-data in the key files, each key pair is assigned the status 'unpublished', 'published', 'active', 'expired' or 'withdrawn'. Thus, the published DNSKEY records are automatically kept up to date. In addition, the digital signatures (in the RRSIG records) can be reset where necessary. The effect of this option is therefore the same as the effect of including the 'rndc sign' command in a cron job, in combination with the 'auto-dnssec allow' option.

James B. Byrne
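The answer above describes named reading timing metadata from the key files in key-directory and deriving each key's state from it; the question also asks how an about-to-expire signature is noticed. As an added example, not part of the question, the answer, or BIND's own code, the following Python mirrors both checks on constructed input: it parses the "; Publish:", "; Activate:", "; Inactive:" and "; Delete:" comment lines that dnssec-keygen and dnssec-settime write into K*.key files (YYYYMMDDHHMMSS, UTC), maps them onto the states the answer names, and reads the expiration field of RRSIG records to report how many days of validity remain. The mapping of timestamps to the state names, the placeholder key material, the sample RRSIGs and the 7-day margin are all assumptions of this example, not BIND's internal names or defaults.

```python
"""Classify BIND DNSSEC keys from K*.key timing metadata and check RRSIG expiry.

Added example (not from the original question or answer, nor BIND's own code).
Assumptions: timing lines look like "; Activate: 20230108000000 (...)" as
dnssec-keygen/dnssec-settime write them; the mapping onto the states named in
the answer ('unpublished', 'published', 'active', 'expired', 'withdrawn') is
this example's reading of the text, not BIND's internal state names.
"""
import re
from datetime import datetime, timezone

# Constructed sample key file; the DNSKEY material is a placeholder.
KEY_FILE = """; This is a zone-signing key, keyid 12345, for example.com.
; Created: 20230101000000 (Sun Jan  1 00:00:00 2023)
; Publish: 20230101000000 (Sun Jan  1 00:00:00 2023)
; Activate: 20230108000000 (Sun Jan  8 00:00:00 2023)
; Inactive: 20240101000000 (Mon Jan  1 00:00:00 2024)
; Delete: 20240201000000 (Thu Feb  1 00:00:00 2024)
example.com. IN DNSKEY 256 3 13 PLACEHOLDER-PUBLIC-KEY ; ZSK; key id = 12345
"""

# Constructed sample RRSIG records; the signature field is a placeholder.
ZONE_RRSIGS = """example.com. 3600 IN RRSIG SOA 13 2 3600 20230215000000 20230116000000 12345 example.com. c29tZXNpZw==
example.com. 3600 IN RRSIG NS 13 2 3600 20230301000000 20230130000000 12345 example.com. c29tZXNpZw==
"""

_TIMING = re.compile(r"^;\s*(Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})")
_RRSIG = re.compile(
    r"^\S+\s+(?:\d+\s+)?IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+"
)


def _ts(value):
    """Parse a YYYYMMDDHHMMSS timestamp as UTC, the format used in key files."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_key_times(key_text):
    """Return {field: datetime} for the timing comment lines in a .key file."""
    times = {}
    for line in key_text.splitlines():
        m = _TIMING.match(line)
        if m:
            times[m.group(1)] = _ts(m.group(2))
    return times


def key_state(times, now):
    """Map timing metadata to one of the states listed in the answer.

    Later events take precedence: a key past its Delete time is withdrawn even
    though it is also past Publish/Activate/Inactive.
    """
    if "Delete" in times and now >= times["Delete"]:
        return "withdrawn"
    if "Inactive" in times and now >= times["Inactive"]:
        return "expired"
    if "Activate" in times and now >= times["Activate"]:
        return "active"
    if "Publish" in times and now >= times["Publish"]:
        return "published"
    return "unpublished"


def rrsig_days_left(zone_text, now):
    """Return {covered type: days until the RRSIG expiration field} for each RRSIG."""
    days = {}
    for line in zone_text.splitlines():
        m = _RRSIG.match(line)
        if m:
            covered, expiration, _inception = m.groups()
            days[covered] = (_ts(expiration) - now).total_seconds() / 86400
    return days


def needs_resign(zone_text, now, margin_days=7):
    """Covered types whose signature expires within margin_days (a constructed
    threshold for this example, not BIND's own re-sign interval)."""
    return [t for t, d in rrsig_days_left(zone_text, now).items() if d < margin_days]


if __name__ == "__main__":
    when = datetime(2023, 2, 10, tzinfo=timezone.utc)
    print("key state on", when.date(), "=", key_state(parse_key_times(KEY_FILE), when))
    print("days left per RRSIG:", rrsig_days_left(ZONE_RRSIGS, when))
    print("needs re-signing:", needs_resign(ZONE_RRSIGS, when))
```

Run against a real key directory, the same parser can be pointed at each K*.key file to see which state named will assign at its next hourly check; the RRSIG check is a monitoring aid for confirming that re-signing actually happened, since a signature that keeps approaching its expiration is the visible symptom when auto-dnssec maintain is not in effect.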