I'm running into a problem with BIND 9.9.11p1. My configuration is:
zone "example1.com" {
    type master;
    file "zones/example1.com";
    allow-query { any; };
    allow-transfer { 1.2.3.4; };
    also-notify { 1.2.3.4; };
    key-directory "keys/example1.com";
    inline-signing yes;
    auto-dnssec maintain;
};
On the first start, BIND signs the zone. However, if I update the zone file (and increment its serial number) and then restart BIND, the zone is not re-signed... Log contents:
Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (unsigned): loaded serial 2018021918
Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (signed): loaded serial 2018011925 (DNSSEC signed)
Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (signed): receive_secure_serial: not exact
Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (signed): sending notifies (serial 2018011925)
Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (signed): reconfiguring zone keys
Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (signed): next key event: 19-Feb-2018 19:36:09.148
As you can see, although the serial number has been updated, the zone has not been re-signed and BIND is serving the old version of the zone. If I delete the .jbk/.signed/.signed.jnl files before restarting BIND, the zone does get re-signed, but I don't think that is the way I should be doing this...
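As an added example (not part of the original question), a small shell check an operator can run after reloading an inline-signed zone to catch exactly the situation in the log above: it reads the SOA serial from the unsigned zone file on disk, compares it with the serial named is actually serving, and then confirms the served SOA carries an RRSIG. The zone name, file path, server address and sample zone content are placeholders/constructed.

```shell
#!/bin/sh
# Added example, not from the original question: after a reload, confirm the
# signed view named serves has caught up with the unsigned zone file on disk.
# Zone name, file path and server are placeholders; the sample zone is constructed.
# Extract the SOA serial from a master-format zone file. Handles both the
# single-line SOA and the multi-line "( ... )" form; comments are ignored.
zonefile_serial() {
    awk '
        { sub(/;.*/, "") }                      # drop comments, re-split fields
        !insoa {
            for (i = 1; i <= NF; i++)
                if ($i == "SOA") { insoa = 1; start = i + 1; break }
            if (!insoa) next
        }
        insoa {
            for (i = start; i <= NF; i++)       # first number after SOA = serial
                if ($i ~ /^[0-9]+$/) { print $i; exit }
            start = 1                           # continuation lines: scan from $1
        }
    ' "$1"
}
# Plain numeric compare (fine for date-based serials): 0 = caught up,
# 1 = named still serves an older signed version than the file on disk.
serial_status() {
    if [ "$2" -ge "$1" ]; then
        echo "ok: served=$2 disk=$1"
    else
        echo "STALE: served=$2 disk=$1"
        return 1
    fi
}
# Live checks against a running named (need dig; zone/server are placeholders).
served_serial() { dig @"$2" "$1" SOA +short | awk '{ print $3 }'; }
soa_is_signed()  { dig @"$2" "$1" SOA +dnssec +norecurse | grep -q 'RRSIG[[:space:]]*SOA'; }
check_zone() {
    serial_status "$(zonefile_serial "$2")" "$(served_serial "$1" "$3")" || return 1
    soa_is_signed "$1" "$3" && echo "signed: RRSIG present on SOA" || { echo "UNSIGNED SOA"; return 1; }
}
# Offline demonstration: constructed zone file plus the serials from the log above.
SAMPLE_ZONE=$(mktemp)
cat >"$SAMPLE_ZONE" <<'EOF'
$TTL 3600
@   IN  SOA ns1.example1.com. hostmaster.example1.com. (
        2018021918 ; serial (constructed sample)
        3600 900 1209600 300 )
    IN  NS  ns1.example1.com.
ns1 IN  A   192.0.2.1
EOF
serial_status "$(zonefile_serial "$SAMPLE_ZONE")" 2018011925 || true   # prints STALE
```

Against a live server the call is `check_zone example1.com zones/example1.com 127.0.0.1`; a STALE or UNSIGNED result after a reload is the cue to look at the journal/`.signed` state rather than to trust the reload.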