我遇到了 BIND 9.9.11p1 的問題。我的配置是:
zone "example1.com" {
type master;
file "zones/example1.com";
allow-query { any; };
allow-transfer { 1.2.3.4; };
also-notify { 1.2.3.4; };
key-directory "keys/example1.com";
inline-signing yes;
auto-dnssec maintain;
};
第一次啟動時,BIND 正在簽署該區域。但是如果我更新區域檔案(並增加其序號)然後重新啟動 BIND,則該區域將不會重新簽署...日誌內容:
Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (unsigned): loaded serial 2018021918
Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (signed): loaded serial 2018011925 (DNSSEC signed)
Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (signed): receive_secure_serial: not exact
Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (signed): sending notifies (serial 2018011925)
Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (signed): reconfiguring zone keys
Feb 19 18:36:09 NSX named[65450]: zone example1.com/IN (signed): next key event: 19-Feb-2018 19:36:09.148
如您所看到的,雖然序號已更新,但區域並未重新簽名,且 BIND 正在為舊版本的區域提供服務。如果我在 BIND 重新啟動之前刪除 .jbk/.signed/.signed.jnl 文件,則該區域將重新簽名,但我不認為這就是我應該繼續的方式...