Salut,

On Sun, Aug 09, 2009 at 11:41:15AM -0400, Perry E. Metzger wrote:
> And why would it "have" to signal people to reload a zone that hadn't
> changed?
>
> You have to sign zone files when they change or when a signature
> expires. You don't have to do it at boot time. You don't even have to do
> it on the same machine that is serving the zones. I suggest reading the
> manual.

Modern nameds handle such activity on their own if told to, and that is a legitimate thing to ask. If your system now comes up with a time that is outside the usual 30-day timeframe of a DNSSEC signature, which is also legitimate, named will re-sign the zone with an invalid timestamp, rendering it non-working.

The right change is really to split named into a recursor and an authoritative name server, or to use lwresd as proposed.

Your change should be reverted as it is very harmful and doesn't help in a sane setup.

Tonnerre