From 16fed98e206919f34ce70409b432a61d676c97c1 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Fri, 11 Oct 2024 14:38:55 +0200 Subject: [PATCH] Add new behavior to the ARM Add text to the ARM that describes what we do in case key files have become unavailable. (cherry picked from commit 351c066d916b0ac79070ee0c8e9879d108dfb996) --- doc/arm/reference.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index c9fda58646..b6356343cc 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -6418,6 +6418,14 @@ zone is generated even if they have the same policy. If multiple views are configured with different versions of the same zone, each separate version uses the same set of signing keys. +If the expected key files that were previously observed have gone missing or +are inaccessible, key management is halted. This will prevent rollovers +from being started if there is a temporary file access issue. If his problem +is permanent it will eventually lead to expired signatures in your zone. +Note that if the key files are missing or inaccessible during :iscman:`named` +startup, BIND 9 will try to generate new keys according to the DNSSEC policy, +because it has no cached information about existing keys yet. + The :any:`dnssec-policy` statement requires dynamic DNS to be set up, or :any:`inline-signing` to be enabled.