From a71e037ac4ecf8ba213c87c2a545600fa1daaf05 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Fri, 11 Oct 2024 14:38:55 +0200 Subject: [PATCH] Add new behavior to the ARM Add text to the ARM that describes what we do in case key files have become unavailable. (cherry picked from commit 351c066d916b0ac79070ee0c8e9879d108dfb996) --- doc/arm/reference.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 88a44045ba..c2a6039d7f 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -6394,6 +6394,14 @@ zone is generated even if they have the same policy. If multiple views are configured with different versions of the same zone, each separate version uses the same set of signing keys. +If the expected key files that were previously observed have gone missing or +are inaccessible, key management is halted. This will prevent rollovers +from being started if there is a temporary file access issue. If his problem +is permanent it will eventually lead to expired signatures in your zone. +Note that if the key files are missing or inaccessible during :iscman:`named` +startup, BIND 9 will try to generate new keys according to the DNSSEC policy, +because it has no cached information about existing keys yet. + The :any:`dnssec-policy` statement requires dynamic DNS to be set up, or :any:`inline-signing` to be enabled (which is the default for DNSSEC zones).
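Review bot: Typo in the third sentence of the added paragraph in doc/arm/reference.rst: "If his problem is permanent" should read "If this problem is permanent". Two further points on the same hunk. First, the new text says key management "is halted" but does not say how the operator would notice (whether :iscman:`named` logs anything, or whether the condition is visible through rndc); since the stated consequence of the permanent case is expired signatures, the paragraph would be more useful if it told the reader how to detect the halted state before the signatures expire, if such a signal exists. Second, the startup caveat is important and worth making explicit: because a restart with the key files still missing makes :iscman:`named` generate a fresh key set under the policy, the safe recovery path is to restore the key files before restarting rather than restarting to "clear" the halt; a sentence to that effect would prevent a natural but damaging reaction. Minor style point: "in your zone" could become "in the zone" to match the surrounding reference text, which describes behaviour impersonally.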