I'm running bind9 on ubuntu 20.04, package version is 1:9.16.1-0ubuntu2.11. I've configured it to do fully automatic DNSSEC signing, using the dnssec-policy default; statement in zone configuration.

I have a few zones set up, but they don't seem to update properly. When I update (or remove) a record from the original unsigned zonefile, and then run rndc sign example.com, I see in the logs that a new serial is generated, the zone is signed, and the updated zone is transferred to the slave servers:
named[638]: received control channel command 'sign example.com'
named[638]: zone example.com/IN (signed): reconfiguring zone keys
named[638]: zone example.com/IN (signed): next key event: 30-Oct-2022 21:36:42.061
named[638]: zone example.com/IN (signed): sending notifies (serial 2022020430)
named[638]: client @0x7f132004b0a0 1.2.3.4#44170 (example.com): transfer of 'example.com/IN': IXFR started (serial 2022020429 -> 2022020430)
named[638]: client @0x7f132004b0a0 1.2.3.4#44170 (example.com): transfer of 'example.com/IN': IXFR ended: 1 messages, 12 records, 1093 bytes, 0.001 secs (1093000 bytes/sec)
But when I inspect the updated zone, either by querying the servers (primary or secondaries, makes no difference) or inspecting the signed zonefile on disk on the master using named-checkzone -D -f raw example.com example.com.signed, my changes have not been applied.
The serial is updated just fine, but my records are still the old ones. Updated records don't show up, removed records keep showing up.
When I remove generated files from the server (example.com.jbk, example.com.signed, example.com.signed.jnl), they come back after rndc sign, or some time later without me doing anything (maybe the server scheduled tasks for later?). And some time later, the zone actually gets updated to my liking. But apparently I need to forcibly remove files from the server?

I have no idea how to make bind use my updated zonefile to generate a signed zonefile with correct contents without pulling weird tricks. Maybe someone can explain what is going on?
NB I've set this up using the DNSSEC guide from the bind9 docs. In newer versions of that document, it's stated that I need to add inline-signing yes; to my zone configuration, but that results in an error (inline-signing: cannot be configured if dnssec-policy is also set). So that is not the solution :(
To answer my own question:

The problem was that I was using rndc sign example.com to push updates out. The sign command just re-signs the existing (in-memory) data.

After editing the unsigned domain file on disk, you need to use rndc reload example.com to instruct named to read the updated zonefile. Then it will automatically re-sign the zone, send notifies etc. Don't forget to increase the serial in the zonefile, otherwise named will reject the update (but this will only be visible in the logs, not in the response to your rndc command).