BIND 9.7.0a1 and dnssec-signzone verification

Holger.Zuleger at arcor.net
Wed Jun 24 15:45:33 UTC 2009


I have some issues with dnssec-signzone under BIND 9.7.0a1.

I'm using different algorithms for key-signing and zone-signing keys.
This is the list of currently used keys:
$ dnssec-zkt  .
Keyname                             Tag Typ Sta Algorit Generation Time
                  sub.example.de. 56595 KSK act RSASHA1 Oct 03 2008 23:27:15
                  sub.example.de. 40956 KSK act RSASHA1 Oct 03 2008 01:02:19
                  sub.example.de. 26451 KSK act RSASHA1 Jun 15 2009 08:58:26
                  sub.example.de. 11091 ZSK pub RSAMD5  Jun 24 2009 17:12:33
                  sub.example.de. 38598 ZSK act RSAMD5  Jun 15 2009 08:56:24


Signing the zone with dnssec-signzone and *not* turning off the
verification of the zone (via -P) gives me a lot of error messages:

$ dnssec-signzone -o sub.example.de zone.db 
Verifying the zone using the following algorithms: RSASHA1.
Missing self signing KSK for algorithm RSAMD5
Missing ZSK for algorithm RSASHA1
Missing RSASHA1 signature for sub.example.de NSEC
Missing RSASHA1 signature for sub.example.de SOA
Missing RSASHA1 signature for sub.example.de NS
Missing RSASHA1 signature for a.sub.example.de NSEC
Missing RSASHA1 signature for a.sub.example.de A
Missing RSASHA1 signature for b.sub.example.de NSEC
Missing RSASHA1 signature for b.sub.example.de A
Missing RSASHA1 signature for c.sub.example.de NSEC
Missing RSASHA1 signature for c.sub.example.de A
Missing RSASHA1 signature for localhost.sub.example.de NSEC
Missing RSASHA1 signature for localhost.sub.example.de A
The zone is not fully signed for the following algorithms: RSAMD5 RSASHA1.
dnssec-signzone: fatal: DNSSEC completeness test failed.

Does it mean that it is no longer possible to use different key algorithms
in one zone?

Thanks
 Holger
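The completeness test in the output above follows the RFC 4035 section 2.2 rule that every algorithm present in the apex DNSKEY RRset must sign every RRset in the zone. The following is an added model of that rule, not code from the post or from BIND; the zone contents and the helper names are constructed for the example.

```python
from collections import defaultdict

APEX = "sub.example.de"


def sample_zone(zsk_alg):
    """Constructed sample: one RSASHA1 KSK plus one ZSK of the given algorithm,
    signed the usual way (the KSK signs the DNSKEY RRset, the ZSK signs the rest)."""
    dnskeys = [("KSK", "RSASHA1"), ("ZSK", zsk_alg)]
    rrsets = [(APEX, "SOA"), (APEX, "NS"), (APEX, "NSEC"), (APEX, "DNSKEY"),
              ("a.sub.example.de", "A"), ("a.sub.example.de", "NSEC")]
    rrsigs = {(owner, rrtype, zsk_alg) for owner, rrtype in rrsets if rrtype != "DNSKEY"}
    rrsigs.add((APEX, "DNSKEY", "RSASHA1"))
    return dnskeys, rrsets, rrsigs


def completeness_test(apex, dnskeys, rrsets, rrsigs):
    """Model of the RFC 4035 s2.2 rule: every algorithm in the apex DNSKEY RRset must
    sign every RRset. Returns diagnostics in the style of dnssec-signzone; [] means pass."""
    errors, incomplete = [], set()
    algs = sorted({alg for _, alg in dnskeys})
    roles = defaultdict(set)
    for role, alg in dnskeys:
        roles[alg].add(role)
    for alg in algs:
        # each algorithm needs a KSK that self-signs the DNSKEY RRset and a ZSK for the rest
        if (apex, "DNSKEY", alg) not in rrsigs:
            errors.append(f"Missing self signing KSK for algorithm {alg}")
            incomplete.add(alg)
        if "ZSK" not in roles[alg]:
            errors.append(f"Missing ZSK for algorithm {alg}")
            incomplete.add(alg)
    for owner, rrtype in rrsets:
        if rrtype == "DNSKEY":
            continue
        for alg in algs:
            if (owner, rrtype, alg) not in rrsigs:
                errors.append(f"Missing {alg} signature for {owner} {rrtype}")
                incomplete.add(alg)
    if incomplete:
        errors.append("The zone is not fully signed for the following algorithms: "
                      + " ".join(sorted(incomplete)) + ".")
    return errors


if __name__ == "__main__":
    for zsk_alg in ("RSAMD5", "RSASHA1"):
        print(f"--- ZSK algorithm {zsk_alg}")
        print("\n".join(completeness_test(APEX, *sample_zone(zsk_alg))) or "zone is fully signed")
```

With an RSASHA1 KSK and an RSAMD5 ZSK the model reproduces the "Missing self signing KSK", "Missing ZSK" and per-RRset lines from the post; with both keys on RSASHA1 it reports nothing.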