error while attempting to use nsupdate on a DNSSEC signed zone

Jack Tavares j.tavares at F5.com
Wed May 13 07:29:52 UTC 2009


I am running bind in a chroot jail, btw.

I had this working a while ago, and left it for a while
and then tried to set it up again, with no luck.

I am sure it is something simple...
--
Jack Tavares


________________________________
From: bind-users-bounces at lists.isc.org [bind-users-bounces at lists.isc.org] On Behalf Of Jack Tavares [j.tavares at F5.com]
Sent: Wednesday, May 13, 2009 10:27
To: bind-users at lists.isc.org
Subject: error while attempting to use nsupdate on a DNSSEC signed zone

Hello -

(bind9.6.0-P1)

I have set up a zone that is signed.
It is an island of security zone for testing purposes.

I have set up a TSIG key and set the allow-update
to accept the key.

I have followed every step, afaict, in the various
how-tos on how to sign a zone.

But when I try to do an update, I get an error.

All the error says is
signer "update.test.net" approved
13-May-2009 14:16:37.947 client 127.0.0.1#2490: view external: updating zone 'test.net/IN': adding an RR at 'blah.test.net' A
13-May-2009 14:16:37.953 client 127.0.0.1#2490: view external: updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure
"failure" is all it says for a reason.

I looked at the bind source, and there are some more useful error messages about keys etc.
But all I am getting is "failure".

If I do the same nsupdate without DNSSEC, it works.
It appears there is something wrong with my setup and the regeneration of the RRSIG/NSEC
keys is failing. (I have tried it with both NSEC and NSEC3 keys)

I will put together a (simpler) named.conf and zone file that causes this and post that info,
but I was hoping that maybe somebody has seen this and has an idea.

Thanks


--
Jack Tavares
