error while attempting to use nsupdate on a DNSSEC signed zone

Mark Andrews Mark_Andrews at isc.org
Wed May 13 07:38:10 UTC 2009


In message <4B18A8F75A6384449755BC7784073E93603B776C39 at exch11.olympus.f5net.com
> Hello -
> 
> (bind9.6.0-P1)
> 
> I have set up a zone that is signed.
> It is an island of security zone for testing purposes.
> 
> I have set up a TSIG key and set the allow-update
> to accept the key.
> 
> I have followed every step, afaict, in the various
> how-tos on how to sign a zone.
> 
> But when I try to do an update, I get an error.
> 
> All the error says is
> signer "update.test.net" approved
> 13-May-2009 14:16:37.947 client 127.0.0.1#2490: view external: updating zone 'test.net/IN': adding an RR at 'blah.test.net' A
> 13-May-2009 14:16:37.953 client 127.0.0.1#2490: view external: updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure
> "failure" is all it says for a reason.
> 
> I looked at the bind source, and there are some more useful error messages about keys etc.
> But all I am getting is "failure".
> 
> If I do the same nsupdate without DNSSEC, it works.
> It appears there is something wrong with my setup and the regeneration of the RRSIG/NSEC
> keys is failing. (I have tried it with both NSEC and NSEC3 keys)
> 
> I will put together a (simpler) named.conf and zone file that causes this and post that info,
> but I was hoping that maybe somebody has seen this and has an idea.
> 
> Thanks
> 
> 
> --
> Jack Tavares

	Have you told named where the private keys are (key-directory)?
	
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
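
Added example, not part of the thread and not BIND code: one way to check the condition the reply asks about, by computing the RFC 4034 key tag of each DNSKEY in the zone and testing whether the matching `K<zone>+<alg>+<tag>.private` file (the name dnssec-keygen uses) is readable in the directory named needs to find it in (key-directory, or its working directory if that is unset). It assumes single-line DNSKEY records owned by the zone apex; the function names are hypothetical and the `AQAB` key is a constructed placeholder.

```python
import base64
import os
import struct

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1, RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def expected_private_files(zone_text, origin):
    """File names dnssec-keygen gives the private half of each DNSKEY.

    Assumes one DNSKEY per line (no parentheses) owned by the zone apex.
    """
    apex = origin.rstrip(".").lower() + "."
    names = []
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()
        if not fields:
            continue
        rest = fields if line[0].isspace() else fields[1:]
        # Skip optional TTL and class to reach the record type.
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]
        if len(rest) < 5 or rest[0].upper() != "DNSKEY":
            continue  # RRSIG/NSEC lines that merely mention DNSKEY land here
        flags, protocol, algorithm = (int(x) for x in rest[1:4])
        tag = key_tag(flags, protocol, algorithm, "".join(rest[4:]))
        names.append("K%s+%03d+%05d.private" % (apex, algorithm, tag))
    return names

def missing_private_keys(zone_text, origin, key_directory):
    """Expected .private files that the current user cannot read."""
    return [name for name in expected_private_files(zone_text, origin)
            if not os.access(os.path.join(key_directory, name), os.R_OK)]

if __name__ == "__main__":
    # Constructed sample: "AQAB" is a placeholder, not a usable public key.
    sample = "test.net. 3600 IN DNSKEY 257 3 5 AQAB\n"
    for name in missing_private_keys(sample, "test.net", "."):
        print("named cannot re-sign without:", name)
```

Run it as the account named runs under, since the readability check uses the current user's permissions.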



More information about the bind-users mailing list