DNSSEC zone signing problem

itservices88 itservices88 at gmail.com
Thu May 20 19:10:53 UTC 2010


I am having a dnssec problem while signing zone:

# dnssec-signzone -N INCREMENT mydomain.org
Verifying the zone using the following algorithms: RSASHA1.
Missing RSASHA1 signature for . NSEC
The zone is not fully signed for the following algorithms: RSASHA1.
dnssec-signzone: fatal: DNSSEC completeness test failed.

What could be wrong?

I have followed these steps:

OS = CentOS 5.4 with bind-9.6.2-3.P1

dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mydomain.org
dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE mydomain.org
cat Kmydomain.org.+005+*.key >> mydomain.org
dnssec-signzone -N INCREMENT mydomain.org

Under options in named.conf

        dnssec-enable yes;
        dnssec-validation yes;
//      dnssec-lookaside "." trust-anchor "DLV.ISC.ORG";

With the trust-anchor line uncommented, as soon as I enable it and reload BIND, dig
times out, while dig has no issues with only the first two lines enabled.

#more /etc/sysconfig/dnssec
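The completeness test that fails in the post, as an added example (not code from the post, from the poster, or from BIND): a small Python checker that parses a signed zone in presentation format and reports, for each algorithm in the apex DNSKEY RRset, every authoritative RRset that lacks an RRSIG of that algorithm, in the same wording dnssec-signzone uses. It does not validate signatures and it does not say what went wrong in the poster's zone; it shows what the message means and which owner/type pair to inspect. It also flags owner names that are not at or below the apex, a sanity check of this script's own (the message in the post names `.` as the owner, and the post does not say how that record got there). The helper that decodes a dnssec-keygen file name is added too; the `+005+` in the post's `cat Kmydomain.org.+005+*.key` is algorithm number 5, RSASHA1. The zone text, key tags, key material and signature blobs are constructed, and the function names (`parse_zone`, `completeness_test`, `check_zone_text`, `parse_keyfile_name`) are this example's own.

```python
"""Added example (not from the post or from BIND): an offline approximation of
the DNSSEC completeness test dnssec-signzone runs after signing. It checks that
every authoritative RRset carries an RRSIG for each algorithm present in the
apex DNSKEY RRset. Signatures are NOT validated; the sample zone is constructed."""
import re
from collections import defaultdict

# IANA DNSSEC algorithm numbers -> the names dnssec-signzone prints.
ALGORITHM_NAMES = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}
KEYFILE_RE = re.compile(r"^K(?P<zone>.+?)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(key|private)$")


def parse_keyfile_name(name):
    """K<zone>.+<alg>+<keytag>.key; the +005+ in the post's glob is algorithm 5 = RSASHA1."""
    m = KEYFILE_RE.match(name)
    if not m:
        raise ValueError(f"not a dnssec-keygen file name: {name}")
    return m.group("zone") + ".", int(m.group("alg")), int(m.group("tag"))


def parse_zone(text):
    """One RR per line, $ORIGIN honoured, no $INCLUDE or multi-line records.
    Returns {(absolute owner, TYPE): [rdata token lists]}."""
    origin, last_owner = None, None
    rrsets = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if line[0].isspace():  # blank owner field: reuse the previous owner
            owner = last_owner
        else:
            owner = tokens.pop(0)
            if owner == "@" or not owner.endswith("."):
                if origin is None:
                    raise ValueError("relative owner name before $ORIGIN")
                owner = origin if owner == "@" else f"{owner}.{origin}"
        last_owner = owner
        if tokens and tokens[0].isdigit():  # optional TTL
            tokens = tokens[1:]
        if tokens and tokens[0].upper() == "IN":  # optional class
            tokens = tokens[1:]
        rrsets[(owner, tokens[0].upper())].append(tokens[1:])
    return rrsets


def completeness_test(rrsets, zone_name):
    """Return dnssec-signzone style problem strings (empty list = fully signed)."""
    apex = zone_name if zone_name.endswith(".") else zone_name + "."
    # Algorithms the zone claims: every non-revoked (flag bit 0x80) DNSKEY at the apex.
    algs = {int(rd[2]) for rd in rrsets.get((apex, "DNSKEY"), []) if not int(rd[0]) & 0x80}
    if not algs:
        return ["No usable DNSKEY RRset at the zone apex"]
    signed_with = defaultdict(set)  # (owner, covered type) -> algorithms that signed it
    for (owner, rtype), rdatas in rrsets.items():
        if rtype == "RRSIG":
            for rd in rdatas:  # RRSIG rdata: type_covered alg labels ttl exp inc tag signer sig
                signed_with[(owner, rd[0].upper())].add(int(rd[1]))
    cuts = {o for (o, t) in rrsets if t == "NS" and o != apex}  # delegation points
    problems = []
    for owner, rtype in sorted(rrsets):
        if rtype == "RRSIG":  # signatures are never themselves signed
            continue
        if owner != apex and not owner.endswith("." + apex):
            problems.append(f"Out-of-zone owner name {owner} {rtype}")  # this script's own check
            continue
        # At/below a cut only DS and NSEC are authoritative; NS and glue are unsigned.
        if any(owner == c or owner.endswith("." + c) for c in cuts) and rtype not in ("DS", "NSEC"):
            continue
        for alg in sorted(algs - signed_with[(owner, rtype)]):
            problems.append(f"Missing {ALGORITHM_NAMES.get(alg, str(alg))} signature for {owner} {rtype}")
    return problems


# Constructed sample: a signed mydomain.org with one RRSIG deliberately left out.
SAMPLE_ZONE = """$ORIGIN mydomain.org.
@   3600 IN SOA    ns1.example.net. hostmaster 2010052001 7200 3600 1209600 3600
@   3600 IN RRSIG  SOA 5 2 3600 20100620000000 20100521000000 12345 mydomain.org. c29h
@   3600 IN NS     ns1.example.net.
@   3600 IN RRSIG  NS 5 2 3600 20100620000000 20100521000000 12345 mydomain.org. bnM=
@   3600 IN DNSKEY 256 3 5 AwEAAczsk   ; ZSK (constructed key material)
@   3600 IN DNSKEY 257 3 5 AwEAAcksk   ; KSK (constructed key material)
@   3600 IN RRSIG  DNSKEY 5 2 3600 20100620000000 20100521000000 54321 mydomain.org. ZG5z
@   3600 IN NSEC   www NS SOA RRSIG NSEC DNSKEY
@   3600 IN RRSIG  NSEC 5 2 3600 20100620000000 20100521000000 12345 mydomain.org. bnNl
www 3600 IN A      192.0.2.2
www 3600 IN RRSIG  A 5 3 3600 20100620000000 20100521000000 12345 mydomain.org. YTI=
www 3600 IN NSEC   mydomain.org. A RRSIG NSEC   ; its RRSIG is missing on purpose
"""


def check_zone_text(text, zone_name):
    return completeness_test(parse_zone(text), zone_name)


if __name__ == "__main__":
    for p in check_zone_text(SAMPLE_ZONE, "mydomain.org"):
        print(p)  # -> Missing RSASHA1 signature for www.mydomain.org. NSEC
```

Run it against the output of dnssec-signzone (the `.signed` file) after flattening multi-line records, or against the unsigned zone to confirm every owner name is actually under the apex before signing. The real tool additionally verifies each signature cryptographically and checks the NSEC chain; this script only does the per-algorithm presence check that the quoted error message comes from.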

