DNSSEC zone signing problem
itservices88 at gmail.com
Thu May 20 19:10:53 UTC 2010
I am having a DNSSEC problem while signing a zone:
# dnssec-signzone -N INCREMENT mydomain.org
Verifying the zone using the following algorithms: RSASHA1.
Missing RSASHA1 signature for . NSEC
The zone is not fully signed for the following algorithms: RSASHA1.
dnssec-signzone: fatal: DNSSEC completeness test failed.
What could be wrong?
I have followed these steps:
OS = CentOS 5.4 with bind-9.6.2-3.P1
dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mydomain.org
dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE mydomain.org
cat Kmydomain.org.+005+*.key >> mydomain.org
dnssec-signzone -N INCREMENT mydomain.org
Under options in named.conf:
// dnssec-lookaside "." trust-anchor "DLV.ISC.ORG";
With the trust-anchor uncommented, as soon as I enable and reload bind, dig
gives a timeout, while dig has no issues with the first two commands enabled.