Dnssec zone signing problem
Hauke Lampe
list+bindusers at hauke-lampe.de
Thu May 20 19:51:19 UTC 2010
On 05/20/2010 09:10 PM, itservices88 wrote:

> Verifying the zone using the following algorithms: RSASHA1.
> Missing RSASHA1 signature for . NSEC

You seem to have a record for "." somewhere in your zone file.
Did you load the unsigned zone into BIND before? It should have logged a
warning about that record.

> dnssec-enable yes;
> dnssec-validation yes;
> // dnssec-lookaside "." trust-anchor "DLV.ISC.ORG";

> With the trust-anchor uncommented, as soon as I enable and reload bind, dig
> gives timeout, while dig has no issues with first two commands enabled.

Do you have a firewall in the path that would block large DNS responses
or fragments?

Hauke.
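
The first point in the reply, a record owned by "." inside the zone file, can be checked before the signer is run. The following is an added example, not part of the original message and not BIND code: a simplified scan for owner names that fall outside the zone, run on a constructed sample zone. The function names and the `example.com.` apex are assumptions.

```python
# Added example: flag owner names that fall outside the zone being signed.
# Simplified master-file handling: $ORIGIN, "@", relative/absolute owners, owner
# inheritance on indented lines, ";" comments, ( ) continuation. No $INCLUDE.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@       3600 IN SOA ns1 hostmaster 1 7200 900 1209600 3600
        3600 IN NS  ns1
ns1     3600 IN A   192.0.2.1
.       3600 IN NS  ns1.example.com.   ; constructed: stray root-owned record
www.example.net. 3600 IN A 192.0.2.2   ; constructed: name in another zone
"""

def absolute(name, origin):
    """Expand an owner name to a lower-case fully qualified name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return (name + "." + origin).lower() if origin != "." else (name + ".").lower()

def out_of_zone_owners(text, apex):
    """Return (line number, owner) for records whose owner is not at or below apex."""
    apex = apex.lower()
    origin, owner, depth, found = apex, None, 0, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        continuation = depth > 0          # still inside a multi-line ( ... ) record
        depth += line.count("(") - line.count(")")
        if continuation:
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            origin = absolute(fields[1], origin)
            continue
        if fields[0].startswith("$"):
            continue                      # $TTL and other directives carry no owner
        if not line[0].isspace():         # indented lines inherit the previous owner
            owner = absolute(fields[0], origin)
        if owner is not None and owner != apex and not owner.endswith("." + apex):
            found.append((lineno, owner))
    return found

if __name__ == "__main__":
    for lineno, owner in out_of_zone_owners(SAMPLE_ZONE, "example.com."):
        print(f"line {lineno}: owner {owner} is outside example.com.")
```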