Dnssec zone signing problem

Mark Andrews marka at isc.org
Fri May 21 03:07:17 UTC 2010

In message <20100520192619.GA27703 at laperouse.bortzmeyer.org>, Stephane Bortzmeyer writes:
> On Thu, May 20, 2010 at 12:10:53PM -0700,
>  itservices88 <itservices88 at gmail.com> wrote 
>  a message of 92 lines which said:
> > # dnssec-signzone -N INCREMENT mydomain.org
> > Verifying the zone using the following algorithms: RSASHA1.
> > Missing RSASHA1 signature for . NSEC
> > The zone is not fully signed for the following algorithms: RSASHA1.
> > dnssec-signzone: fatal: DNSSEC completeness test failed.
> I do not find these error messages in BIND source code. Are you sure
> you use the pristine dnssec-signzone and not, say, a local custom
> script?

The message is there.
                                fprintf(stderr, "Missing %s signature for "
                                        "%s %s\n", algbuf, namebuf, typebuf);

> (dnssec-signzone is supposed to sign the zone, not to check that it is
> signed.)

There are lots of ways to use dnssec-signzone to "sign" a zone such
that you can't validate it.  You can also disable the checks if you
need to take the zone through such a state.  It's on by default so
it becomes hard to shoot yourself in the foot.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
