Dnssec zone signing problem
Mark Andrews
marka at isc.org
Fri May 21 03:10:29 UTC 2010
In message <AANLkTil_-LDs5T6SvsfgP6u_9ATKloV2xfoWYOOVsgNj at mail.gmail.com>, itservices88 writes:
> Hi,
>
> I am having a dnssec problem while signing zone:
>
> # dnssec-signzone -N INCREMENT mydomain.org
> Verifying the zone using the following algorithms: RSASHA1.
> Missing RSASHA1 signature for . NSEC
> The zone is not fully signed for the following algorithms: RSASHA1.
> dnssec-signzone: fatal: DNSSEC completeness test failed.
>
> What could be wrong ....
>
> I have followed these steps:
>
> OS = centos 5.4 with bind-9.6.2-3.P1
> http://jason.roysdon.net/2009/10/16/building-bind-9-6-on-rhel5-centos5-for-dnssec-nsec3-support/
>
> dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mydomain.org
> dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE mydomain.org
> cat Kmydomain.org.+005+*.key >> mydomain.org
> dnssec-signzone -N INCREMENT mydomain.org

I suspect we will need to see the zone and the K* files. Open a
bug report with bind9-bugs at isc.org and send the files to see if we
can reproduce it.

> Under options in named.conf

named.conf will have no effect on this.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org