Dnssec zone signing problem
marka at isc.org
Fri May 21 03:10:29 UTC 2010
In message <AANLkTil_-LDs5T6SvsfgP6u_9ATKloV2xfoWYOOVsgNj at mail.gmail.com>, itse
> I am having a dnssec problem while signing zone:
> # dnssec-signzone -N INCREMENT mydomain.org
> Verifying the zone using the following algorithms: RSASHA1.
> Missing RSASHA1 signature for . NSEC
> The zone is not fully signed for the following algorithms: RSASHA1.
> dnssec-signzone: fatal: DNSSEC completeness test failed.
> What could be wrong ....
> I have followed these steps:
> OS = centos 5.4 with bind-9.6.2-3.P1
> dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mydomain.org
> dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE mydomain.org
> cat Kmydomain.org.+005+*.key >> mydomain.org
> dnssec-signzone -N INCREMENT mydomain.org
I suspect we will need to see the zone and the K* files. Open a
bug report with bind9-bugs at isc.org and send the files to see if we
can reproduce it.
> Under options in named.conf
named.conf will have no effect on this.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users