Dnssec zone signing problem

Mark Andrews marka at isc.org
Fri May 21 03:10:29 UTC 2010

In message <AANLkTil_-LDs5T6SvsfgP6u_9ATKloV2xfoWYOOVsgNj at mail.gmail.com>, itse
rvices88 writes:
> Hi,
> I am having a dnssec problem while signing zone:
> # dnssec-signzone -N INCREMENT mydomain.org
> Verifying the zone using the following algorithms: RSASHA1.
> Missing RSASHA1 signature for . NSEC
> The zone is not fully signed for the following algorithms: RSASHA1.
> dnssec-signzone: fatal: DNSSEC completeness test failed.
> What could be wrong ....
> I have followed these steps:
> OS = centos 5.4 with bind-9.6.2-3.P1
> http://jason.roysdon.net/2009/10/16/building-bind-9-6-on-rhel5-centos5-for-dn
> ssec-nsec3-support/
> dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mydomain.org
> dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE mydomain.org
> cat Kmydomain.org.+005+*.key >> mydomain.org
> dnssec-signzone -N INCREMENT mydomain.org

I suspect we will need to see the zone and the K* files.  Open a
bug report with bind9-bugs at isc.org and send the files to see if we
can reproduce it.

> Under options in named.conf

named.conf will have no effect on this.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list