Dnssec zone signing problem
sbivol at bluecatnetworks.com
Fri May 21 13:35:31 UTC 2010
We have a similar issue. And this is my understanding of it:
>From briefly looking at the source, it seems that as of 9.6.2-P1 the
dnssec-signzone tool performs some additional validation after the
signing is complete.
Previously, it could only verify the signatures it generated, if "-a" is
used on the command line.
More recently though, dnssec-signzone also performs some higner level
validation after it's done signing. This is called "post signing
We were invoking the dnssec-signzone tool once with each key. We'd start
by signing with KSK, then sign with ZSK. When we upgraded to 9.6.2-P1,
dnssec-signzone started failing with errors when signing with KSK:
Verifying the zone using the following algorithms: RSASHA1.
no signatures for example.com/NSEC
no signatures for example.com/SOA
no signatures for example.com/NS
no signatures for subzone.example.com/NSEC
no signatures for subzone.example.com/A
Then we tried signing with both KSK and ZSK at the same time, but got
some other error (no self signed KSK found). Without spending more time
on this we found a workaround - to disable post signing validation with
the newly introduced paratmeter "-P".
This is what BIND ARM says:
-P Disable post sign verification tests.
The post sign verification test ensures that for each algorithm in use
there is at least one non
revoked self signed KSK key, that all revoked KSK keys are self signed,
and that all records in the
zone are signed by the algorithm. This option skips these tests.
At some point we will revisit this issue to understand how to sign the
zone so that it passes the post signing validation.
More information about the bind-users