Dnssec zone signing problem

Torsten toto at the-damian.de
Fri May 21 13:58:31 UTC 2010

Am Fri, 21 May 2010 09:35:31 -0400
schrieb "Sergiu Bivol" <sbivol at bluecatnetworks.com>:

> We were invoking the dnssec-signzone tool once with each key. We'd
> start by signing with KSK, then sign with ZSK. When we upgraded to
> 9.6.2-P1, dnssec-signzone started failing with errors when signing
> with KSK: -------------------
> Verifying the zone using the following algorithms: RSASHA1.
> no signatures for example.com/NSEC
> no signatures for example.com/SOA
> no signatures for example.com/NS
> no signatures for subzone.example.com/NSEC
> no signatures for subzone.example.com/A
> -------------------
> Then we tried signing with both KSK and ZSK at the same time, but got
> some other error (no self signed KSK found). Without spending more
> time on this we found a workaround - to disable post signing
> validation with the newly introduced paratmeter "-P".

Hmm... dnssec-signzone (version 9.7.0-P1) seems to work perfectly well:

dnssec-signzone -k Kexample.com.+008+53749.key -N INCREMENT -g -o
example.com example.com Kexample.com.+008+41979 
Verifying the zone using the following algorithms: RSASHA256. 
Zone signing complete:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked 
		      ZSKs: 1 active, 1 stand-by, 0 revoked 


More information about the bind-users mailing list