Dnssec zone signing problem

Sergiu Bivol sbivol at bluecatnetworks.com
Fri May 21 18:33:18 UTC 2010

>Hmm... dnssec-signzone (version 9.7.0-P1) seems to work perfectly well:
>dnssec-signzone -k Kexample.com.+008+53749.key -N INCREMENT -g -o
example.com example.com Kexample.com.+008+41979 Verifying the zone using
the following algorithms: RSASHA256. 
>Zone signing complete:
>Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked 
>		      ZSKs: 1 active, 1 stand-by, 0 revoked

Did some more digging with dnssec-signzone (v9.7.0-P2 and 9.6.2-P2). It
works if:
a) both KSK and ZSK are specified on the command line
b) their DNSKEY records are in the zone file
c) their key files exist on disk.

If only KSK is specified in a), it also works if b) and c) are met.
However, if in c) only KSK key files are on disk, but ZSK key files are
not, dnssec-signzone fails with the errors mentioned earlier.

Prior to 9.6.2-P1, instead of failing, dnssec-signzone would sign only
the DNSKEY RRset with KSK. Then we'd invoke dnssec-signzone with ZSK to
sign everything else.

More information about the bind-users mailing list