Automated DNSSEC (command line)
Casey T. Deccio
casey at deccio.net
Sat May 29 01:23:00 UTC 2010
On May 28, 2010, at 5:11 PM, Michelle Konzack wrote:
> I have updated the serial number manually and it just updated <dns2>...
> OK, now I have tried the second Zone
> but it tell me:
> RRSIG itsystems.tamay-dogan.net/SOA by 005+19470: Signature is bogus
> really weird, because the Zone is like others. How can I check this?
To have dnssec-signzone increment the zone automatically, use the '-N increment' option. If you simply increment the serial of an already signed zone without updating the signature, the signature no longer matches because the SOA record has changed.
This assumes a non-dynamic (i.e., manually updated) zone. If you submit updates to a dynamic zone, as Mark suggested, the serial will be updated and resigned as part of the update.
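The mechanism behind the "Signature is bogus" error, as an added illustration (not from the original thread): the RRSIG covers the SOA RDATA in canonical wire form, and the serial is part of that RDATA, so bumping the serial by hand without re-signing leaves a signature over data that no longer exists. The key, TTLs and serial below are constructed, and an HMAC stands in for the real RSA/ECDSA signing step so the script runs offline.

```python
import hmac, hashlib, struct

# Constructed stand-in for a zone-signing key; real RRSIGs use RSA/ECDSA, not HMAC.
ZSK = b"example-zsk-constructed"

def name_wire(name):
    """Encode a DNS name in canonical (lowercase, fully qualified) wire form, RFC 4034 s6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum):
    """SOA RDATA: the serial is part of the data that the RRSIG covers."""
    return (name_wire(mname) + name_wire(rname)
            + struct.pack("!IIIII", serial, refresh, retry, expire, minimum))

def canonical_rr(owner, rdata, ttl, rrtype=6, rrclass=1):
    """owner | type | class | TTL | RDLENGTH | RDATA, as fed to the signer (type 6 = SOA)."""
    return name_wire(owner) + struct.pack("!HHIH", rrtype, rrclass, ttl, len(rdata)) + rdata

def sign(rr):
    return hmac.new(ZSK, rr, hashlib.sha256).digest()

def verify(rr, sig):
    return hmac.compare_digest(sign(rr), sig)

def increment_serial(serial):
    """What 'dnssec-signzone -N increment' does to the serial: +1 in 32-bit (RFC 1982) arithmetic."""
    return (serial + 1) % (1 << 32)

def demo(owner="itsystems.tamay-dogan.net.", serial=2010052801):
    # Constructed SOA fields; only the serial changes between the three variants below.
    base = dict(mname="dns1." + owner, rname="hostmaster." + owner,
                refresh=3600, retry=900, expire=604800, minimum=300)
    signed = canonical_rr(owner, soa_rdata(serial=serial, **base), 3600)
    rrsig = sign(signed)
    # Case 1: serial edited by hand in the already-signed zone, RRSIG left alone -> bogus.
    bumped = canonical_rr(owner, soa_rdata(serial=serial + 1, **base), 3600)
    manual_ok = verify(bumped, rrsig)
    # Case 2: serial incremented and the SOA re-signed in the same signing run -> valid.
    new_serial = increment_serial(serial)
    resigned = canonical_rr(owner, soa_rdata(serial=new_serial, **base), 3600)
    auto_ok = verify(resigned, sign(resigned))
    return manual_ok, auto_ok, new_serial

if __name__ == "__main__":
    print(demo())  # (False, True, 2010052802)
```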