Automated DNSSEC (command line)

Casey T. Deccio casey at deccio.net
Sat May 29 01:23:00 UTC 2010


On May 28, 2010, at 5:11 PM, Michelle Konzack wrote:
> 
> I have updated the serial number manually and it just updated <dns2>...
> 
> OK, now I have tried the second Zone
> 
>    <http://dnsviz.net/d/itsystems.tamay-dogan.net/dnssec/>
> 
> but it tells me:
> 
>  RRSIG itsystems.tamay-dogan.net/SOA by 005+19470: Signature is bogus 
> 
> really weird, because the Zone is like others. How can I check this?
> 

To have dnssec-signzone increment the zone automatically, use the '-N increment' option.  If you simply increment the serial of an already signed zone without updating the signature, the signature no longer matches because the SOA record has changed.

This assumes a non-dynamic (i.e., manually updated) zone.  If you submit updates to a dynamic zone, as Mark suggested, the serial will be updated and resigned as part of the update.

Regards,
Casey
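As an added illustration of the workflow Casey describes (this is not code from the thread or from BIND itself), the script below lets dnssec-signzone bump the serial and regenerate the signatures in one step with '-N increment', and keeps a separate bump-only helper to show the step that, done on its own, leaves the SOA RRSIG stale. Zone name, file paths and key directory are placeholders; the sample zone is constructed inline; get_serial and bump_serial assume the SOA RDATA is written on a single line (a parenthesised multi-line SOA needs a real parser). dnssec-verify is only available in newer BIND releases, so it is called only if present.

```shell
#!/bin/sh
# Added example, not from the original bind-users post.
# Placeholders: example.net, /etc/bind/keys. Assumes a one-line SOA record.

# get_serial FILE: print the SOA serial (third RDATA field after "SOA").
get_serial() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "SOA") { print $(i+3); exit } }' "$1"
}

# bump_serial FILE: increment the SOA serial in place. On its own this is
# exactly the mistake from the thread: the SOA RRset changes but the RRSIG
# covering it does not, so validators report the signature as bogus.
# Always follow it with a re-sign, or skip it and use resign_zone instead.
bump_serial() {
    awk '!done { for (i = 1; i <= NF; i++) if ($i == "SOA") { $(i+3) = $(i+3) + 1; done = 1; break } } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# resign_zone ZONE FILE KEYDIR: sign FILE for ZONE with the keys in KEYDIR.
# -N increment makes dnssec-signzone bump the serial itself, so the new
# SOA RRSIG is computed over the new serial. Output goes to FILE.signed.
resign_zone() {
    zone=$1; zonefile=$2; keydir=$3
    command -v dnssec-signzone >/dev/null 2>&1 || {
        echo "dnssec-signzone not installed" >&2; return 2; }
    dnssec-signzone -N increment -o "$zone" -K "$keydir" "$zonefile" || return 1
    # Check the result before it is loaded: syntax first, signatures if possible.
    named-checkzone "$zone" "$zonefile.signed" >/dev/null || return 1
    if command -v dnssec-verify >/dev/null 2>&1; then
        dnssec-verify -o "$zone" "$zonefile.signed" || return 1
    fi
}

# Constructed sample zone (placeholder names), written to a temp file.
SAMPLE_ZONE=$(mktemp)
cat > "$SAMPLE_ZONE" <<'EOF'
; constructed sample zone, not the zone from the thread
$TTL 3600
example.net.     IN SOA ns1.example.net. hostmaster.example.net. 2010052901 3600 900 1209600 3600
example.net.     IN NS  ns1.example.net.
ns1.example.net. IN A   192.0.2.1
EOF

echo "current serial: $(get_serial "$SAMPLE_ZONE")"

# Typical use on a real zone: resign_zone example.net /etc/bind/example.net.zone /etc/bind/keys
if [ "$#" -eq 3 ]; then
    resign_zone "$@"
fi
```

After resign_zone the signed file carries the incremented serial and fresh RRSIGs; reload that file (FILE.signed), not the unsigned source, or the serial and signatures served will again drift apart.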

More information about the bind-users mailing list