Single nameserver doesn't show signed SOA-RRs

Stefan Foerster cite at incertum.net
Thu Jun 30 03:14:06 UTC 2011


* Zenon Panoussis <oracle at provocation.net>:
> On 06/29/2011 10:57 PM, Stefan Foerster wrote:
> 
> > ...it complains that ns3.wars-nicht.de doesn't have a
> > signed SOA. 
> 
> It complains that the SOA of wars-nicht.de itself is not signed, or that
> ns3.wars-nicht.de does not have a signed SOA for billigmail.org and
> incertum.net?

The exact error message is: "does not have a signed SOA" -
http://bit.ly/jvScM0 

> > I already tried increasing the serial for those zones to retransfer them, 
> > but the error seems to persist.
> 
> Check whether the zone transfer actually took place. Even if you increase
> the serial and send notifies, there could be a misconfiguration somewhere
> preventing the notifies from getting through or the transfer from taking
> place.

I did that, of course:

Jun 29 22:31:31 thrassa named[3212]: zone billigmail.org/IN/external: loaded serial 2011062902 (DNSSEC signed)
Jun 29 22:31:31 thrassa named[3212]: zone billigmail.org/IN/external: sending notifies (serial 2011062902)
Jun 29 22:31:31 thrassa named[3212]: client 88.198.26.233#56054: view external: transfer of 'incertum.net/IN': AXFR-style IXFR started
Jun 29 22:31:31 thrassa named[3212]: client 88.198.26.233#56054: view external: transfer of 'incertum.net/IN': AXFR-style IXFR ended

> Looking at them now, all three seem to have the same serial, 2011062902
> for both domains.

cite@helena:~$ dig billigmail.org soa @88.198.26.233 +short
thrassa.incertum.net. hostmaster.incertum.net. 2011062902 14400 3600 604800 7200

I'm really puzzled - especially because dnsviz.net also complains
about missing RRSIGs from 88.198.26.233 - and the admin of
88.198.26.233 told me he doesn't see any unusual errors in his logs.

Do you have any further ideas on what to check?


Cheers
Stefan
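
Added example, not part of the original message: a matching serial only shows that the transfer happened, and a dig query without +dnssec never returns RRSIGs, so the sketch below asks each server directly with the DO bit set and reports whether a signature over the SOA came back. The function names, the 192.0.2.x addresses and the sample answers are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Names and sample data are constructed.

# Ask one server directly: +dnssec sets the DO bit so RRSIGs are returned,
# +norec makes the reply that server's own copy of the zone.
query_soa() {
    dig +dnssec +norec +noall +answer "$1" SOA "@$2"
}

# Read a dig answer section on stdin; print the SOA serial and whether an
# RRSIG covering SOA came with it.
soa_sig_status() {
    awk '
        $4 == "SOA"                  { serial = $7 }
        $4 == "RRSIG" && $5 == "SOA" { signed = "yes" }
        END {
            if (serial == "") serial = "none"
            if (signed == "") signed = "no"
            printf "serial=%s signed=%s\n", serial, signed
        }'
}

# check_servers ZONE SERVER...: one status line per server; exit status 1
# if any server answered without a signature over the SOA.
check_servers() {
    zone=$1; shift; rc=0
    for server in "$@"; do
        st=$(query_soa "$zone" "$server" | soa_sig_status)
        echo "$server $st"
        case $st in *signed=yes) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed answers (placeholder signature, key tag and timestamps).
SIGNED_SAMPLE='billigmail.org. 7200 IN SOA thrassa.incertum.net. hostmaster.incertum.net. 2011062902 14400 3600 604800 7200
billigmail.org. 7200 IN RRSIG SOA 8 2 7200 20110729213131 20110629213131 12345 billigmail.org. Q09OU1RSVUNURUQ='
UNSIGNED_SAMPLE='billigmail.org. 7200 IN SOA thrassa.incertum.net. hostmaster.incertum.net. 2011062902 14400 3600 604800 7200'

# Offline demonstration on the constructed answers.
printf '%s\n' "$SIGNED_SAMPLE"   | soa_sig_status
printf '%s\n' "$UNSIGNED_SAMPLE" | soa_sig_status
```

Against live servers, check_servers takes the zone followed by the address of each authoritative server; a secondary that reports the current serial with signed=no is serving an unsigned copy of the zone.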



More information about the bind-users mailing list