Single nameserver doesn't show signed SOA-RRs

Marc Lampo marc.lampo at
Thu Jun 30 05:38:49 UTC 2011

+ / let me guess / you use Smart Signing ?

Weird, this week, in my verification of DNSSEC'd domains by our registrars
I picked up exactly the same error :
no RRSIG on the SOA.

They filed a bug report to ISC about this.
Might be related to this Smart Signing thing -
can you confirm you are also using this ?

Kind regards,

Marc Lampo
Security Officer

-----Original Message-----
From: Stefan Foerster [mailto:cite at] 
Sent: 29 June 2011 10:57 PM
To: bind-users at
Subject: Single nameserver doesn't show signed SOA-RRs

Hello world,

I'm having a problem with a single authoritative server that seems to
not receive a signed zone.

I used to check the zones and and it complains that doesn't have a
signed SOA. I already tried increasing the serial for those zones to
retransfer them, but the error seems to persist.

The affected nameserver is a Debian/lenny running 9.6.ESV.R4, the two
other nameservers are Debian/squeeze running 9.7.3.

On the affected nameserver, the only configuration with regards to
DNSSEC was to add "dnssec-enable yes;" to the named configuration file
(and restart it afterwards).

Can anyone enlighten me on what I'm doing wrong here? I'd like to iron
out this before I submit my keys to my registrar.


More information about the bind-users mailing list