Single nameserver doesn't show signed SOA-RRs
marc.lampo at eurid.eu
Thu Jun 30 05:38:49 UTC 2011
+ / let me guess / you use Smart Signing ?
Weird, this week, in my verification of DNSSEC'd domains by our registrars
I picked up exactly the same error :
no RRSIG on the SOA.
They filed a bug report to ISC about this.
Might be related to this Smart Signing thing -
can you confirm you are also using this ?
From: Stefan Foerster [mailto:cite at incertum.net]
Sent: 29 June 2011 10:57 PM
To: bind-users at isc.org
Subject: Single nameserver doesn't show signed SOA-RRs
I'm having a problem with a single authoritative server that seems to
not receive a signed zone.
I used www.zonecheck.fr to check the zones incertum.net and
billigmail.org and it complains that ns3.wars-nicht.de doesn't have a
signed SOA. I already tried increasing the serial for those zones to
retransfer them, but the error seems to persist.
The affected nameserver is a Debian/lenny running 9.6.ESV.R4, the two
other nameservers are Debian/squeeze running 9.7.3.
On the affected nameserver, the only configuration with regards to
DNSSEC was to add "dnssec-enable yes;" to the named configuration file
(and restart it afterwards).
Can anyone enlighten me on what I'm doing wrong here? I'd like to iron
out this before I submit my keys to my registrar.
More information about the bind-users