Problem with DNSSEC signing zone

William Thierry SAMEN thierry.samen at
Fri Jul 20 09:52:33 UTC 2012

Hi all Bind users,
i just have a problem with my zone signing output i made all the steps to
obtain a good result.

   1.  Generated KSK and ZSK
   2. Add both of keys at the end of my zone file
   3. signing my zone with dnssec-signzone command
   4. enable dnssec in named options
   5. change the name of my zone in the named by namezone.signed
   6. I got the root DNSKEY RR set before with dig command and redirect the
   outpout in root-dnskey file
   7. I turned the DNSKEY into DS RR set also, with dnssec-dsfromkey

all this steps have been done well but, when i made a dig for testing the
result, i can't seen my section answer with RRSIG or ad flag

someone know what can i made to solve this problem please.

my zone name is ** and when i tested my Bind with a sign
domain like **, the result is good.

*dig +dnssec gave *me a good answer

dig +dnssec return a solution without RRSIG records or ad flag

Thanks for your help

Thierry *SAMEN.*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list