Problem with DNSSEC signing zone

Carsten Strotmann cas at
Fri Jul 20 10:28:44 UTC 2012

Hello Thierry SAMEN,

On Fri, 20 Jul 2012, William Thierry SAMEN wrote:

> Hi all Bind users,
> I just have a problem with my zone signing output; I made all the steps to obtain a good result.
>  1. Generated KSK and ZSK
>  2. Added both keys at the end of my zone file
>  3. Signed my zone with the dnssec-signzone command
>  4. Enabled DNSSEC in named options
>  5. Changed the name of my zone in named to namezone.signed
>  6. I got the root DNSKEY RR set beforehand with the dig command and redirected the output to a root-dnskey file
>  7. I also turned the DNSKEY into a DS RR set with the dnssec-dsfromkey command.

Did you send the DS RR to the operator of the parent zone, and did you 
wait for the DS record to appear in the parent zone?

To see an AD flag, you need to send the query towards a caching DNSSEC 
validating server that is _not_ the same server that is hosting the zone.

The chain of trust from the trust anchor of the caching 
validating DNS server to the signatures in the zone must be complete, 
including the DS record for your zone, which must be hosted in the parent 
zone (

Please also make sure that the serial number in the SOA record on the 
authoritative server is the same number that you see in the signed zone 
file. Do not forget to increment the SOA serial before or during the 
signing process ( dnssec-signzone -N INCREMENT ... ).

I cannot test your domain from here; it seems the domain is not delegated 
(I'm seeing an NXDOMAIN from

csmobile :: ~ » drill -k root.key -SD
;; Number of trusted keys: 1
;; Chasing: A

DNSSEC Trust tree: (A)
|---Existence is denied by:
| (NSEC3)
|---Existence is denied by:
| (NSEC3)
|---Existence is denied by:
| (NSEC3)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.

(the negative answer here is not DNSSEC validated, but that is another 

Best regards

Carsten Strotmann

More information about the bind-users mailing list
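The reply above hinges on one concrete check: the DS record the parent zone publishes must have been derived from your KSK (the DNSKEY with flags 257), and the key tag and digest in that DS must match. The script below is an added example, not code from the original post or from BIND; it recomputes the DS for a DNSKEY the way dnssec-dsfromkey does (key tag per RFC 4034 Appendix B, digest over the canonical owner name plus the DNSKEY RDATA) and compares it with a list of DS records as they would be returned by the parent. All data in it is constructed: example.com., the short stand-in public key and the stale parent DS are assumptions, not a real zone or key.

```python
"""Recompute a DS record from a DNSKEY and check the parent zone publishes it."""
import base64
import hashlib
import struct

# Constructed sample data (not a real zone or key). The base64 decodes to a
# 6-byte stand-in for an RSA public key, chosen so the key tag (45784) can be
# verified by hand; flags 257 marks it as a KSK (SEP bit set), algorithm 8 is RSASHA256.
KSK_RR = "example.com. IN DNSKEY 257 3 8 AwEAAavN"
# A stale DS as a (hypothetical) parent zone might still serve it: wrong key tag.
PARENT_DS_STALE = ["12345 8 2 " + "00" * 32]

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 6.2): lowercase,
    length-prefixed labels, terminated by the root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(struct.pack("B", len(lbl)) + lbl.encode("ascii")
                    for lbl in labels) + b"\x00"


def parse_dnskey(rr: str):
    """Split a presentation-format DNSKEY RR (optional TTL/class accepted)
    into (owner, flags, protocol, algorithm, public key bytes)."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], flags, proto, alg, pubkey


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire form: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(rr: str, digest_type: int = 2) -> str:
    """Presentation-format DS for a DNSKEY: '<tag> <alg> <digest type> <hex>'.
    The digest covers owner name (wire form) followed by the DNSKEY RDATA."""
    owner, flags, proto, alg, pubkey = parse_dnskey(rr)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {alg} {digest_type} {digest}"


def normalize_ds(ds: str) -> tuple:
    """(tag, alg, digest type, uppercase hex); tolerates whitespace inside the hex."""
    tag, alg, dtype, *hexparts = ds.split()
    return int(tag), int(alg), int(dtype), "".join(hexparts).upper()


def ds_published(rr: str, parent_ds: list) -> bool:
    """True when the parent's DS RRset contains a DS derived from this DNSKEY,
    whatever digest type the parent chose."""
    published = {normalize_ds(d) for d in parent_ds}
    return any(normalize_ds(ds_from_dnskey(rr, dt)) in published for dt in DIGESTS)


def is_ksk(rr: str) -> bool:
    """The SEP bit (flags & 1) marks the key a DS should point at."""
    return parse_dnskey(rr)[1] & 1 == 1


if __name__ == "__main__":
    print("DS to hand to the parent:", ds_from_dnskey(KSK_RR))
    print("KSK (SEP bit set):", is_ksk(KSK_RR))
    # With the stale DS the chain of trust is broken: no AD flag possible.
    print("parent DS matches KSK:", ds_published(KSK_RR, PARENT_DS_STALE))
```

In practice you would feed ds_published the DS RRset obtained from the parent (dig DS for your zone at a resolver other than your own authoritative server) and the KSK line from the DNSKEY RRset your authoritative server serves; a mismatch on either key tag or digest means the DS has not been submitted, has not yet propagated, or was generated from a different key than the one that signed the DNSKEY RRset.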