Unable to load NSEC3 zone after restart

Andy Smith dotandy at outlook.com
Tue Oct 2 10:07:30 UTC 2012


I’m having some problems when BIND 9.9.1 on Windows is restarted – it seems to be unable to load any NSEC3 zones using inline-signing that were working prior to the restart.

It seems to be working fine for NSEC zones, which leads me to think I’m missing a configuration step somewhere.
The zone configuration in named.conf is as follows:

zone "foobar.co.uk" {
type master;
file "master/foobar.co.uk.managed";
notify explicit;
inline-signing yes;
auto-dnssec maintain;
};

To sign the zone I’m running the following:

dnssec-keygen -3 -a RSASHA256 -b 1024 -n ZONE foobar.co.uk.
dnssec-keygen -f KSK -3 -a RSASHA256 -b 2048 -n ZONE foobar.co.uk.

rndc loadkeys foobar.co.uk.
rndc signing -nsec3param 1 0 10 ABCABCABCABCABCA foobar.co.uk.

If I reload the BIND configuration using rndc reconfig or rndc reload the zone continues to be served; however, if I restart the BIND service using net stop/start "isc bind" then it's unable to load the zone, giving the following errors in the log file:

general: info: zone foobar.co.uk/IN (unsigned): loaded serial 2012083126
general: error: dns_master_load: out of range
general: error: zone foobar.co.uk/IN (signed): loading from master file master/foobar.co.uk.managed.signed failed: out of range
general: error: zone foobar.co.uk/IN (signed): not loaded due to errors.

The only way to solve this seems to be to delete the .signed and .signed.jnl files, reload the zone and then run rndc signing -nsec3param again.

Any suggestions would be appreciated.

Thanks,
Andy
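A small post-restart check that goes with the log excerpt above, added here as an example and not part of the original post: it scans a named log for zones reported as "not loaded due to errors" and pairs each with the reason from the preceding "loading from master file ... failed:" line, so a restart that silently drops a signed zone is noticed. The log lines embedded below are constructed, modelled on the ones in the post; the function names are my own. It is POSIX sh plus awk, so on Windows it would be run from a POSIX environment such as Cygwin or WSL.

```shell
#!/bin/sh
# Added example: report zones that named failed to load, with the reason.
# The sample log is constructed (modelled on the post), not real output.

SAMPLE_LOG='general: info: zone foobar.co.uk/IN (unsigned): loaded serial 2012083126
general: error: dns_master_load: out of range
general: error: zone foobar.co.uk/IN (signed): loading from master file master/foobar.co.uk.managed.signed failed: out of range
general: error: zone foobar.co.uk/IN (signed): not loaded due to errors.
general: info: zone example.net/IN (signed): loaded serial 2012100201'

# failed_zones LOGTEXT
# Prints one "zone/class<TAB>reason" line per zone that was not loaded.
failed_zones() {
    printf '%s\n' "$1" | awk '
        # remember the failure reason named for each zone
        /: loading from master file .* failed: / {
            zone = $0; sub(/^.*: zone /, "", zone); sub(/ \(.*$/, "", zone)
            reason = $0; sub(/^.* failed: /, "", reason)
            why[zone] = reason
        }
        # emit the zone once named gives up on it
        /: not loaded due to errors/ {
            zone = $0; sub(/^.*: zone /, "", zone); sub(/ \(.*$/, "", zone)
            r = (zone in why) ? why[zone] : "unknown"
            print zone "\t" r
        }'
}

# zones_ok LOGTEXT
# Succeeds (exit 0) only when no zone failed to load.
zones_ok() {
    [ -z "$(failed_zones "$1")" ]
}

# Usage: run against the real log, e.g.  failed_zones "$(cat named.log)"
failed_zones "$SAMPLE_LOG"
```

Run after every service restart (or from a monitoring job) so that a zone stuck in the "not loaded" state shows up immediately; the one-line output per zone is easy to feed into whatever alerting is already in place.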

