dnssec-signzone: warning: NSEC3 generation requested with no DNSKEY; ignoring

Paul B. Henson henson at acm.org
Thu Apr 25 18:32:08 UTC 2013


We're upgrading from bind 9.8 to 9.9, and there's a new warning from 
dnssec-signzone that's confusing me. We are using a locally developed 
mechanism for signing that predates the auto and in-line signing 
mechanisms currently available in bind, and run the command like this:

dnssec-signzone -d /path/to/dsset -K /path/to/keys -3 0000001111 -f 
zone.signed -e +3024000 -j 1800 -o zone.edu -r /dev/urandom -S -T 12h 
/path/to/input

dnssec-signzone: warning: NSEC3 generation requested with no DNSKEY; 
ignoring
Fetching ZSK 59544/RSASHA256 from key repository.
Fetching ZSK 29076/RSASHA256 from key repository.
Fetching KSK 11110/RSASHA256 from key repository.
Fetching KSK 38074/RSASHA256 from key repository.
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 1 stand-by, 0 revoked
                       ZSKs: 1 active, 1 stand-by, 0 revoked

Despite the warning that appears to be saying it's ignoring NSEC3 
generation, the signed output includes NSEC3 data:

                         0       NSEC3PARAM 1 0 10 0000001111
                         0       RRSIG   NSEC3PARAM 8 2 0 (
                                         20130530022110 20130425022136 
59544 zone.edu.
MREyFqJcDGl7q1+iIb5/SPXZjloP7JkQQDyIDviqW5VdCHE7R+0yiuKGgPFBaxkx7b7C4qNd 
    5Ok+TP9Oh1yhjx5qKzQCEH9cN+v82+J34fStJBsGZPjejz7Sk9b2n71QMfrBwzyPP4Mczjsz
                                         Cx+Rs1OPSWICqpNZteJ3vEece7Y= )

                         10800   RRSIG   NSEC3 8 3 10800 (
                                         20130530020852 20130425022136 
59544 zone.edu.
C6CearljzIjr/oN9h05AAXmdfI2+TXlJE6qh
QsAa8t+4c2BRTr+XujmOHSA6wdTZCJpbF00t
k3ex9J4FGUqrvmrfgoMG/97i1LTtU4+zKGtH
iYZzns1mBx6+SvMat0MdIA5Oyf/BshTQKw9A
uArXwwrt4tZpI2oqjqaO++lNPSU= )

and it most certainly includes DNSKEYs:

                         43200   DNSKEY  256 3 8 (
AwEAAbdtXRiwmMRMktaixtDE5HafjiVncGJX
xniePMxmZui8XWZ/QYDdwCAa9q7os6chnZ0J
LA7jFhDpjx9dAJXL1DLgYGOKKxAgAtQeODS/
DDek96Phnc34eTui4zARMI5Xtg2izbV5qHZE
S6oAmhVOVtk7XCymL1WGyK5QM1QK8/h/
) ; ZSK; alg = RSASHA256; key id = 29076

What exactly is this warning supposed to mean?

Thanks…
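As an added illustration (not part of the original message or of BIND), the following Python pulls the NSEC3PARAM and DNSKEY records out of signed-zone text like the listing above and computes the RFC 5155 hashed owner name with the parsed salt and iteration count, so the NSEC3 chain can be checked independently of what the warning claims. The zone lines are a constructed sample; the RFC 5155 Appendix A vector is used as a self-check.

```python
import base64
import hashlib

# Constructed sample in the shape of dnssec-signzone output, using the salt
# (-3 0000001111) and the two key types from the command and listing above.
SAMPLE_ZONE = """\
zone.edu.   0      IN  NSEC3PARAM 1 0 10 0000001111
zone.edu.   43200  IN  DNSKEY 256 3 8 AwEAAbdtXRiwmMRMktaixtDE5Haf
zone.edu.   43200  IN  DNSKEY 257 3 8 AwEAAcCONSTRUCTEDKSKPLACEHOLDER
"""

# base32hex (RFC 4648) expressed as a translation of the standard base32 alphabet
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_zone(text):
    """Return (NSEC3PARAM tuple or None, counts of ZSK/KSK DNSKEYs) from zone text."""
    nsec3param, keys = None, {"ZSK": 0, "KSK": 0}
    for line in text.splitlines():
        f = line.split()
        if "NSEC3PARAM" in f:
            i = f.index("NSEC3PARAM")
            alg, flags, iters, salt = f[i + 1:i + 5]
            nsec3param = (int(alg), int(flags), int(iters), salt)
        elif "DNSKEY" in f:
            flags = int(f[f.index("DNSKEY") + 1])
            keys["KSK" if flags & 1 else "ZSK"] += 1  # SEP bit set (257) marks a KSK
    return nsec3param, keys


def nsec3_hash(name, salt_hex, iterations, alg=1):
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), applied iterations+1 times
    over the canonical (lowercase) wire-format name; returned as base32hex."""
    if alg != 1:
        raise ValueError("RFC 5155 defines only hash algorithm 1 (SHA-1)")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    labels = [l for l in name.lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32_TO_B32HEX).lower()


def rfc5155_vector_ok():
    """Self-check against RFC 5155 Appendix A (salt aabbccdd, 12 iterations)."""
    return nsec3_hash("example", "aabbccdd", 12) == "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom"


if __name__ == "__main__":
    params, keys = parse_zone(SAMPLE_ZONE)
    print("NSEC3PARAM:", params, "DNSKEYs:", keys)
    alg, _, iters, salt = params
    print("hashed apex:", nsec3_hash("zone.edu", salt, iters, alg))
    print("RFC 5155 vector ok:", rfc5155_vector_ok())
```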

