dnssec-signzone: warning: NSEC3 generation requested with no DNSKEY; ignoring

Evan Hunt each at isc.org
Thu Apr 25 18:57:14 UTC 2013


> dnssec-signzone -d /path/to/dsset -K /path/to/keys -3 0000001111 -f 
> zone.signed -e +3024000 -j 1800 -o zone.edu -r /dev/urandom -S -T 12h 
> /path/to/input
> 
> dnssec-signzone: warning: NSEC3 generation requested with no DNSKEY; 
> ignoring
> Fetching ZSK 59544/RSASHA256 from key repository.
> Fetching ZSK 29076/RSASHA256 from key repository.
> Fetching KSK 11110/RSASHA256 from key repository.
> Fetching KSK 38074/RSASHA256 from key repository.
> Verifying the zone using the following algorithms: RSASHA256.
> Zone fully signed:
> Algorithm: RSASHA256: KSKs: 1 active, 1 stand-by, 0 revoked
>                       ZSKs: 1 active, 1 stand-by, 0 revoked
> 
> Despite the warning that appears to be saying it's ignoring NSEC3 
> generation, the signed output includes NSEC3 data:
[...]
> What exactly is this warning supposed to mean?

The warning is spurious and has been fixed in 9.9.3.  It was incorrectly
checking to see whether there were any DNSKEY records in the zone *before*
loading them from the key files.  It should have been doing so afterward,
obviously.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
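
Since the reply above says the warning is spurious, one way to confirm that a signed zone really carries an NSEC3 chain with the requested salt is to count the relevant record types in the output file. This is an added example, not part of the original message and not BIND code; the function names and the sample zone contents are constructed, and the parser assumes the usual master-file layout of dnssec-signzone output.

```shell
# nsec3_check SIGNED_ZONE SALT: succeeds only if the zone has DNSKEY, NSEC3PARAM
# and NSEC3 records, every NSEC3 salt equals SALT, and no plain NSEC exists.
# Simple line parser: assumes no ";" or parentheses inside quoted strings.
nsec3_check() {
    awk -v want="$2" '
    function rrtype(   i) {
        i = ($0 ~ /^[ \t]/) ? 1 : 2      # an owner name is present only in column 1
        while (i <= NF && ($i ~ /^[0-9]+$/ || $i == "IN")) i++   # skip TTL, class
        tpos = i; return $i
    }
    /^[ \t]*(;|$)/ || /^\$/ { next }      # comments, blank lines, $TTL/$ORIGIN
    {
        if (depth == 0) {                 # not inside a "( ... )" continuation
            t = rrtype(); count[t]++
            # NSEC3PARAM and NSEC3 rdata: algorithm flags iterations salt ...
            if ((t == "NSEC3PARAM" || t == "NSEC3") &&
                toupper($(tpos + 4)) != toupper(want)) badsalt++
        }
        line = $0; sub(/;.*/, "", line)
        depth += gsub(/\(/, "", line) - gsub(/\)/, "", line)
    }
    END {
        printf "DNSKEY=%d NSEC3PARAM=%d NSEC3=%d NSEC=%d salt_mismatch=%d\n",
            count["DNSKEY"], count["NSEC3PARAM"], count["NSEC3"], count["NSEC"], badsalt
        ok = count["DNSKEY"] && count["NSEC3PARAM"] && count["NSEC3"]
        exit((ok && !count["NSEC"] && !badsalt) ? 0 : 1)
    }' "$1"
}

# Constructed sample of signed output; hashes, keys and signatures are placeholders.
write_sample_zone() {
    cat > "$1" <<'EOF'
zone.edu.   3600 IN SOA ns1.zone.edu. admin.zone.edu. (
                2013042501 7200 3600 1209600 1800 )
            3600 DNSKEY 256 3 8 (
                PLACEHOLDERZSK ) ; ZSK
            3600 DNSKEY 257 3 8 (
                PLACEHOLDERKSK ) ; KSK
            0 NSEC3PARAM 1 0 10 0000001111
PLACEHOLDERHASH1.zone.edu. 1800 IN NSEC3 1 0 10 0000001111 (
                PLACEHOLDERHASH2
                NS SOA RRSIG DNSKEY NSEC3PARAM )
            1800 RRSIG NSEC3 8 3 1800 (
                20130530000000 20130425000000 12345 zone.edu.
                PLACEHOLDERSIG )
EOF
}
zone=$(mktemp); write_sample_zone "$zone"
nsec3_check "$zone" 0000001111 && echo "NSEC3 chain present"; rm -f "$zone"
```

Against a real file, pass the name given to `-f` and the salt given to `-3`; the salts are compared as strings, so leading zeros are significant.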

