Zones not being recognised as Signed

J T jt4websites at gmail.com
Thu Mar 30 21:25:23 UTC 2017


Hi,

I have 5 signed zones (2 x .email, 2 x .com and 1 x .co.uk).

I used Webmin to do the heavy lifting of signing/resigning etc.

Only 2 of the 5 zones are recognised as (DNSSEC Signed) by BIND on
restart/zone application and that fact is reported in the system logs.

I’m trying to work out why 3 are failing to be recognised as Signed.

No errors are reported as part of the signing process. The zone files appear
to have loads of DNSSEC-related resource records.

e.g.

   - RRSIG (digital signature)
   - DNSKEY (public key)
   - DS (parent-child)
   - NSEC (proof of nonexistence)
   - NSEC3 (proof of nonexistence)
   - NSEC3PARAM (proof of nonexistence)

and the parent registrar has had DS records added.

As BIND is not flagging the zone as signed, it's not returning RRSIGs in the
Answer section of a query (although they are provided in the Additional
section).

I'm not really sure what the criteria are for BIND to decide that a zone is
signed.

The same process is being used to sign/resign the 5 zones but only 2 are
flagged as signed.

Any tips on how to debug this would be appreciated.

Thanks,

Jay
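As an added example (not part of the original post or of BIND's own tooling), the following shell script takes the external view the poster describes: it runs over the output of `dig +dnssec` and counts RRSIG records per section, so you can see at a glance whether the authoritative server is returning signatures alongside the answer data or only in the Authority/Additional sections. The two dig transcripts embedded in it are constructed for the example; the zone names, addresses and signature fields are made up. A `check_live` helper at the end runs a real query when `dig` is installed.

```shell
#!/bin/sh
# Added example: classify RRSIGs in `dig +dnssec` output by section.
# Not from the original post; the sample transcripts below are constructed.

# Count RRSIG lines in one section of dig output read from stdin.
# dig marks sections with ";; ANSWER SECTION:", ";; AUTHORITY SECTION:",
# ";; ADDITIONAL SECTION:"; record lines are "<name> <ttl> <class> <type> ...",
# so the RR type is the fourth whitespace-separated field.
rrsig_count() {
    awk -v want="$1" '
        /^;; [A-Z]+ SECTION:/ { cur = $2; next }
        cur == want && NF >= 4 && $4 == "RRSIG" { n++ }
        END { print n + 0 }'
}

# Exit 0 when the ANSWER section of the dig output in $1 carries an RRSIG.
answer_signed() {
    [ "$(printf '%s\n' "$1" | rrsig_count ANSWER)" -gt 0 ]
}

# Read dig output on stdin; print a verdict plus per-section RRSIG counts.
classify() {
    out=$(cat)
    a=$(printf '%s\n' "$out" | rrsig_count ANSWER)
    u=$(printf '%s\n' "$out" | rrsig_count AUTHORITY)
    d=$(printf '%s\n' "$out" | rrsig_count ADDITIONAL)
    if [ "$a" -gt 0 ]; then verdict=signed; else verdict=unsigned-answer; fi
    printf '%s answer=%s authority=%s additional=%s\n' "$verdict" "$a" "$u" "$d"
}

# Constructed transcript 1: zone served as signed, RRSIG next to the A record.
SIGNED_OUTPUT=';; QUESTION SECTION:
;example.com.   IN  A

;; ANSWER SECTION:
example.com.   3600  IN  A      192.0.2.10
example.com.   3600  IN  RRSIG  A 13 2 3600 20170430000000 20170330000000 12345 example.com. abc123==

;; AUTHORITY SECTION:
example.com.   3600  IN  NS     ns1.example.com.
example.com.   3600  IN  RRSIG  NS 13 2 3600 20170430000000 20170330000000 12345 example.com. def456=='

# Constructed transcript 2: the symptom in the post, no RRSIG in ANSWER but
# one on a glue record in ADDITIONAL.
UNSIGNED_ANSWER_OUTPUT=';; QUESTION SECTION:
;example.email.   IN  A

;; ANSWER SECTION:
example.email.   3600  IN  A   192.0.2.20

;; AUTHORITY SECTION:
example.email.   3600  IN  NS  ns1.example.email.

;; ADDITIONAL SECTION:
ns1.example.email.   3600  IN  A      192.0.2.53
ns1.example.email.   3600  IN  RRSIG  A 13 3 3600 20170430000000 20170330000000 12345 example.email. ghi789=='

# Query a real server: check_live <name> [<type>] [<server>]. Needs dig.
check_live() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 2; }
    dig +dnssec "$1" "${2:-A}" ${3:+@"$3"} | classify
}

printf '%s\n' "$SIGNED_OUTPUT" | classify
printf '%s\n' "$UNSIGNED_ANSWER_OUTPUT" | classify
```

If `classify` reports `unsigned-answer` for a zone you believe is signed, the server is not loading the signed data for that zone. Two things worth confirming before digging into BIND internals: that the `file` in the zone's `named.conf` stanza points at the signed output (by default `dnssec-signzone` writes its result to the input file name with `.signed` appended, leaving the unsigned original untouched), and that `named-checkzone <zone> <file>` loads that file without complaint.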