Zones not being recognised as Signed

Mark Andrews marka at
Thu Mar 30 22:02:38 UTC 2017

In message <CAB=ej3rXb-+UkwyT8RoURszF70Gi76ksj7Uk6uuvqF5pUG3Dwg at>, J T writ
> Hi,
> I have 5 signed zones ( 2 x .email, 2 x .com and 1 x ).
> I used Webmin to do the heavy lifting of signing/resigning etc.
> Only 2 of the 5 zones are recognised as (DNSSEC Signed) by BIND on
> restart/zone application and that fact is reported in the system logs.
> I’m trying to work out why 3 are failing to be recognised as Signed.
> No errors are reported as part of the signing process. The zonefiles
> appear to have loads of DNSSEC related resource records.
> e.g.
>    - RRSIG (digital signature)
>    - DNSKEY (public key)
>    - DS (parent-child)
>    - NSEC (proof of nonexistence)
>    - NSEC3 (proof of nonexistence)
>    - NSEC3PARAM (proof of nonexistence)
> and the parent registrar has had DS records added.
> As bind is not flagging the zone as signed its not returning RRSIGs in the
> Answer section of a query ( although they are provided in the Additional
> section ).
> I’m not really sure what the criteria is for bind to decide a zone is
> signed.

For a zone to be treated as secure (signed) there needs to be a
NSEC record at the zone apex or a NSEC3PARAM record at the zone
apex.  There also needs to be a DNSKEY RRset containing a zone key.

While named is in the process of signing a zone initially these
conditions are not met.  The last stage of initial signing is to
add the NSEC record to the apex or to add the NSEC3PARAM record.

The first stage of going insecure is to remove the NSEC/NSEC3PARAM
record at the zone apex.

> The same process is being used to sign/resign the 5 zones but only 2 are
> flagged as signed.
> Any tips on how to debug this would be appreciated.
> Thanks,
> Jay

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at

More information about the bind-users mailing list