Enabling dnssec inline-signing getting SERVFAIL

Daniel A. Rodriguez drodriguez at unau.edu.ar
Tue Feb 17 21:44:57 UTC 2026


I am turning to collective knowledge because I am facing a problem.

Until now, I had Debian 12 with 9.18 running using DNSSEC, but for some
reason, which I still cannot identify, it has stopped working.


Every time I (re)enable

    inline-signing yes;
    dnssec-policy "ecdsa";

in the zone, it stops loading and throws a SERVFAIL error.


named.conf.options has

    dnssec-policy "ecdsa" {
        keys {
            ksk lifetime unlimited algorithm ECDSAP256SHA256;
            zsk lifetime 90d algorithm ECDSAP256SHA256;
        };
    };


I wrote this little script to delete old logs, but even after waiting a 
couple of minutes, the SERVFAIL is still there


    #!/bin/sh
    # Stop BIND, drop the journal/backup files next to the zone file,
    # check the master copy, start BIND again and query the SOA.
    ZONE="DOMAIN"
    ZONE_FILE="/var/cache/bind/db.$ZONE"

    if [ ! -f "$ZONE_FILE" ]; then
        echo "ERROR: $ZONE_FILE not found"
        exit 1
    fi

    systemctl stop bind9 || { echo "ERROR: Could not stop BIND"; exit 1; }

    # Remove the journal (.jnl), backup (.jbk) and .mvd files named left behind
    rm -f "$ZONE_FILE".jnl "$ZONE_FILE".jbk "$ZONE_FILE".mvd

    chown bind:bind "$ZONE_FILE"
    chmod 644 "$ZONE_FILE"

    named-checkzone "$ZONE" "/etc/bind/zonas/db.$ZONE" || { echo "ERROR: named-checkzone failed"; exit 1; }

    systemctl start bind9 || { echo "ERROR: Could not start BIND"; exit 1; }

    sleep 5

    # Ask the local server for the SOA; no status/aa line means the zone did not load
    dig @"127.0.0.1" "$ZONE" SOA +norecurse | grep -E "status:|aa" || echo "ATTENTION: Check the BIND logs for SERVFAIL"


Any clue would be much appreciated.
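An added preflight script, written for this thread and not part of the original post or of BIND itself: it checks the filesystem prerequisites that "inline-signing yes;" plus a dnssec-policy impose before the zone is reloaded. With inline signing, named does more than read the zone file: it writes the signed copy and its journal into the same directory and generates the policy's keys in the key-directory, so a 644 zone file alone proves nothing if the directories are not writable by the bind user. The function name, the argument layout and the sample paths are mine; the zone name and paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): preflight checks for a zone
# that uses "inline-signing yes;" together with a dnssec-policy.
# Besides reading the zone file, named has to create the signed copy and
# its journal next to it, and generate keys in the key-directory, so the
# directories matter as much as the 644 mode on the file itself.
#
# Usage: inline_signing_preflight ZONE ZONE_FILE KEY_DIR
#   e.g. sudo -u bind sh preflight.sh example.org \
#            /var/cache/bind/db.example.org /var/cache/bind
# Run it as the user named runs as (bind on Debian) so the -r/-w tests
# reflect named's permissions rather than root's. Returns 0 only when
# every check passes.

inline_signing_preflight() {
    zone=$1
    zone_file=$2
    key_dir=$3
    rc=0
    zone_dir=$(dirname "$zone_file")

    if [ -r "$zone_file" ]; then
        echo "ok:   zone file readable: $zone_file"
    else
        echo "FAIL: zone file missing or unreadable: $zone_file"
        rc=1
    fi

    # inline-signing writes "$zone_file.signed" and "$zone_file.signed.jnl"
    # into this directory, so the directory itself must be writable.
    if [ -d "$zone_dir" ] && [ -w "$zone_dir" ]; then
        echo "ok:   zone directory writable: $zone_dir"
    else
        echo "FAIL: zone directory not writable (needed for .signed/.jnl): $zone_dir"
        rc=1
    fi

    # dnssec-policy creates K<zone>+013+<id>.key/.private/.state files
    # here (013 = ECDSAP256SHA256, the algorithm used in the policy above).
    if [ -d "$key_dir" ] && [ -w "$key_dir" ]; then
        echo "ok:   key directory writable: $key_dir"
    else
        echo "FAIL: key directory not writable (dnssec-policy must create keys): $key_dir"
        rc=1
    fi

    # Files from an earlier life of the zone are worth knowing about
    # before named tries to apply an old journal to a changed zone file.
    for j in "$zone_file.jnl" "$zone_file.signed" "$zone_file.signed.jnl"; do
        if [ -f "$j" ]; then
            echo "note: existing file: $j"
        fi
    done

    # Syntax check of the unsigned zone, only when BIND's tools are installed.
    if command -v named-checkzone >/dev/null 2>&1; then
        if named-checkzone -q "$zone" "$zone_file"; then
            echo "ok:   named-checkzone accepts $zone_file"
        else
            echo "FAIL: named-checkzone rejects $zone_file"
            rc=1
        fi
    else
        echo "skip: named-checkzone not installed"
    fi

    return $rc
}

# Run the checks when invoked with three arguments; do nothing when sourced.
if [ $# -eq 3 ]; then
    inline_signing_preflight "$1" "$2" "$3"
fi
```

Run it as the bind user against the same file the zone statement points at (in the script above that is /var/cache/bind/db.$ZONE, not the copy under /etc/bind/zonas that named-checkzone is given). Once the preflight passes and named is running, `rndc dnssec -status ZONE` shows whether the policy has created its keys and where the zone is in the signing process; the reason for a SERVFAIL is otherwise in the named log, not in the dig output.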