[dns-operations] Dnssec zone signing problem
itservices88
itservices88 at gmail.com
Thu May 20 17:23:26 UTC 2010
Hi,
I am having a DNSSEC problem while signing a zone:
# dnssec-signzone -N INCREMENT mydomain.org
Verifying the zone using the following algorithms: RSASHA1.
Missing RSASHA1 signature for . NSEC
The zone is not fully signed for the following algorithms: RSASHA1.
dnssec-signzone: fatal: DNSSEC completeness test failed.
What could be wrong ....
I have followed these steps:
OS = CentOS 5.4 with bind-9.6.2-3.P1
http://jason.roysdon.net/2009/10/16/building-bind-9-6-on-rhel5-centos5-for-dnssec-nsec3-support/
dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mydomain.org
dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE mydomain.org
cat Kmydomain.org.+005+*.key >> mydomain.org
dnssec-signzone -N INCREMENT mydomain.org
Under options in named.conf:
dnssec-enable yes;
dnssec-validation yes;
// dnssec-lookaside "." trust-anchor "DLV.ISC.ORG";
With the trust-anchor uncommented, as soon as I enable and reload bind, dig
gives a timeout, while dig has no issues with the first two commands enabled.
# more /etc/sysconfig/dnssec
DNSSEC="on"
DLV="dlv.isc.org"
Thanks
-dani