[dns-operations] Dnssec zone signing problem

itservices88 itservices88 at gmail.com
Thu May 20 17:23:26 UTC 2010


Hi,

I am having a dnssec problem while signing zone:

# dnssec-signzone -N INCREMENT mydomain.org
Verifying the zone using the following algorithms: RSASHA1.
Missing RSASHA1 signature for . NSEC
The zone is not fully signed for the following algorithms: RSASHA1.
dnssec-signzone: fatal: DNSSEC completeness test failed.

What could be wrong ....

I have followed these steps:

OS = centos 5.4 with bind-9.6.2-3.P1
http://jason.roysdon.net/2009/10/16/building-bind-9-6-on-rhel5-centos5-for-dnssec-nsec3-support/

dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mydomain.org
dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE mydomain.org
cat Kmydomain.org.+005+*.key >> mydomain.org
dnssec-signzone -N INCREMENT mydomain.org
Under options in named.conf

        dnssec-enable yes;
        dnssec-validation yes;
//      dnssec-lookaside "." trust-anchor "DLV.ISC.ORG";

With the trust-anchor uncommented, as soon as i enable and reload bind, dig
gives timeout, while dig has no issues with first two commands enabled.

#more /etc/sysconfig/dnssec
DNSSEC="on"
DLV="dlv.isc.org"

Thanks
-dani
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20100520/35ee46c5/attachment.html>


More information about the dns-operations mailing list