<div>Hi,</div>
<div> </div>
<div>I am having a DNSSEC problem while signing a zone:<br> <br># dnssec-signzone -N INCREMENT mydomain.org<br>Verifying the zone using the following algorithms: RSASHA1.<br>Missing RSASHA1 signature for . NSEC<br>
The zone is not fully signed for the following algorithms: RSASHA1.<br>dnssec-signzone: fatal: DNSSEC completeness test failed.<br> <br>What could be wrong?<br> <br>I have followed these steps:<br> <br>OS = CentOS 5.4 with bind-9.6.2-3.P1</div>
<a href="http://jason.roysdon.net/2009/10/16/building-bind-9-6-on-rhel5-centos5-for-dnssec-nsec3-support/">http://jason.roysdon.net/2009/10/16/building-bind-9-6-on-rhel5-centos5-for-dnssec-nsec3-support/</a>
<div><br>dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mydomain.org<br>dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE mydomain.org<br>cat Kmydomain.org.+005+*.key >> mydomain.org<br>
dnssec-signzone -N INCREMENT mydomain.org<br></div>
<div>Under options in named.conf</div>
<div><br> dnssec-enable yes;<br> dnssec-validation yes;</div>
<div>// dnssec-lookaside "." trust-anchor "DLV.ISC.ORG";</div>
<div> </div>
<div>With the trust-anchor uncommented, as soon as I enable and reload bind, dig gives a timeout, while dig has no issues with the first two commands enabled.<br> </div>
<div># more /etc/sysconfig/dnssec<br></div>
<div>DNSSEC="on"<br>DLV="dlv.isc.org"<br></div>
<div><br>Thanks<br>-dani</div>