On Tue, Mar 30, 2010 at 01:50:23PM +1100, chris liesfield wrote: > Here's the output ... > /var/named # named-checkzone sro.vic.gov.au db.sro.vic.gov.au > zone sro.vic.gov.au/IN: loaded serial 2010033001 > OK > > I chose level 7 debugging to yield as much information as possible, so sorry > for the size ... > /var/named # dnssec-signzone -z -v 7 -g -o xxx.xxx.xxx.au db.xxx.xxx.xxx.au > dnssec-signzone: using 2 cpus > dnssec-signzone: debug 1: decrement_reference: delete from rbt: 81f2688 [ snip.. ]
Is there a key signing key (KSK) in the zone file? db.xxx.xxx.xxx.au should have an entry something like this: $include Kxxx.xxx.xxx.au.+007+12345.key ; KSK Does that file (Kxxx.xxx.xxx.au.+007+12345.key) and its corresponding private key (Kxxx.xxx.xxx.au.+007+12345.private) exist with read permission on? Also, how are you specifying which key is the KSK (typically the -k option with dnssec-signzone)? I can replicate your symptoms and the error message by removing the KSK from a zone file. Nate Itkin _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users