Hi, I am having a DNSSEC problem while signing a zone:

# dnssec-signzone -N INCREMENT mydomain.org
Verifying the zone using the following algorithms: RSASHA1.
Missing RSASHA1 signature for . NSEC
The zone is not fully signed for the following algorithms: RSASHA1.
dnssec-signzone: fatal: DNSSEC completeness test failed.

What could be wrong?

I have followed these steps:

OS = CentOS 5.4 with bind-9.6.2-3.P1
http://jason.roysdon.net/2009/10/16/building-bind-9-6-on-rhel5-centos5-for-dnssec-nsec3-support/

dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mydomain.org
dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE mydomain.org
cat Kmydomain.org.+005+*.key >> mydomain.org
dnssec-signzone -N INCREMENT mydomain.org

Under options in named.conf:

dnssec-enable yes;
dnssec-validation yes;
// dnssec-lookaside "." trust-anchor "DLV.ISC.ORG";

With the trust-anchor uncommented, as soon as I enable and reload bind, dig gives a timeout, while dig has no issues with the first two commands enabled.

#more /etc/sysconfig/dnssec
DNSSEC="on"
DLV="dlv.isc.org"

Thanks
-dani
_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users

