We have a similar issue. And this is my understanding of it:

From briefly looking at the source, it seems that as of 9.6.2-P1 the dnssec-signzone tool performs some additional validation after the signing is complete.

Previously, it could only verify the signatures it generated, if "-a" is used on the command line. More recently though, dnssec-signzone also performs some higher level validation after it's done signing. This is called "post signing validation".

We were invoking the dnssec-signzone tool once with each key. We'd start by signing with the KSK, then sign with the ZSK. When we upgraded to 9.6.2-P1, dnssec-signzone started failing with errors when signing with the KSK:

-------------------
Verifying the zone using the following algorithms: RSASHA1.
no signatures for example.com/NSEC
no signatures for example.com/SOA
no signatures for example.com/NS
no signatures for subzone.example.com/NSEC
no signatures for subzone.example.com/A
-------------------

Then we tried signing with both KSK and ZSK at the same time, but got some other error (no self signed KSK found). Without spending more time on this we found a workaround - to disable post signing validation with the newly introduced parameter "-P". This is what the BIND ARM says:

-P
    Disable post sign verification tests. The post sign verification test ensures that for each algorithm in use there is at least one non revoked self signed KSK key, that all revoked KSK keys are self signed, and that all records in the zone are signed by the algorithm. This option skips these tests.

At some point we will revisit this issue to understand how to sign the zone so that it passes the post signing validation.

Regards,
Sergiu
_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
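The two post-sign checks behind the errors in Sergiu's message ("no signatures for NAME/TYPE" after a KSK-only pass, and "no self signed KSK found") can be replayed offline. The following is an added example written for this page, not BIND's code and not from the original post: it parses a constructed, simplified signed zone in one-record-per-line presentation format, reports every RRset that has no covering RRSIG, and checks that a non-revoked DNSKEY with the SEP bit set (flags 257) has an RRSIG over the DNSKEY RRset whose key tag matches it. The key tag is computed as in RFC 4034 Appendix B; algorithm 5 is RSASHA1 as in the poster's output. The key blobs and signature field are fabricated placeholders, and no signature is cryptographically verified; ns1.example.com stands in for the poster's subzone.example.com.

```python
"""Replay dnssec-signzone's post-sign checks over a constructed signed zone.
Added example for the bind-users thread, not BIND's own code."""
import base64
import struct


def keytag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_zone(text):
    """Minimal parser: one 'owner TTL IN TYPE rdata...' record per line."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(";"):
            continue
        owner, _ttl, _cls, rtype, *rdata = parts
        records.append((owner, rtype, rdata))
    return records


def post_sign_check(text):
    """Return (list of 'no signatures for OWNER/TYPE' messages, self_signed_ksk_found)."""
    rrsets, covered, dnskeys, dnskey_sig_tags = set(), set(), [], set()
    for owner, rtype, rdata in parse_zone(text):
        if rtype == "RRSIG":
            type_covered, _alg, _labels, _ottl, _exp, _inc, tag, _signer, *_sig = rdata
            covered.add((owner, type_covered))
            if type_covered == "DNSKEY":
                dnskey_sig_tags.add(int(tag))
        else:
            rrsets.add((owner, rtype))
            if rtype == "DNSKEY":
                flags, proto, alg = int(rdata[0]), int(rdata[1]), int(rdata[2])
                dnskeys.append((flags, keytag(flags, proto, alg, "".join(rdata[3:]))))
    missing = sorted(f"no signatures for {o}/{t}" for o, t in rrsets - covered)
    # KSK test: SEP bit (0x0001) set, REVOKE bit (0x0080) clear, and an RRSIG over
    # the DNSKEY RRset carries this key's tag, i.e. the KSK signed itself.
    ksk_ok = any(f & 1 and not f & 0x80 and tag in dnskey_sig_tags for f, tag in dnskeys)
    return missing, ksk_ok


# Constructed key material: placeholders, not real RSA public keys.
KSK_KEY = base64.b64encode(b"constructed-ksk-public-key-bytes").decode()
ZSK_KEY = base64.b64encode(b"constructed-zsk-public-key-bytes").decode()
KSK_TAG = keytag(257, 3, 5, KSK_KEY)
ZSK_TAG = keytag(256, 3, 5, ZSK_KEY)
FAKE_SIG = base64.b64encode(b"not-a-real-signature").decode()


def rrsig(owner, type_covered, tag):
    """Build an RRSIG line (algorithm 5 = RSASHA1) with a placeholder signature."""
    labels = len(owner.rstrip(".").split("."))
    return (f"{owner} 3600 IN RRSIG {type_covered} 5 {labels} 3600 "
            f"20100801000000 20100701000000 {tag} example.com. {FAKE_SIG}")


COMMON = [
    "example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300",
    "example.com. 3600 IN NS ns1.example.com.",
    f"example.com. 3600 IN DNSKEY 257 3 5 {KSK_KEY}",
    f"example.com. 3600 IN DNSKEY 256 3 5 {ZSK_KEY}",
    "example.com. 3600 IN NSEC ns1.example.com. NS SOA RRSIG NSEC DNSKEY",
    "ns1.example.com. 3600 IN A 192.0.2.1",
    "ns1.example.com. 3600 IN NSEC example.com. A RRSIG NSEC",
    rrsig("example.com.", "DNSKEY", KSK_TAG),
]
# What a KSK-only signing pass leaves behind: only the DNSKEY RRset is signed.
ZONE_KSK_ONLY = "\n".join(COMMON)
# One pass with both keys: the ZSK covers every remaining RRset.
ZONE_BOTH = "\n".join(COMMON + [
    rrsig(o, t, ZSK_TAG) for o, t in [
        ("example.com.", "SOA"), ("example.com.", "NS"), ("example.com.", "NSEC"),
        ("ns1.example.com.", "A"), ("ns1.example.com.", "NSEC")]])

if __name__ == "__main__":
    for name, zone in (("KSK only", ZONE_KSK_ONLY), ("KSK + ZSK", ZONE_BOTH)):
        missing, ksk_ok = post_sign_check(zone)
        print(f"{name}: self-signed KSK={ksk_ok}")
        print("\n".join(missing) or "all RRsets signed")
```

The KSK-only zone reproduces the poster's first failure (every non-DNSKEY RRset is reported unsigned) even though the self-signed KSK test passes; signing with both keys in one pass clears the list. A zone whose DNSKEY RRset is signed only by the ZSK fails the KSK test instead, which is the shape of the second error the poster mentions.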

