I’m having some problems when BIND 9.9.1 on Windows is restarted – it seems to be unable to load any NSEC3 zones using inline-signing that were working prior to the restart.
It seems to be working fine for NSEC zones, which leads me to think I’m missing a configuration step somewhere. The zone configuration in named.conf is as follows:

    zone "foobar.co.uk" {
        type master;
        file "master/foobar.co.uk.managed";
        notify explicit;
        inline-signing yes;
        auto-dnssec maintain;
    };

To sign the zone I’m running the following:

    dnssec-keygen -3 -a RSASHA256 -b 1024 -n ZONE foobar.co.uk.
    dnssec-keygen -f KSK -3 -a RSASHA256 -b 2048 -n ZONE foobar.co.uk.
    rndc loadkeys foobar.co.uk.
    rndc signing -nsec3param 1 0 10 ABCABCABCABCABCA foobar.co.uk.

If I reload the BIND configuration using rndc reconfig or rndc reload, the zone continues to be served; however, if I reload the BIND service using net stop/start "isc bind", then it’s unable to load the zone, giving the following errors in the log file:

    general: info: zone foobar.co.uk/IN (unsigned): loaded serial 2012083126
    general: error: dns_master_load: out of range
    general: error: zone foobar.co.uk/IN (signed): loading from master file master/foobar.co.uk.managed.signed failed: out of range
    general: error: zone foobar.co.uk/IN (signed): not loaded due to errors.

The only way to solve this seems to be to delete the .signed and .signed.jnl files, reload the zone and then run rndc signing -nsec3param again.

Any suggestions would be appreciated.

Thanks,
Andy

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
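
Added example, not part of the original post and not ISC code: a log check that flags the state described above, where a zone's unsigned copy loads after a restart but its inline-signed copy does not. The patterns follow the log lines quoted in the post; the sample input is constructed from those lines plus one hypothetical zone (example.org) that loads normally.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Patterns follow the named log lines quoted in the post.
ZONE_RE = re.compile(r"zone (?P<zone>\S+)/IN(?: \((?P<view>signed|unsigned)\))?: (?P<msg>.*)$")
LOAD_FAIL_RE = re.compile(r"loading from master file (?P<file>\S+) failed: (?P<reason>.+)$")
SERIAL_RE = re.compile(r"loaded serial (?P<serial>\d+)")

@dataclass
class ZoneState:
    unsigned_serial: Optional[int] = None  # raw zone loaded with this serial
    signed_failed: bool = False            # signed copy "not loaded due to errors"
    failed_file: Optional[str] = None      # file named in the load error
    reason: Optional[str] = None           # e.g. "out of range"

def scan(lines):
    zones = {}
    for line in lines:
        m = ZONE_RE.search(line.rstrip())
        if not m:
            continue  # e.g. the bare dns_master_load line names no zone
        st = zones.setdefault(m["zone"], ZoneState())
        serial = SERIAL_RE.match(m["msg"])
        if m["view"] == "unsigned" and serial:
            st.unsigned_serial = int(serial["serial"])
        elif m["view"] == "signed":
            fail = LOAD_FAIL_RE.match(m["msg"])
            if fail:
                st.failed_file, st.reason = fail["file"], fail["reason"]
            st.signed_failed = st.signed_failed or "not loaded due to errors" in m["msg"]
    return zones

def broken_inline_zones(lines):
    """Zones whose unsigned copy loaded but whose signed copy did not."""
    return {z: s for z, s in scan(lines).items() if s.signed_failed and s.unsigned_serial is not None}

# Constructed sample: the post's four lines plus a hypothetical healthy zone.
SAMPLE_LOG = """\
general: info: zone example.org/IN: loaded serial 2012083101
general: info: zone foobar.co.uk/IN (unsigned): loaded serial 2012083126
general: error: dns_master_load: out of range
general: error: zone foobar.co.uk/IN (signed): loading from master file master/foobar.co.uk.managed.signed failed: out of range
general: error: zone foobar.co.uk/IN (signed): not loaded due to errors.
"""

if __name__ == "__main__":
    for zone, st in broken_inline_zones(SAMPLE_LOG.splitlines()).items():
        print(f"{zone}: signed copy not loaded ({st.reason}) from {st.failed_file}")
```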