In message <CAB=ej3rxb-+ukwyt8rourszf70gi76ksj7uk6uuvqf5pug3...@mail.gmail.com>, J T writes:
> Hi,
>
> I have 5 signed zones ( 2 x .email, 2 x .com and 1 x .co.uk ).
>
> I used Webmin to do the heavy lifting of signing/resigning etc.
>
> Only 2 of the 5 zones are recognised as (DNSSEC Signed) by BIND on
> restart/zone application and that fact is reported in the system logs.
>
> I'm trying to work out why 3 are failing to be recognised as Signed.
>
> No errors are reported as part of the signing process. The zonefiles
> appear to have loads of DNSSEC related resource records.
>
> e.g.
>
> - RRSIG (digital signature)
> - DNSKEY (public key)
> - DS (parent-child)
> - NSEC (proof of nonexistence)
> - NSEC3 (proof of nonexistence)
> - NSEC3PARAM (proof of nonexistence)
>
> and the parent registrar has had DS records added.
>
> As bind is not flagging the zone as signed it's not returning RRSIGs in the
> Answer section of a query ( although they are provided in the Additional
> section ).
>
> I'm not really sure what the criteria are for bind to decide a zone is
> signed.
For a zone to be treated as secure (signed) there needs to be an NSEC record
at the zone apex or a NSEC3PARAM record at the zone apex. There also needs
to be a DNSKEY RRset containing a zone key. While named is in the process
of signing a zone initially these conditions are not met. The last stage
of initial signing is to add the NSEC record to the apex or to add the
NSEC3PARAM record. The first stage of going insecure is to remove the
NSEC/NSEC3PARAM record at the zone apex.

> The same process is being used to sign/resign the 5 zones but only 2 are
> flagged as signed.
>
> Any tips on how to debug this would be appreciated.
>
> Thanks,
>
> Jay

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
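The apex check Mark describes, written out as an added example that is not part of the thread. It assumes a simplified zone-file syntax (one record per line, fully qualified owner names, a leading $ORIGIN line) and uses constructed placeholder key and signature data.

```python
# Added example, not from the thread: apply Mark's criteria to a simplified
# zone file (one record per line, fully qualified owners, a $ORIGIN line).
ZONE_KEY = 0x0100  # DNSKEY "Zone Key" flag (RFC 4034): 256 = ZSK, 257 = KSK


def parse_zone(text):
    """Return ($ORIGIN, [(owner, rtype, rdata_fields), ...])."""
    origin, records = None, []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # strip comments, tokenize
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1].lower()
        elif not fields[0].startswith("$"):     # skip $TTL and other directives
            owner, rest = fields[0].lower(), fields[1:]
            while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
                rest = rest[1:]                 # skip optional TTL and class
            if rest:
                records.append((owner, rest[0].upper(), rest[1:]))
    return origin, records


def signed_status(text):
    """'signed' if named would treat the zone as secure, else the reason why not."""
    origin, records = parse_zone(text)
    apex = [(t, r) for o, t, r in records if o == origin]
    has_zone_key = any(t == "DNSKEY" and int(r[0]) & ZONE_KEY for t, r in apex)
    has_chain = any(t in ("NSEC", "NSEC3PARAM") for t, _ in apex)
    if not has_zone_key:
        return "insecure: no DNSKEY with the Zone Key flag at the apex"
    if not has_chain:
        return "insecure: no NSEC or NSEC3PARAM record at the apex"
    return "signed"


# Constructed zones with placeholder key/signature data. The second carries NSEC
# and RRSIG on a child name but nothing at the apex, so named calls it unsigned.
SIGNED_ZONE = """$ORIGIN example.com.
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300
example.com. 3600 IN DNSKEY 257 3 13 PLACEHOLDER_KSK
example.com. 3600 IN DNSKEY 256 3 13 PLACEHOLDER_ZSK
example.com. 0 IN NSEC3PARAM 1 0 10 ABCD
"""
PARTIAL_ZONE = """$ORIGIN example.net.
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 1 3600 900 604800 300
example.net. 3600 IN DNSKEY 256 3 13 PLACEHOLDER_ZSK
www.example.net. 3600 IN NSEC example.net. A RRSIG NSEC
www.example.net. 3600 IN RRSIG A 13 3 3600 20250101000000 20241201000000 12345 example.net. SIG
"""
```

Running `signed_status` over the real zone files named loads shows which of the two apex conditions a zone that is full of RRSIG/NSEC records is still missing.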
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users