BIND 9.7.0a1 and dnssec-signzone verification
Holger.Zuleger at arcor.net
Wed Jun 24 15:45:33 UTC 2009
I have some issues with dnssec-signzone under BIND 9.7.0a1.
I'm using different algorithms for key- and zone signing keys.
This is the list of currently used keys:
$ dnssec-zkt .
Keyname          Tag   Typ Sta Algorit Generation Time
sub.example.de.  56595 KSK act RSASHA1 Oct 03 2008 23:27:15
sub.example.de.  40956 KSK act RSASHA1 Oct 03 2008 01:02:19
sub.example.de.  26451 KSK act RSASHA1 Jun 15 2009 08:58:26
sub.example.de.  11091 ZSK pub RSAMD5  Jun 24 2009 17:12:33
sub.example.de.  38598 ZSK act RSAMD5  Jun 15 2009 08:56:24
Signing the zone with dnssec-signzone and *not* turning off the
verification of the zone (via -P) gives me a lot of error messages:
$ dnssec-signzone -o sub.example.de zone.db
Verifying the zone using the following algorithms: RSASHA1.
Missing self signing KSK for algorithm RSAMD5
Missing ZSK for algorithm RSASHA1
Missing RSASHA1 signature for sub.example.de NSEC
Missing RSASHA1 signature for sub.example.de SOA
Missing RSASHA1 signature for sub.example.de NS
Missing RSASHA1 signature for a.sub.example.de NSEC
Missing RSASHA1 signature for a.sub.example.de A
Missing RSASHA1 signature for b.sub.example.de NSEC
Missing RSASHA1 signature for b.sub.example.de A
Missing RSASHA1 signature for c.sub.example.de NSEC
Missing RSASHA1 signature for c.sub.example.de A
Missing RSASHA1 signature for localhost.sub.example.de NSEC
Missing RSASHA1 signature for localhost.sub.example.de A
The zone is not fully signed for the following algorithms: RSAMD5 RSASHA1.
dnssec-signzone: fatal: DNSSEC completeness test failed.
Does it mean that it is no longer possible to use different key algorithms
in one zone?
Thanks
Holger
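
The following is an added example, not part of the original post and not BIND code: it groups the keys from the listing above by algorithm and reports which key role each algorithm lacks, which corresponds to the two "Missing ... KSK/ZSK" lines in the output. The function names, the embedded listing (constructed from the post, one key per line) and the treatment of only "act" keys as signing keys are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the key listing from the post, one key per line.
ZKT_LISTING = """\
sub.example.de. 56595 KSK act RSASHA1 Oct 03 2008 23:27:15
sub.example.de. 40956 KSK act RSASHA1 Oct 03 2008 01:02:19
sub.example.de. 26451 KSK act RSASHA1 Jun 15 2009 08:58:26
sub.example.de. 11091 ZSK pub RSAMD5 Jun 24 2009 17:12:33
sub.example.de. 38598 ZSK act RSAMD5 Jun 15 2009 08:56:24
"""

# name, key tag, role, status, algorithm, then the generation time
KEY_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(KSK|ZSK)\s+(\S+)\s+(\S+)\s")

def parse_keys(listing):
    """Return (zone, tag, role, status, algorithm) tuples from the listing."""
    keys = []
    for line in listing.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:  # header and blank lines do not match and are skipped
            zone, tag, role, status, alg = m.groups()
            keys.append((zone, int(tag), role, status, alg))
    return keys

def role_gaps(keys, signing_status=("act",)):
    """Map each algorithm to the key roles it lacks among signing keys.

    Assumption: only keys whose status is in signing_status produce
    signatures; an algorithm still counts as present if any key uses it.
    """
    roles = defaultdict(set)
    for _zone, _tag, role, status, alg in keys:
        roles[alg]  # register the algorithm even if this key is not active
        if status in signing_status:
            roles[alg].add(role)
    needed = {"KSK", "ZSK"}
    return {alg: sorted(needed - have)
            for alg, have in roles.items() if needed - have}

if __name__ == "__main__":
    for alg, missing in sorted(role_gaps(parse_keys(ZKT_LISTING)).items()):
        print(f"{alg}: no active {' or '.join(missing)}")
```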