Dnssec zone signing problem
itservices88
itservices88 at gmail.com
Thu May 20 22:36:31 UTC 2010
On Thu, May 20, 2010 at 12:51 PM, Hauke Lampe
<list+bindusers at hauke-lampe.de<list%2Bbindusers at hauke-lampe.de>
> wrote:
> On 05/20/2010 09:10 PM, itservices88 wrote:
>
> > Verifying the zone using the following algorithms: RSASHA1.
> > Missing RSASHA1 signature for . NSEC
>
> You seem to have a record for "." somewhere in your zone file.
>
In named.conf, i have this entry,
zone "." {
type hint;
file "named.ca";
};
egrep "^\." mydomain.org
it gives nothing.
>
> Did you load the unsigned zone into BIND before? It should have logged a
> warning about that record.
>
> > dnssec-enable yes;
> > dnssec-validation yes;
> >// dnssec-lookaside "." trust-anchor "DLV.ISC.ORG<http://dlv.isc.org/>
> ";
> > With the trust-anchor uncommented, as soon as i enable and reload bind,
> dig
> > gives timeout, while dig has no issues with first two commands enabled.
>
> Do you have a firewall in the path that would block large DNS responses
> or fragments?
>
Just the local iptables on the linux server. No other firewall.
>
>
> Hauke.
>
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20100520/f02b7104/attachment.html>
More information about the bind-users
mailing list