Automated DNSSEC (command line)
Casey T. Deccio
casey at deccio.net
Sat May 29 01:23:00 UTC 2010
On May 28, 2010, at 5:11 PM, Michelle Konzack wrote:
>
> I have updated the serial number manually and it just updated <dns2>...
>
> OK, now I have tried the second Zone
>
> <http://dnsviz.net/d/itsystems.tamay-dogan.net/dnssec/>
>
> but it tells me:
>
> RRSIG itsystems.tamay-dogan.net/SOA by 005+19470: Signature is bogus
>
> really weird, because the Zone is like others. How can I check this?
>
To have dnssec-signzone increment the zone automatically, use the '-N increment' option. If you simply increment the serial of an already signed zone without updating the signature, the signature no longer matches because the SOA record has changed.
This assumes a non-dynamic (i.e., manually updated) zone. If you submit updates to a dynamic zone, as Mark suggested, the serial will be updated and resigned as part of the update.
Regards,
Casey
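The mechanics behind Casey's answer, as an added stand-alone illustration (not code from the thread or from BIND): it builds the canonical wire form of the zone's SOA RRset the way a DNSSEC signer hashes it (RFC 4034, sections 3.1.8.1 and 6), signs it, then shows that bumping the serial by hand leaves the old RRSIG bogus while re-signing (what '-N increment' does for you) restores validity. The zone name and key tag 19470 come from the thread; the key, timestamps and SOA parameters are constructed, and an HMAC stands in for the RSA signature a real zone uses.

```python
import hashlib
import hmac
import struct

ZONE = "itsystems.tamay-dogan.net"   # zone and key tag 19470 come from the thread
KEY = b"constructed-demo-key"        # stand-in for the zone's private key (assumption)

def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, uncompressed labels."""
    out = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").lower().split("."))
    return out + b"\x00"

def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum) -> bytes:
    """SOA RDATA: MNAME, RNAME, then five 32-bit counters, serial first."""
    return wire_name(mname) + wire_name(rname) + struct.pack("!IIIII", serial, refresh, retry, expire, minimum)

def canonical_soa_rr(zone: str, ttl: int, rdata: bytes) -> bytes:
    """Canonical RR: owner | TYPE SOA=6 | CLASS IN=1 | original TTL | RDLENGTH | RDATA."""
    return wire_name(zone) + struct.pack("!HHIH", 6, 1, ttl, len(rdata)) + rdata

def rrsig_rdata_prefix(zone: str, ttl: int) -> bytes:
    """RRSIG RDATA minus the Signature field (RFC 4034 s.3.1.8.1)."""
    labels = len(zone.rstrip(".").split("."))
    # type covered=SOA(6), algorithm=5 (as in the thread's "005+19470"), label count,
    # original TTL, expiration and inception (constructed), key tag 19470, signer's name
    return (struct.pack("!HBBIIIH", 6, 5, labels, ttl, 1277700000, 1275100000, 19470)
            + wire_name(zone))

def sign(prefix: bytes, rr: bytes) -> bytes:
    """Signature over RRSIG_RDATA || canonical RR (HMAC in place of RSA: assumption)."""
    return hmac.new(KEY, prefix + rr, hashlib.sha256).digest()

def rrsig_valid(prefix: bytes, rr: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(prefix, rr), sig)

def soa_rr(serial: int) -> bytes:
    rdata = soa_rdata("ns1." + ZONE, "hostmaster." + ZONE, serial, 3600, 900, 1209600, 86400)
    return canonical_soa_rr(ZONE, 86400, rdata)

def validates_after_serial_bump(resign: bool) -> bool:
    """Sign serial N, bump to N+1 by hand (as in the thread), then re-sign or not."""
    prefix = rrsig_rdata_prefix(ZONE, 86400)
    old_rr, new_rr = soa_rr(2010052801), soa_rr(2010052802)
    sig = sign(prefix, old_rr)       # RRSIG produced for the original SOA
    if resign:                       # equivalent of re-running dnssec-signzone -N increment
        sig = sign(prefix, new_rr)
    return rrsig_valid(prefix, new_rr, sig)
```

Because the serial is part of the signed RDATA, `validates_after_serial_bump(False)` is the "Signature is bogus" case from the thread and `validates_after_serial_bump(True)` is the fixed zone.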