DNSSEC and slaves error

Mark Andrews marka at isc.org
Thu Mar 8 02:17:53 UTC 2012


In message <CAMD-=VKxKssRXfD4XSgPua-v6=oOAzyLgc3yB3cY51iHOPW3NQ at mail.gmail.com>
, Nick Edwards writes:
> On 3/8/12, Nick Edwards <nick.z.edwards at gmail.com> wrote:
> > On 3/7/12, Mark Andrews  wrote:
> >
> >>> resigned it again as about 3 months using:    dnssec-signzone -a -e
> >>> +15724800 -K keys/ -N INCREMENT guilty_domain.here
> >>
> >> You should have fed dnssec-signzone the old signed zone not the unsigned
> >> zone.
> >>
> >> dnssec-signzone -f guilty_domain.here.signed .... -N INCREMENT
> >> guilty_domain.here.signed
> >>
> >
> > Thank you Mark, in all of the so called "howto's" I've read, I recall
> > none of them mentioning resigning the "signed file".
> > I've changed my cheat sheet to reflect above is only useful for
> > initial signing, and your example as all subsequent signings
> >
> > Thanks again.
> >
> 
> Hrmm, is that really the correct command?
> 
> dnssec-signzone  -f xxxxxx.org.signed -a -e +15724800 -K keys/ -N
> INCREMENT xxxxxx.org.signed
> 
> fatal: failed loading zone from 'xxxxxxx.org.signed': not at top of zone

-o xxxxxxx.org

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
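
The re-signing step from this thread as a small wrapper, added here as an example and not part of the original messages: dnssec-signzone takes the zone origin from the file name unless `-o` is given, so a file named `xxxxxx.org.signed` fails with "not at top of zone". The function names and the `DNSSEC_SIGNZONE` override variable are hypothetical, and the signed file is assumed to be in the fully qualified form that dnssec-signzone writes.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the signed zone file uses
# fully qualified owner names, as dnssec-signzone output does.

# Print the owner name of the SOA record, which is the zone origin.
zone_origin() {
    origin=$(awk '
        $1 ~ /^[;$]/ || /RRSIG/ { next }       # skip comments, directives, signatures
        { for (i = 2; i <= 4 && i <= NF; i++)  # type follows optional TTL and class
              if (toupper($i) == "SOA") { print $1; exit } }
    ' "$1")
    case $origin in
        *.) printf '%s\n' "$origin" ;;
        *)  echo "cannot determine origin from $1" >&2; return 1 ;;
    esac
}

# Re-sign an already signed zone, feeding the signed file back in so the
# existing signatures are reused, and passing the origin explicitly.
# $1 = signed zone file, $2 = key directory, $3 = signature lifetime (seconds)
resign_zone() {
    origin=$(zone_origin "$1") || return 1
    # DNSSEC_SIGNZONE is a hypothetical override for a non-default binary path.
    ${DNSSEC_SIGNZONE:-dnssec-signzone} -o "$origin" -f "$1" -a -e "+$3" \
        -K "$2" -N INCREMENT "$1"
}

# Usage: resign_zone xxxxxx.org.signed keys/ 15724800
```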


