named-checkzone error "NSEC node already exists"

Mark Andrews marka at isc.org
Mon Dec 6 22:27:59 UTC 2010


In message <AANLkTikW6pXuf-cZFrX+oGwXDZaAqmec2y3KQ0pxKKbq at mail.gmail.com>, jim 
writes:
> Hi,
> 
> Running BIND 9.7.0-P2-RedHat-9.7.0-5.P2.el6

Upgrade.
 
> New setup/install and attempting to setup DNSSEC and clean any dirty data.
> Got the zone signed and ran named-checkzone against it and got the following
> (11) times:
>      addnode: NSEC node already exists
> The .signed loads but want to have clean before going live and not sure how
> to narrow down where these eleven duplicates are coming from?
> See these repeated eleven times in debug.log for each start of named,
> running debug of 3
>    06-Dec-2010 14:43:39.266 database: warning: addnode: NSEC node already
> exists

Ignore it.  It's an artifact of the rbt implementation.  The warning has been
removed in newer versions.
 
> Sorry, some more stupid questions on DNSSEC that I'm just confused about.
> 
>  1) Do I sign my n.n.n.in-addr.arpa zone just like my domain.edu?
> 
>    # dnssec-keygen -r /dev/urandom n.n.n.in-addr.arpa
>    # dnssec-keygen -f KSK -r /dev/urandom n.n.n.in-addr.arpa
>    # named-checkzone -t /var/named n.n.n.in-addr.arpa dns.net.domain
>       runs OK
>    # dnssec-signzone -g -k Kn.n.n.in-addr.arpa.+005+33126.key -o
> n.n.n.in-addr.arpa dns.net-iup Kn.n.n.in-addr.arpa.+005+24720.key

Yes.  A zone is a zone.  There is nothing special about "reverse" zones as
far as the DNS is concerned.  It's the users of the DNS that treat it as special.
 
> 2) After I have my island of security setup and working, register the KSK
> public key with educause correct?

You register the zones with their parents.  If educause is one of the parents
then yes, for that zone.
 
> 3) After registered with educause should I stop reading in
> /etc/named.iscdlv.key?

Publishing signed zones is independent of validating responses.  I
would stop using dlv when it stops giving a benefit.  At the moment there
are still lots of zones that can only be validated using dlv.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
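Added example (not part of the original thread, and not BIND code): the question above asks how to narrow down where duplicate NSEC entries in a .signed file might come from, and the reply makes the point that a reverse zone is signed like any other zone. The script below walks the NSEC chain of a small signed zone in presentation format and reports owners with a missing or duplicate NSEC, and NSEC records whose "next name" does not match the canonical order of RFC 4034 section 6.1. The zone 0.0.10.in-addr.arpa with ns1/www/mail.example.edu is constructed sample data; a real check would of course run named-checkzone against the actual .signed file. It also shows a detail that bites in reverse zones: canonical order compares labels as octet strings, so 1, 10, 2 is the correct order, not 1, 2, 10.

```python
"""Walk the NSEC chain of a signed zone file and report gaps, duplicates
and out-of-order "next name" pointers.  Sample zones are constructed."""
from collections import defaultdict

# Constructed, correctly chained reverse zone (RRSIGs omitted for brevity).
GOOD_ZONE = """
0.0.10.in-addr.arpa.    3600 IN SOA  ns1.example.edu. hostmaster.example.edu. 2010120601 7200 3600 1209600 3600
0.0.10.in-addr.arpa.    3600 IN NS   ns1.example.edu.
0.0.10.in-addr.arpa.    3600 IN NSEC 1.0.0.10.in-addr.arpa. NS SOA RRSIG NSEC DNSKEY
1.0.0.10.in-addr.arpa.  3600 IN PTR  ns1.example.edu.
1.0.0.10.in-addr.arpa.  3600 IN NSEC 10.0.0.10.in-addr.arpa. PTR RRSIG NSEC
10.0.0.10.in-addr.arpa. 3600 IN PTR  www.example.edu.
10.0.0.10.in-addr.arpa. 3600 IN NSEC 2.0.0.10.in-addr.arpa. PTR RRSIG NSEC
2.0.0.10.in-addr.arpa.  3600 IN PTR  mail.example.edu.
2.0.0.10.in-addr.arpa.  3600 IN NSEC 0.0.10.in-addr.arpa. PTR RRSIG NSEC
"""

# Constructed broken zone: a duplicate NSEC at 1.0.0.10 and pointers that
# follow numeric order (1 -> 2 -> 10) instead of canonical order (1 -> 10 -> 2).
BAD_ZONE = GOOD_ZONE + """
1.0.0.10.in-addr.arpa.  3600 IN NSEC 2.0.0.10.in-addr.arpa. PTR RRSIG NSEC
""".replace(
    "", ""
) + ""
BAD_ZONE = BAD_ZONE.replace(
    "2.0.0.10.in-addr.arpa.  3600 IN NSEC 0.0.10.in-addr.arpa. PTR RRSIG NSEC",
    "2.0.0.10.in-addr.arpa.  3600 IN NSEC 10.0.0.10.in-addr.arpa. PTR RRSIG NSEC",
)


def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical order: labels compared
    right to left as lowercase octet strings; an ancestor name sorts before
    its descendants because a shorter tuple compares less than a longer one."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))


def parse_zone(text):
    """Minimal parser for one-record-per-line presentation format with fully
    qualified owner names.  Returns (owner, rrtype, rdata_tokens) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        owner = tokens[0].lower().rstrip(".")
        i = 1
        if tokens[i].isdigit():                   # optional TTL
            i += 1
        if tokens[i].upper() == "IN":             # optional class
            i += 1
        records.append((owner, tokens[i].upper(), tokens[i + 1:]))
    return records


def check_nsec_chain(zone_text):
    """Return a list of problems; an empty list means every owner has exactly
    one NSEC, each points at the canonically next owner, and the last wraps
    back to the apex."""
    records = parse_zone(zone_text)
    apex = next((o for o, t, _ in records if t == "SOA"), None)
    if apex is None:
        return ["no SOA record: cannot determine zone apex"]

    owners = sorted({o for o, _, _ in records}, key=canonical_key)
    nsec_next = defaultdict(list)                 # owner -> list of next names
    for owner, rrtype, rdata in records:
        if rrtype == "NSEC":
            nsec_next[owner].append(rdata[0].lower().rstrip("."))

    problems = []
    # Every authoritative owner carries exactly one NSEC.  (Glue below a zone
    # cut would legitimately lack one; the sample zones have no delegations.)
    for owner in owners:
        count = len(nsec_next.get(owner, []))
        if count == 0:
            problems.append(f"missing NSEC at {owner}")
        elif count > 1:
            problems.append(f"duplicate NSEC at {owner} ({count} records)")

    # Each NSEC's next name must be the canonically following owner; the
    # final owner's NSEC wraps around to the apex, closing the chain.
    for idx, owner in enumerate(owners):
        expected = owners[(idx + 1) % len(owners)]
        for nxt in nsec_next.get(owner, []):
            if nxt != expected:
                problems.append(f"NSEC at {owner} points to {nxt}, expected {expected}")
    return problems


if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, check_nsec_chain(zone) or "chain OK")
```

Run it as-is to see the good zone pass and the bad zone report the duplicate at 1.0.0.10 plus the two out-of-order pointers; swap the constructed strings for the contents of your own .signed file to use it as a quick triage step before loading the zone.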
