dnssec-signzone error after updating to 9.6.2-P1
Nate Itkin
bind-users at konadogs.net
Tue Mar 30 03:40:23 UTC 2010
On Tue, Mar 30, 2010 at 01:50:23PM +1100, chris liesfield wrote:
> Here's the output ...
> /var/named # named-checkzone sro.vic.gov.au db.sro.vic.gov.au
> zone sro.vic.gov.au/IN: loaded serial 2010033001
> OK
>
> I chose level 7 debugging to yield as much information as possible, so sorry
> for the size ...
> /var/named # dnssec-signzone -z -v 7 -g -o xxx.xxx.xxx.au db.xxx.xxx.xxx.au
> dnssec-signzone: using 2 cpus
> dnssec-signzone: debug 1: decrement_reference: delete from rbt: 81f2688
[ snip.. ]
Is there a key signing key (KSK) in the zone file? db.xxx.xxx.xxx.au should
have an entry something like this:

$include Kxxx.xxx.xxx.au.+007+12345.key ; KSK

Do that file (Kxxx.xxx.xxx.au.+007+12345.key) and its corresponding
private key (Kxxx.xxx.xxx.au.+007+12345.private) exist with read permission on?

Also, how are you specifying which key is the KSK (typically the -k option
with dnssec-signzone)?

I can replicate your symptoms and the error message by removing the KSK from
a zone file.

Nate Itkin
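
The checks asked about in the message above can be scripted before running dnssec-signzone. This is an added example, not part of the original post or of BIND. Assumptions: the function names are hypothetical, the example.test zone and key ids are constructed, relative $include paths are resolved against the zone file's directory, and a KSK is recognised by DNSKEY flags 257.

```shell
#!/bin/sh
# Assumption: relative $include paths resolve against KEYDIR (default: the
# zone file's directory). All function names here are hypothetical.

# key_flags FILE: print the DNSKEY flags field (257 = KSK, 256 = ZSK).
key_flags() {
    awk '/^[ \t]*;/ { next }
         { for (i = 1; i < NF; i++) if ($i == "DNSKEY") { print $(i + 1); exit } }' "$1"
}

# check_zone_keys ZONEFILE [KEYDIR]: print one status line per included
# K*.key file; return 0 only if some KSK has a readable .key and .private.
check_zone_keys() {
    zonefile=$1
    keydir=${2:-$(dirname "$zonefile")}
    ksk_ok=1
    for inc in $(awk 'tolower($1) == "$include" && $2 ~ /\.key$/ { print $2 }' "$zonefile"); do
        case $inc in /*) key=$inc ;; *) key=$keydir/$inc ;; esac
        priv=${key%.key}.private
        if [ ! -r "$key" ]; then
            echo "FAIL $inc: public key missing or unreadable"; continue
        fi
        if [ ! -r "$priv" ]; then
            echo "FAIL $inc: private key missing or unreadable"; continue
        fi
        case $(key_flags "$key") in
            257) echo "OK   $inc: KSK"; ksk_ok=0 ;;
            256) echo "OK   $inc: ZSK" ;;
            *)   echo "WARN $inc: no DNSKEY flags of 256 or 257 found" ;;
        esac
    done
    [ "$ksk_ok" -eq 0 ] || echo "FAIL $zonefile: no usable KSK included"
    return "$ksk_ok"
}

# Constructed sample zone with one KSK and one ZSK (key material is fake).
make_sample() {
    d=$(mktemp -d)
    printf '$include %s ; KSK\n$include %s ; ZSK\n' \
        Kexample.test.+007+11111.key Kexample.test.+007+22222.key > "$d/db.example.test"
    echo 'example.test. IN DNSKEY 257 3 7 AwEAAfake' > "$d/Kexample.test.+007+11111.key"
    echo 'example.test. IN DNSKEY 256 3 7 AwEAAfake' > "$d/Kexample.test.+007+22222.key"
    : > "$d/Kexample.test.+007+11111.private"
    : > "$d/Kexample.test.+007+22222.private"
    echo "$d"
}

d=$(make_sample) && check_zone_keys "$d/db.example.test"; rm -rf "$d"
```

Run it as the same user that runs dnssec-signzone, since the readability test depends on that account's permissions.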