dnssec-signzone error after updating to 9.6.2-P1
Evan Hunt
each at isc.org
Tue Mar 30 05:53:59 UTC 2010
> Seeing this after upgrading to 9.6.2-P1.
>
> We've made no other changes to the host or any configuration files, etc.
>
> /var/named # dnssec-signzone -g -o xxx.xxx.gov.au db.xxx.xxx.gov.au
> dnssec-signzone: fatal: no self signed KSK's found
When dnssec-signzone has finished signing, it checks the zone for validity.
In this case, it found that the DNSKEY RRset didn't have any signatures
from a key-signing key. This may be due to such a key not existing, or
its private file being inaccessible.
Older versions of dnssec-signzone didn't check for this; that's why
it never appeared to be a problem until now.
Note that sometimes it *isn't* a problem--for example, when you're
signing a zone in two phases, once with a ZSK and later with a KSK. If
that's what's going on in your case, add the -P flag (for "partial") to
dnssec-signzone; that will suppress the validity check.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
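As an added illustration of the post-signing check Evan describes (this is not ISC's code), the script below parses a constructed signed-zone fragment, computes DNSKEY key tags per RFC 4034 Appendix B, and reports whether any RRSIG over the DNSKEY RRset names a key that has the SEP bit set (a KSK); unlike dnssec-signzone it does not verify the signatures cryptographically. The zone name, key material and signatures are made up, and the `partial` flag mimics what `-P` does to the check.

```python
import base64
import struct

# Constructed sample (not real keys): one KSK (flags 257), one ZSK (flags 256),
# and an RRSIG over DNSKEY made only by the ZSK (key tag 1037). This is the
# situation that yields "dnssec-signzone: fatal: no self signed KSK's found".
SIGNED_ZONE = """\
example.gov.au. 3600 IN DNSKEY 257 3 8 AAEAAg==
example.gov.au. 3600 IN DNSKEY 256 3 8 AAAABQ==
example.gov.au. 3600 IN RRSIG DNSKEY 8 3 3600 20100430000000 20100331000000 1037 example.gov.au. c2lnLWJ5LXpzaw==
example.gov.au. 3600 IN RRSIG SOA 8 3 3600 20100430000000 20100331000000 1037 example.gov.au. c2lnLWJ5LXpzaw==
"""

# RRSIG over DNSKEY by the KSK (key tag 1036); appending it makes the check pass.
KSK_RRSIG = ("example.gov.au. 3600 IN RRSIG DNSKEY 8 3 3600 20100430000000 "
             "20100331000000 1036 example.gov.au. c2lnLWJ5LWtzaw==\n")


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (algorithm 1's special case is not handled)."""
    rdata = struct.pack(">HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8   # odd bytes low, even bytes high
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ksk_signed_dnskey(zone_text, partial=False):
    """True if some RRSIG over the DNSKEY RRset was made with a KSK (SEP bit set)
    that is present in the zone. partial=True skips the check, as -P does."""
    if partial:
        return True
    ksk_tags, dnskey_sig_tags = set(), set()
    for line in zone_text.splitlines():
        tok = line.split()
        if "RRSIG" in tok:
            i = tok.index("RRSIG")
            if tok[i + 1] == "DNSKEY":          # type covered
                dnskey_sig_tags.add(int(tok[i + 7]))   # key tag field
        elif "DNSKEY" in tok:
            i = tok.index("DNSKEY")
            flags, proto, alg = (int(x) for x in tok[i + 1:i + 4])
            if flags & 0x0001:                  # SEP bit marks a key-signing key
                ksk_tags.add(key_tag(flags, proto, alg, "".join(tok[i + 4:])))
    return bool(ksk_tags & dnskey_sig_tags)
```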