Dnssec zone signing problem
Mark Andrews
marka at isc.org
Fri May 21 03:07:17 UTC 2010
In message <20100520192619.GA27703 at laperouse.bortzmeyer.org>, Stephane Bortzmeyer writes:
> On Thu, May 20, 2010 at 12:10:53PM -0700,
> itservices88 <itservices88 at gmail.com> wrote
> a message of 92 lines which said:
>
> > # dnssec-signzone -N INCREMENT mydomain.org
> > Verifying the zone using the following algorithms: RSASHA1.
> > Missing RSASHA1 signature for . NSEC
> > The zone is not fully signed for the following algorithms: RSASHA1.
> > dnssec-signzone: fatal: DNSSEC completeness test failed.
>
> I do not find these error messages in BIND source code. Are you sure
> you use the pristine dnssec-signzone and not, say, a local custom
> script?
The message is there.
fprintf(stderr, "Missing %s signature for "
"%s %s\n", algbuf, namebuf, typebuf);
> (dnssec-signzone is supposed to sign the zone, not to check that it is
> signed.)
There are lots of ways to use dnssec-signzone to "sign" a zone such
that you can't validate it. You can also disable the checks if you
need to take the zone through such a state. It's on by default so
it becomes hard to shoot yourself in the foot.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
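Added example, not code from the thread or from BIND: a simplified model of the completeness test Mark refers to, in Python. It assumes one rule (BIND's real check has more cases, such as unsigned glue): every RRset other than RRSIG must carry an RRSIG for each algorithm present in the DNSKEY RRset. The constructed sample zone omits the RRSIG over the apex NSEC, which reproduces the "Missing RSASHA1 signature for ... NSEC" condition from the original report.

```python
from collections import defaultdict

# DNSSEC algorithm numbers -> mnemonics used by the tool's messages (subset).
ALGORITHMS = {5: "RSASHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}

# Constructed sample: a signed zone in which the apex NSEC has no RRSIG.
# Key and signature data are placeholders; the check never decodes them.
SAMPLE_ZONE = """
mydomain.org. 3600 IN SOA ns1.mydomain.org. hostmaster.mydomain.org. 2010052001 7200 3600 1209600 3600
mydomain.org. 3600 IN RRSIG SOA 5 2 3600 20100620000000 20100521000000 12345 mydomain.org. SIGDATA
mydomain.org. 3600 IN NS ns1.mydomain.org.
mydomain.org. 3600 IN RRSIG NS 5 2 3600 20100620000000 20100521000000 12345 mydomain.org. SIGDATA
mydomain.org. 3600 IN DNSKEY 257 3 5 KEYDATA
mydomain.org. 3600 IN RRSIG DNSKEY 5 2 3600 20100620000000 20100521000000 12345 mydomain.org. SIGDATA
mydomain.org. 3600 IN NSEC ns1.mydomain.org. NS SOA RRSIG NSEC DNSKEY
ns1.mydomain.org. 3600 IN A 192.0.2.1
ns1.mydomain.org. 3600 IN RRSIG A 5 3 3600 20100620000000 20100521000000 12345 mydomain.org. SIGDATA
ns1.mydomain.org. 3600 IN NSEC mydomain.org. A RRSIG NSEC
ns1.mydomain.org. 3600 IN RRSIG NSEC 5 3 3600 20100620000000 20100521000000 12345 mydomain.org. SIGDATA
"""

def parse_zone(text):
    """Parse one-record-per-line zone text into (owner, type, rdata fields)."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()  # strip comments and blank lines
        if line:
            owner, _ttl, _class, rtype, *rdata = line.split()
            records.append((owner, rtype, rdata))
    return records

def completeness_errors(zone_text):
    """Simplified completeness test (an assumption, not BIND's exact rules):
    every RRset except RRSIG needs an RRSIG for each DNSKEY algorithm.
    Returns messages in the style dnssec-signzone prints."""
    zone_algs, rrsets = set(), set()
    signed = defaultdict(set)  # (owner, covered type) -> signing algorithms
    for owner, rtype, rdata in parse_zone(zone_text):
        if rtype == "RRSIG":  # rdata: type-covered algorithm labels ...
            signed[(owner, rdata[0])].add(int(rdata[1]))
            continue
        if rtype == "DNSKEY":  # rdata: flags protocol algorithm key
            zone_algs.add(int(rdata[2]))
        rrsets.add((owner, rtype))
    return [f"Missing {ALGORITHMS.get(alg, str(alg))} signature for {owner} {rtype}"
            for owner, rtype in sorted(rrsets)
            for alg in sorted(zone_algs)
            if alg not in signed[(owner, rtype)]]
```

Adding the missing RRSIG NSEC line for the apex to the sample makes completeness_errors return an empty list.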