DNSSEC signing issues

Mark Andrews marka at isc.org
Fri Apr 22 16:25:33 UTC 2011


In message <8D870AB38C30EC4C848A11A3F83D20D801733325E60C at exchange2007.mmicmanhomenet.local>, "Security Admin (NetSec)" writes:
> 
> I am running BIND 9.4.2-P2 on OpenBSD v4.8
> 
> I have created the ZSK and KSK and added the keys to my zonefile
> "mydomain.hosts" using the "cat" command to append to the end of the
> host file.
> 
> When attempting to use the following command "dnssec-signzone -N INCREMENT
> mydomain.hosts" I get the following error:
> 
> dnssec-signzone: error: dns_master_load: mydomain.hosts:15: mydomain.com: not at top of zone
> dnssec-signzone: failed loading zone from ' mydomain.hosts': not at top of zone
> 
> I own this domain and the DNS servers associated with them.  Line 15
> referenced in the above error is an MX record within the host file. I am
> unsure how to debug this error.  Any help would be appreciated.

Specify the zone name with "-o mydomain.com".  By default the zone matches
the file name.
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
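
The fix above as a pre-flight check, added here as an example that is not part of the original thread: the script reads the SOA owner name from the zone file and prints the dnssec-signzone command, adding "-o" only when the file name differs from the zone name. The helper names soa_owner and signzone_cmd and the sample zone contents are assumptions; the parser expects the SOA record to start on a line with an explicit owner name, or "@" under $ORIGIN.

```shell
#!/bin/sh
# Added example (not from the thread): pick the -o origin from the zone SOA.

# Print the fully qualified, lower-cased owner name of the SOA record in file $1.
soa_owner() {
    awk '
        toupper($1) == "$ORIGIN" { origin = $2; next }  # remember $ORIGIN
        /^[ \t]*;/ || /^[ \t]*$/ { next }               # comments, blank lines
        /^[ \t]/ { next }                               # inherited owner, skip
        {
            for (i = 2; i <= NF && i <= 4; i++) {       # owner [ttl] [class] SOA
                if (toupper($i) != "SOA") continue
                owner = $1
                if (owner == "@") owner = origin
                else if (owner !~ /\.$/) owner = (origin == "" ? "" : owner "." origin)
                if (owner != "") print tolower(owner)
                exit
            }
        }
    ' "$1"
}

# Print the signing command for zone file $1. Without -o, dnssec-signzone
# takes the file name as the zone name, so -o is added when they differ.
signzone_cmd() {
    file=$1
    zone=$(soa_owner "$file") || return 1
    [ -n "$zone" ] || return 1          # no usable SOA owner found
    zone=${zone%.}                      # drop the trailing root dot
    if [ "$(basename "$file")" = "$zone" ]; then
        echo "dnssec-signzone -N INCREMENT $file"
    else
        echo "dnssec-signzone -N INCREMENT -o $zone $file"
    fi
}

# Constructed sample zone file, named as in the question.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/mydomain.hosts" <<'EOF'
$TTL 3600
mydomain.com. IN SOA ns1.mydomain.com. hostmaster.mydomain.com. 1 3600 900 604800 3600
mydomain.com. IN NS  ns1.mydomain.com.
mydomain.com. IN MX  10 mail.mydomain.com.
EOF
    signzone_cmd "$dir/mydomain.hosts"
    rm -rf "$dir"
}
demo
```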
