DNSSEC and BIND 9.12

@lbutlr kremels at kreme.com
Sat Jan 26 19:20:49 UTC 2019


On 21 Jan 2019, at 13:49, Mark Andrews <marka at isc.org> wrote:

Thanks for the info on the first two questions.

>> Third, what does “not at top of zone” mean in dnssec-verify?
> 
> Some record that should have been at the zone’s apex (name) wasn’t.  Either you passed the wrong
> zone name to dnssec-verify or you have put records in the wrong place in the zone.

OK, named-checkzone returns "OK" but dnssec-verify complains about not at top of zone.

Ah, wait, no, I was doing it wrong.

Now both commands return success, but after reloading bind and trying to query localhost for the DNSSEC information it returns nothing.

I then removed "auto-dnssec maintain" and "inline-signing yes" from the zone record in named.conf and now everything is behaving as expected when I query localhost for the DNSSEC info. (I know this is not complete until I update the records at the registrar, but I am not ready to do that.)

Which brings up one more question: what sort of maintenance/renewal process do I need to implement, if any? Once the zone is signed I assume that signature expires at some point. When I edit the conf file, I will have to manually regenerate the sonf.signed file since I had to remove "auto-dnssec maintain", yes?

-- 
'You know the worst of it?' said Rincewind.
'Oook?'
'I don't even remember walking under a mirror.' --Mort