I am running bind in a chroot jail, btw.

I had this working a while ago, and left it for a while
and then tried to set it up again, with no luck.

I am sure it is something simple...
--
Jack Tavares


________________________________
From: bind-users-boun...@lists.isc.org [bind-users-boun...@lists.isc.org] On Behalf Of Jack Tavares [j.tava...@f5.com]
Sent: Wednesday, May 13, 2009 10:27
To: bind-users@lists.isc.org
Subject: error while attempting to use nsupdate on a DNSSEC signed zone

Hello -

(bind9.6.0-P1)

I have set up a zone that is signed.
It is an island of security zone for testing purposes.

I have set up a TSIG key and set the allow-update
to accept the key.

I have followed every step, afaict, in the various
how-tos on how to sign a zone.

But when I try to do an update, I get an error.

All the error says is
signer "update.test.net" approved
13-May-2009 14:16:37.947 client 127.0.0.1#2490: view external: updating zone 'test.net/IN': adding an RR at 'blah.test.net' A
13-May-2009 14:16:37.953 client 127.0.0.1#2490: view external: updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure
"failure" is all it says for a reason.

I looked at the bind source, and there are some more useful error messages about keys etc.
But all I am getting is "failure".

If I do the same nsupdate without DNSSEC, it works.
It appears there is something wrong with my setup and the regeneration of the RRSIG/NSEC
keys is failing. (I have tried it with both NSEC and NSEC3 keys)

I will put together a (simpler) named.conf and zone file that causes this and post that info,
but I was hoping that maybe somebody has seen this and has an idea.

Thanks


--
Jack Tavares

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
