> Seeing this after upgrading to 9.6.2-P1.
>
> We've made no other changes to the host or any configuration files, etc.
>
> /var/named # dnssec-signzone -g -o xxx.xxx.gov.au db.xxx.xxx.gov.au
> dnssec-signzone: fatal: no self signed KSK's found

When dnssec-signzone has finished signing, it checks the zone for validity. In this case, it found that the DNSKEY RRset didn't have any signatures from a key-signing key. This may be due to such a key not existing, or its private file being inaccessible.

Older versions of dnssec-signzone didn't check for this; that's why it never appeared to be a problem until now.

Note that sometimes it *isn't* a problem--for example, when you're signing a zone in two phases, once with a ZSK and later with a KSK. If that's what's going on in your case, add the -P flag (for "partial") to dnssec-signzone; that will suppress the validity check.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
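
Added example (not part of the original message and not ISC code): a pre-signing check for the two causes named in the reply above, a missing key-signing key or an inaccessible private file. It assumes the key files sit in one directory under BIND's standard names (K<zone>.+<alg>+<tag>.key and .private) and treats DNSKEY flags 257 as a KSK and 256 as a ZSK; the function name check_ksk is hypothetical.

```shell
#!/bin/sh
# Added example: look for a usable KSK before running dnssec-signzone.
# Assumes BIND's standard key file names: K<zone>.+<alg>+<tag>.key / .private
#
# usage: check_ksk ZONE [KEYDIR]
# returns 0: a KSK (DNSKEY flags 257) with a readable .private file exists
#         1: no KSK among the key files for ZONE
#         2: a KSK exists, but its .private file is missing or unreadable
check_ksk() {
    zone=${1%.}                 # accept the zone with or without trailing dot
    dir=${2:-.}
    found=0
    usable=0
    for key in "$dir"/K"$zone".+*.key; do
        [ -f "$key" ] || continue       # the glob matched nothing
        # The flags field follows the "DNSKEY" token; ';' lines are comments.
        flags=$(awk '!/^;/ { for (i = 1; i < NF; i++)
                     if ($i == "DNSKEY") { print $(i+1); exit } }' "$key")
        case $flags in
            257) role=KSK ;;
            256) role=ZSK ;;
            *)   role="other($flags)" ;;
        esac
        priv=${key%.key}.private
        if [ -r "$priv" ]; then
            state=readable
        else
            state=missing-or-unreadable
        fi
        echo "$role ${key##*/} private=$state"
        if [ "$role" = KSK ]; then
            found=1
            if [ "$state" = readable ]; then usable=1; fi
        fi
    done
    if [ "$usable" -eq 1 ]; then return 0; fi
    if [ "$found" -eq 1 ]; then return 2; fi
    return 1
}
```

Run it as the same user that runs dnssec-signzone, since readability of the .private file depends on who is asking.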