On Sat, Oct 15, 2011 at 3:11 AM, Mark Elkins <m...@posix.co.za> wrote:
> Basically - create a KSK and ZSK with RSASHA1 - Sign - and visibly check
> the results.
> Add a new KSK using RSASHA256 - prep the zone and sign again.
> 1 - Signer is confused???? - can not sign (or generate a new Signed
> Zone)...
> Verifying the zone using the following algorithms: RSASHA1.
> Missing self signing KSK for algorithm RSASHA256
> The zone is not fully signed for the following algorithms:
> RSASHA256.
> dnssec-signzone: fatal: DNSSEC completeness test failed.
>

When you include DNSKEYs with multiple algorithms, both the DNSKEY RRset and the other RRsets in the zone must be signed with each algorithm [1]. Because you designated your RSASHA256 DNSKEY as a KSK, dnssec-signzone is only using it to sign the DNSKEY RRset, not the other RRsets. To resolve this, add a ZSK with algorithm RSASHA256 to your zone.

Regards,
Casey

[1] See http://tools.ietf.org/html/rfc4035 - section 2.2
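To make the completeness rule concrete, here is an added Python model (not BIND's code and not from this thread) of how the signer applies RFC 4035 section 2.2: with an RSASHA256 KSK alone the non-DNSKEY RRsets carry no RSASHA256 signature, and adding an RSASHA256 ZSK closes the gap. The RRset names and key lists are constructed, and the key-usage rule (a KSK signs only the DNSKEY RRset, a ZSK signs every RRset) is assumed to match the signer's default behaviour described above.

```python
from collections import defaultdict

KSK, ZSK = 257, 256                          # DNSKEY flags field values
ALG_NAMES = {5: "RSASHA1", 8: "RSASHA256"}   # IANA DNSSEC algorithm numbers


def simulated_rrsigs(keys, rrsets):
    """Assumed signer behaviour: a KSK signs only the DNSKEY RRset,
    a ZSK signs every RRset. Returns {rrset: {algorithms that signed it}}."""
    sigs = defaultdict(set)
    for flags, alg in keys:
        for rrset in rrsets:
            if flags == ZSK or rrset == "DNSKEY":
                sigs[rrset].add(alg)
    return sigs


def missing_signatures(keys, rrsets):
    """RFC 4035 section 2.2 completeness rule: every algorithm present in the
    DNSKEY RRset must have an RRSIG over every RRset in the zone.
    Returns {algorithm name: [RRsets lacking a signature by it]};
    an empty dict means the zone is fully signed."""
    sigs = simulated_rrsigs(keys, rrsets)
    gaps = {}
    for alg in sorted({alg for _, alg in keys}):
        unsigned = [r for r in rrsets if alg not in sigs[r]]
        if unsigned:
            gaps[ALG_NAMES.get(alg, f"alg{alg}")] = unsigned
    return gaps


# Constructed stand-ins for the RRsets of a small zone.
RRSETS = ["DNSKEY", "SOA", "NS", "www A"]
# The setup from the thread: RSASHA1 KSK + ZSK, then an RSASHA256 KSK only.
KEYS_KSK_ONLY = [(KSK, 5), (ZSK, 5), (KSK, 8)]
# The suggested fix: add an RSASHA256 ZSK as well.
KEYS_WITH_ZSK = KEYS_KSK_ONLY + [(ZSK, 8)]

if __name__ == "__main__":
    for label, keys in (("RSASHA256 KSK only", KEYS_KSK_ONLY),
                        ("RSASHA256 KSK + ZSK", KEYS_WITH_ZSK)):
        gaps = missing_signatures(keys, RRSETS)
        print(f"{label}: {'complete' if not gaps else gaps}")
```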
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users