We're upgrading from BIND 9.8 to 9.9, and there's a new warning from dnssec-signzone that's confusing me. We are using a locally developed mechanism for signing that predates the auto and in-line signing mechanisms currently available in BIND, and run the command like this:

dnssec-signzone -d /path/to/dsset -K /path/to/keys -3 0000001111 -f zone.signed -e +3024000 -j 1800 -o zone.edu -r /dev/urandom -S -T 12h /path/to/input

dnssec-signzone: warning: NSEC3 generation requested with no DNSKEY; ignoring
Fetching ZSK 59544/RSASHA256 from key repository.
Fetching ZSK 29076/RSASHA256 from key repository.
Fetching KSK 11110/RSASHA256 from key repository.
Fetching KSK 38074/RSASHA256 from key repository.
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 1 stand-by, 0 revoked
                      ZSKs: 1 active, 1 stand-by, 0 revoked

Despite the warning that appears to be saying it's ignoring NSEC3 generation, the signed output includes NSEC3 data:

                        0       NSEC3PARAM 1 0 10 0000001111
                        0       RRSIG   NSEC3PARAM 8 2 0 (
20130530022110 20130425022136 59544 zone.edu. MREyFqJcDGl7q1+iIb5/SPXZjloP7JkQQDyIDviqW5VdCHE7R+0yiuKGgPFBaxkx7b7C4qNd 5Ok+TP9Oh1yhjx5qKzQCEH9cN+v82+J34fStJBsGZPjejz7Sk9b2n71QMfrBwzyPP4Mczjsz
                                        Cx+Rs1OPSWICqpNZteJ3vEece7Y= )

                        10800   RRSIG   NSEC3 8 3 10800 (
20130530020852 20130425022136 59544 zone.edu.
C6CearljzIjr/oN9h05AAXmdfI2+TXlJE6qh
QsAa8t+4c2BRTr+XujmOHSA6wdTZCJpbF00t
k3ex9J4FGUqrvmrfgoMG/97i1LTtU4+zKGtH
iYZzns1mBx6+SvMat0MdIA5Oyf/BshTQKw9A
uArXwwrt4tZpI2oqjqaO++lNPSU= )

and it most certainly includes DNSKEYs:

                        43200   DNSKEY  256 3 8 (
AwEAAbdtXRiwmMRMktaixtDE5HafjiVncGJX
xniePMxmZui8XWZ/QYDdwCAa9q7os6chnZ0J
LA7jFhDpjx9dAJXL1DLgYGOKKxAgAtQeODS/
DDek96Phnc34eTui4zARMI5Xtg2izbV5qHZE
S6oAmhVOVtk7XCymL1WGyK5QM1QK8/h/
) ; ZSK; alg = RSASHA256; key id = 29076

What exactly is this warning supposed to mean?

Thanks…
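
A post-signing check that a wrapper around dnssec-signzone could run on the signed output, added here as an example and not part of the original post: it confirms that DNSKEYs are present and that NSEC3 was applied with the requested salt and iteration count, independent of what the warning says. The function names and the sample zone text are constructed, and treating an RRSIG over NSEC as evidence of an NSEC chain is an assumption of this example.

```python
# Constructed sample in dnssec-signzone's output layout; key and signature data are placeholders.
SAMPLE = """\
                        43200   DNSKEY  256 3 8 (
                                AwEAAbdtPLACEHOLDER ) ; ZSK; alg = RSASHA256; key id = 29076
                        43200   DNSKEY  257 3 8 ( AwEAAcPLACEHOLDER ) ; KSK; alg = RSASHA256
                        0       NSEC3PARAM 1 0 10 0000001111
                        10800   RRSIG   NSEC3 8 3 10800 (
                                20130530020852 20130425022136 59544 zone.edu. PLACEHOLDERSIG= )
"""

RR_TYPES = {"DNSKEY", "NSEC3PARAM", "NSEC3", "NSEC", "RRSIG"}

def records(text):
    """Yield (type, rdata tokens) per record, joining ( ... ) continuation lines."""
    buf, depth = [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0]                     # strip zone-file comments
        depth += line.count("(") - line.count(")")
        buf += line.replace("(", " ").replace(")", " ").split()
        if depth == 0 and buf:
            i = next((n for n, t in enumerate(buf) if t in RR_TYPES), None)
            if i is not None:
                yield buf[i], buf[i + 1:]
            buf = []

def summarize(text):
    s = {"zsk": 0, "ksk": 0, "nsec3param": None, "signed": set()}
    for rtype, rdata in records(text):
        if rtype == "DNSKEY":
            s["ksk" if int(rdata[0]) & 1 else "zsk"] += 1    # SEP bit marks a KSK
        elif rtype == "NSEC3PARAM":
            s["nsec3param"] = (int(rdata[2]), rdata[3].lower())  # (iterations, salt)
        elif rtype == "RRSIG":
            s["signed"].add(rdata[0])                        # type covered by the signature
    return s

def nsec3_problems(text, salt, iterations):
    """Empty list: DNSKEYs present and NSEC3 applied with the requested parameters."""
    s, out = summarize(text), []
    if s["zsk"] + s["ksk"] == 0:
        out.append("no DNSKEY records")
    if s["nsec3param"] != (iterations, salt.lower()):
        out.append(f"NSEC3PARAM is {s['nsec3param']}, expected ({iterations}, '{salt}')")
    if "NSEC3" not in s["signed"]:
        out.append("no RRSIG covering NSEC3")
    if "NSEC" in s["signed"]:
        out.append("RRSIG covering NSEC found: zone has an NSEC chain")
    return out
```

Calling `nsec3_problems(open("zone.signed").read(), "0000001111", 10)` after each signing run and failing on a non-empty result catches a run that really did drop NSEC3.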