> dnssec-signzone -d /path/to/dsset -K /path/to/keys -3 0000001111 -f
> zone.signed -e +3024000 -j 1800 -o zone.edu -r /dev/urandom -S -T 12h
> /path/to/input
>
> dnssec-signzone: warning: NSEC3 generation requested with no DNSKEY;
> ignoring
> Fetching ZSK 59544/RSASHA256 from key repository.
> Fetching ZSK 29076/RSASHA256 from key repository.
> Fetching KSK 11110/RSASHA256 from key repository.
> Fetching KSK 38074/RSASHA256 from key repository.
> Verifying the zone using the following algorithms: RSASHA256.
> Zone fully signed:
> Algorithm: RSASHA256: KSKs: 1 active, 1 stand-by, 0 revoked
>                       ZSKs: 1 active, 1 stand-by, 0 revoked
>
> Despite the warning that appears to be saying it's ignoring NSEC3
> generation, the signed output includes NSEC3 data: [...]
> What exactly is this warning supposed to mean?

The warning is spurious and has been fixed in 9.9.3. It was incorrectly
checking to see whether there were any DNSKEY records in the zone *before*
loading them from the key files. It should have been doing so afterward,
obviously.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
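
A way to confirm what the thread describes, added here as an example (not code from the posts or from BIND): it scans a signed zone file and reports whether DNSKEY, NSEC3PARAM and NSEC3 records are present and carry the salt given to `-3`. The function names and the sample zone are constructed, and the parser assumes no `;` or parentheses inside quoted strings.

```python
import collections

# Constructed sample in zone-file layout; key, signature and hash material are
# placeholders. Zone name and salt follow the command quoted in the thread.
SAMPLE = """\
; constructed sample, not real dnssec-signzone output
zone.edu.  3600 IN SOA ns1.zone.edu. admin.zone.edu. (
                2013010101 ; serial
                7200 3600 1209600 3600 )
           3600 RRSIG SOA 8 2 3600 (
                20130301000000 20130125000000 59544 zone.edu.
                PLACEHOLDERSIG= )
           3600 DNSKEY 256 3 8 ( PLACEHOLDERZSK= ) ; ZSK
           3600 DNSKEY 257 3 8 ( PLACEHOLDERKSK= ) ; KSK
           0    NSEC3PARAM 1 0 10 0000001111
PLACEHOLDERHASH.zone.edu. 3600 IN NSEC3 1 0 10 0000001111 (
                PLACEHOLDERNEXT SOA RRSIG DNSKEY NSEC3PARAM )
"""

def record_heads(text):
    """Yield (type, first-line rdata tokens) per record; skip continuation lines."""
    depth = 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]            # strip comment
        inside = depth > 0                     # continuation of a "(" record
        depth += line.count("(") - line.count(")")
        tokens = line.replace("(", " ").replace(")", " ").split()
        if inside or not tokens or tokens[0].startswith("$"):
            continue
        if not line[0].isspace():
            tokens = tokens[1:]                # owner name present
        while tokens and (tokens[0].isdigit() or tokens[0] == "IN"):
            tokens = tokens[1:]                # TTL and class
        if tokens:
            yield tokens[0], tokens[1:]

def nsec3_summary(text, expected_salt):
    """Count the record types that matter and compare every NSEC3 salt to -3."""
    counts, salts = collections.Counter(), set()
    for rtype, rdata in record_heads(text):
        counts[rtype] += 1
        if rtype in ("NSEC3", "NSEC3PARAM") and len(rdata) >= 4:
            salts.add(rdata[3].lower())        # rdata: alg flags iterations salt
    return {"dnskey": counts["DNSKEY"], "nsec3param": counts["NSEC3PARAM"],
            "nsec3": counts["NSEC3"], "nsec": counts["NSEC"],
            "salt_ok": salts == {expected_salt.lower()}}

if __name__ == "__main__":
    print(nsec3_summary(SAMPLE, "0000001111"))
```

A zone where the warning was real would show `nsec3` and `nsec3param` at 0; run against the actual `zone.signed` by passing its contents as `text`.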