A newly minted ZSK signs a domain's SOA but not its A or MX records.
What basic config step did I miss?

For the domain 'trikids123.com' I created and installed a new ZSK with a
key ID of 28053 using these commands:

dnssec-keygen -a 8 -b 1024 trikids123.com
chown bind:bind *   # this is bind910 on FreeBSD 10.1
chmod o-r *
rndc loadkeys trikids123.com

No complaints in the log. But then:

- 'dig +dnssec +multi soa trikids123.com' shows the RRset signed by the
new ZSK (28053).

- 'dig +dnssec +multi a trikids123.com' does not show the RRset signed
by the new ZSK (28053). Same with a query for the MX record.

The zone's definition in named.conf:

        zone "trikids123.com" in {
                type master;
                file "dynamic/trikids123.com/trikids123.com.db";
                allow-query { any; };
                allow-transfer { external-xfer; };
                notify yes;
                key-directory "keys/trikids123.com";
                inline-signing yes;
                auto-dnssec maintain;
        };

Thanks in advance for troubleshooting clues.

dn
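
A check for the symptom described in the post above, added here as an example and not part of the original message: it parses `dig +dnssec` output and lists the covered type, key tag and expiration of each RRSIG, so the SOA and A answers can be compared key by key. The function names `rrsig_tags` and `signed_by`, key tag 11111 and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which keys signed each RRset in `dig +dnssec` output.

# rrsig_tags: read dig output (with or without +multi) on stdin and print
# "<covered-type> <key-tag> <expiration>" for every RRSIG record in it.
rrsig_tags() {
    awk '
    {
        sub(/;.*/, "")        # drop dig comments and header lines
        gsub(/[()]/, " ")     # drop the parentheses +multi wraps records in
        for (i = 1; i <= NF; i++) tok[++n] = $i
    }
    END {
        # RRSIG rdata order: type alg labels origttl expiration inception keytag signer
        for (i = 1; i + 7 <= n; i++)
            if (tok[i] == "RRSIG")
                print tok[i + 1], tok[i + 7], tok[i + 5]
    }'
}

# signed_by TYPE KEYTAG: succeed if stdin holds an RRSIG over TYPE made by KEYTAG.
signed_by() {
    rrsig_tags | awk -v want="$1" -v tag="$2" \
        '$1 == want && $2 == tag { found = 1 } END { exit !found }'
}

# Constructed samples. 28053 is the new ZSK from the post; 11111 and the
# signature blobs are made-up stand-ins.
SAMPLE_SOA='trikids123.com. 3600 IN RRSIG SOA 8 2 3600 (
        20150301000000 20150130000000 28053 trikids123.com.
        Q09OU1RSVUNURUQ= )'
SAMPLE_A='trikids123.com. 3600 IN A 192.0.2.10
trikids123.com. 3600 IN RRSIG A 8 2 3600 (
        20150220000000 20150121000000 11111 trikids123.com.
        Q09OU1RSVUNURUQ= )'

for sample in "$SAMPLE_SOA" "$SAMPLE_A"; do
    printf '%s\n' "$sample" | rrsig_tags
done
# Live use: dig +dnssec +multi a trikids123.com | signed_by A 28053 && echo signed
```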





