Hi,

I have 5 signed zones (2 x .email, 2 x .com and 1 x .co.uk).

I used Webmin to do the heavy lifting of signing/resigning etc. Only 2 of the 5 zones are recognised as (DNSSEC Signed) by BIND on restart/zone application, and that fact is reported in the system logs. I’m trying to work out why 3 are failing to be recognised as signed. No errors are reported as part of the signing process. The zone files appear to have loads of DNSSEC-related resource records, e.g.:

- RRSIG (digital signature)
- DNSKEY (public key)
- DS (parent-child)
- NSEC (proof of nonexistence)
- NSEC3 (proof of nonexistence)
- NSEC3PARAM (proof of nonexistence)

and the parent registrar has had DS records added.

As BIND is not flagging the zone as signed, it’s not returning RRSIGs in the Answer section of a query (although they are provided in the Additional section). I’m not really sure what the criteria are for BIND to decide a zone is signed. The same process is being used to sign/resign the 5 zones, but only 2 are flagged as signed.

Any tips on how to debug this would be appreciated.

Thanks,
Jay
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
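An added example, not part of Jay's message or of BIND itself: a small zone-file scanner that performs the apex checks I would run before asking why a loaded zone is not reported as signed. The criteria it encodes are my reading of how BIND's zone database decides a loaded zone is secure (a DNSKEY with the Zone Key flag at the apex, plus either an apex NSEC that is itself covered by an RRSIG or an NSEC3PARAM whose flags field is 0); treat that as an assumption to confirm against your BIND version, and confirm the verdict on the live server with `dig +dnssec` against the apex. The two zones embedded below are constructed, with placeholder key and signature data, and the parser only handles one record per line.

```python
"""Zone-file apex checks approximating how BIND decides a loaded zone is
'DNSSEC signed'. Added example; the criteria encoded here are an assumption
(my reading of BIND's behaviour) and should be confirmed against the BIND
version in use."""

ZONE_KEY_FLAG = 0x0100  # DNSKEY "Zone Key" flag bit, RFC 4034 section 2.1.1


def parse_zone(text, origin):
    """Minimal reader for 'name [TTL] [IN] TYPE rdata...' lines.

    Assumes one record per line, '@' or fully qualified owner names, and no
    parenthesis-continued records (enough for the apex checks below)."""
    origin = origin.lower()
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("$"):  # $ORIGIN/$TTL directives are skipped
            continue
        fields = line.split()
        name = fields.pop(0).lower()
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = name + "." + origin
        if fields and fields[0].isdigit():        # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":  # optional class
            fields.pop(0)
        rtype = fields.pop(0).upper()
        records.append((name, rtype, fields))   # fields is the RDATA, tokenised
    return records


def check_zone(text, origin):
    """Return (looks_signed, findings) for the zone text given."""
    origin = origin.lower()
    records = parse_zone(text, origin)
    apex = [r for r in records if r[0] == origin]
    findings = []

    # 1. The apex DNSKEY RRset must contain at least one key with the Zone Key flag.
    zone_keys = [r for r in apex
                 if r[1] == "DNSKEY" and int(r[2][0]) & ZONE_KEY_FLAG]
    if not zone_keys:
        findings.append("no DNSKEY with the Zone Key flag set at the apex")

    # 2a. NSEC chain: the apex NSEC must itself be covered by an RRSIG.
    has_nsec = any(r[1] == "NSEC" for r in apex)
    nsec_signed = any(r[1] == "RRSIG" and r[2][0].upper() == "NSEC" for r in apex)
    if has_nsec and not nsec_signed:
        findings.append("apex NSEC record has no RRSIG covering it")

    # 2b. NSEC3 chain: no NSEC3PARAM flags are defined (RFC 5155 section 4.1.2),
    #     so a flags field other than 0 is suspect; RDATA is: hash flags iter salt.
    nsec3params = [r for r in apex if r[1] == "NSEC3PARAM"]
    usable_nsec3 = [r for r in nsec3params if r[2][1] == "0"]
    if nsec3params and not usable_nsec3:
        findings.append("NSEC3PARAM present but its flags field is not 0")

    # 3. A zone should carry one denial-of-existence chain, not both.
    types = {r[1] for r in records}
    if "NSEC" in types and "NSEC3" in types:
        findings.append("both NSEC and NSEC3 records present in the zone")

    looks_signed = bool(zone_keys) and (bool(usable_nsec3) or (has_nsec and nsec_signed))
    return looks_signed, findings


# Constructed sample zone that passes every check; key/signature fields are placeholders.
SIGNED_ZONE = """\
$ORIGIN example.com.
@    3600 IN SOA    ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
@    3600 IN NS     ns1.example.com.
@    3600 IN DNSKEY 257 3 13 PLACEHOLDERKSK==
@    3600 IN DNSKEY 256 3 13 PLACEHOLDERZSK==
@    3600 IN NSEC   ns1.example.com. NS SOA RRSIG NSEC DNSKEY
@    3600 IN RRSIG  NSEC 13 2 3600 20240201000000 20240101000000 12345 example.com. PLACEHOLDERSIG==
ns1  3600 IN A      192.0.2.1
"""

# Constructed sample zone that has DNSSEC records but fails the checks: the
# NSEC3PARAM has flags=1, and an unsigned NSEC is left beside the NSEC3 chain.
BROKEN_ZONE = """\
$ORIGIN example.net.
@    3600 IN SOA    ns1.example.net. hostmaster.example.net. 2024010101 7200 3600 1209600 3600
@    3600 IN NS     ns1.example.net.
@    3600 IN DNSKEY 257 3 13 PLACEHOLDERKSK==
@    3600 IN NSEC3PARAM 1 1 10 AABBCCDD
@    3600 IN NSEC   ns1.example.net. NS SOA DNSKEY
ABCDEFG.example.net. 3600 IN NSEC3 1 1 10 AABBCCDD HIJKLMN NS SOA RRSIG DNSKEY NSEC3PARAM
ns1  3600 IN A      192.0.2.2
"""

if __name__ == "__main__":
    for label, text, origin in (("signed", SIGNED_ZONE, "example.com."),
                                ("broken", BROKEN_ZONE, "example.net.")):
        ok, notes = check_zone(text, origin)
        print(f"{label}: looks signed = {ok}")
        for note in notes:
            print(f"  - {note}")
```

To run it against a real zone, read the file that `named` actually loads (the signed output, not the unsigned source) and pass the zone's origin with a trailing dot; each finding points at an apex record to inspect with `named-checkzone` or `dig +dnssec`.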