Alan Batie <a...@peak.org> wrote:
> I'm letting named do the automatic signing/generation of RRSIG records,
> but unless I'm missing something, you still have to generate the DNSKEY
> records manually. dnssec-verify is the tool in question complaining
> about not including RSASHA1 keys and signatures.
Oh whoops, sorry, I wasn't paying proper attention.

I think those errors from dnssec-verify look to me like you have an RSASHA256 KSK and an RSASHA1 ZSK. Your key files should all have names like K*+008+* not K*+005+*. In older versions of BIND it's easy to accidentally get a bad key by forgetting the -a option to dnssec-keygen.

(BTW I prefer to talk about "keys" when I have the files with both the public and private parts, and only talk about DNSKEYs when I'm referring to the public parts published in zone files.)

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
a fair, free and open society
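One way to spot the mismatch Tony describes before dnssec-verify does, as an added example that is not from the thread: a POSIX shell script that reads the algorithm number out of each K<zone>+<alg>+<keyid>.key file name and the KSK/ZSK role from the DNSKEY flags field inside the file, then fails when the key files in a directory do not all share one algorithm. The sample key files, the zone name, key IDs and key material are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread): check that every BIND key file
# in a directory (K<zone>+<alg>+<keyid>.key) uses one DNSSEC algorithm.
# A KSK with algorithm 008 (RSASHA256) next to a ZSK with 005 (RSASHA1) is
# the mix dnssec-verify rejects: every algorithm in the DNSKEY RRset must
# have its own signatures over the zone.

# alg_name NUM: readable name for a zero-padded DNSSEC algorithm number.
alg_name() {
  case "$1" in
    005) echo RSASHA1 ;;         007) echo NSEC3RSASHA1 ;;
    008) echo RSASHA256 ;;       010) echo RSASHA512 ;;
    013) echo ECDSAP256SHA256 ;; 015) echo ED25519 ;;
    *)   echo "alg$1" ;;
  esac
}

# list_keys DIR: prints "<file> <alg> <KSK|ZSK>" per key file. The
# algorithm is taken from the file name, the role from the DNSKEY flags
# field inside the file (257 = KSK, 256 = ZSK); ';' comment lines are skipped.
list_keys() {
  for f in "$1"/K*.key; do
    [ -e "$f" ] || continue
    alg=$(basename "$f" .key | cut -d+ -f2)
    role=$(awk '!/^;/ && /DNSKEY/ { for (i = 1; i <= NF; i++)
              if ($i == "DNSKEY") print ($(i+1) == 257 ? "KSK" : "ZSK") }' "$f")
    echo "$(basename "$f") $alg ${role:-unknown}"
  done
}

# check_keys DIR: report each key and return 0 only if all share one algorithm.
check_keys() {
  list_keys "$1" | while read -r file alg role; do
    echo "$file: $role, algorithm $alg ($(alg_name "$alg"))"
  done
  n=$(list_keys "$1" | cut -d' ' -f2 | sort -u | awk 'END { print NR }')
  [ "$n" -eq 1 ]
}

# Constructed sample key files (fake key material): one directory with the
# mismatch from the thread, one with a matching RSASHA256 KSK/ZSK pair.
SAMPLE=$(mktemp -d); MIXED="$SAMPLE/mixed"; CLEAN="$SAMPLE/clean"
mkdir -p "$MIXED" "$CLEAN"
echo 'example.com. IN DNSKEY 257 3 8 AwEAAfakeKSK' > "$MIXED/Kexample.com.+008+12345.key"
echo 'example.com. IN DNSKEY 256 3 5 AwEAAfakeZSK' > "$MIXED/Kexample.com.+005+23456.key"
echo 'example.com. IN DNSKEY 257 3 8 AwEAAfakeKSK' > "$CLEAN/Kexample.com.+008+12345.key"
echo 'example.com. IN DNSKEY 256 3 8 AwEAAfakeZSK' > "$CLEAN/Kexample.com.+008+34567.key"
if check_keys "$MIXED"; then echo "mixed: OK"; else echo "mixed: algorithm mismatch"; fi
if check_keys "$CLEAN"; then echo "clean: OK"; else echo "clean: algorithm mismatch"; fi
```

Point it at the directory named by the zone's key-directory option; a non-zero exit means the DNSKEY RRset mixes algorithms and the zone will not verify until the odd key is replaced.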