+ / let me guess / you use Smart Signing ? Weird, this week, in my verification of DNSSEC'd domains by our registrars I picked up exactly the same error : no RRSIG on the SOA.
They filed a bug report to ISC about this. Might be related to this Smart Signing thing - can you confirm you are also using this ? Kind regards, Marc Lampo Security Officer EURid -----Original Message----- From: Stefan Foerster [mailto:c...@incertum.net] Sent: 29 June 2011 10:57 PM To: bind-us...@isc.org Subject: Single nameserver doesn't show signed SOA-RRs Hello world, I'm having a problem with a single authoritative server that seems to not receive a signed zone. I used www.zonecheck.fr to check the zones incertum.net and billigmail.org and it complains that ns3.wars-nicht.de doesn't have a signed SOA. I already tried increasing the serial for those zones to retransfer them, but the error seems to persist. The affected nameserver is a Debian/lenny running 9.6.ESV.R4, the two other nameservers are Debian/squeeze running 9.7.3. On the affected nameserver, the only configuration with regards to DNSSEC was to add "dnssec-enable yes;" to the named configuration file (and restart it afterwards). Can anyone enlighten me on what I'm doing wrong here? I'd like to iron out this before I submit my keys to my registrar. Cheers Stefan _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users