On 21 Jan 2019, at 13:49, Mark Andrews <ma...@isc.org> wrote:

Thanks for the info on the first two questions.

>> Third, what does “not at top of zone” mean in dnssec-verify?
> 
> Some record that should have been at the zone's apex (name) wasn't.  Either
> you passed the wrong zone name to dnssec-verify or you have put records in
> the wrong place in the zone.

OK, named-checkzone returns "OK" but the dnssec-verify complains about not at 
top of zone. 

Ah, wait, no, I was doing it wrong.

Now both commands return success, but after reloading BIND and trying to query 
localhost for the DNSSEC information it returns nothing.

I then removed "auto-dnssec maintain" and "inline-signing yes" from the zone 
record in named.conf and now everything is behaving as expected when I query 
localhost for the DNSSEC info. (I know this is not complete until I update the 
records at the registrar, but I am not ready to do that.)

Which brings up one more question: what sort of maintenance/renewal process do 
I need to implement, if any? Once the zone is signed I assume that signature 
expires at some point. When I edit the conf file, I will have to manually 
regenerate the sonf.signed file since I had to remove "auto-dnssec maintain", 
yes?

-- 
'You know the worst of it?' said Rincewind.
'Oook?'
'I don't even remember walking under a mirror.' --Mort
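The question above is about signature lifetime once "auto-dnssec maintain" is gone. The script below is an added example written for this page, not code from the thread or from ISC: it reads a signed zone file and reports which RRSIGs have already expired or expire within a warning window, which is the check a manually re-signing operator would want to run from cron. It assumes the RFC 4034 RRSIG RDATA layout (covered type, algorithm, labels, original TTL, expiration, inception, key tag, signer, signature), RFC 1035 master-file syntax with BIND-style parenthesised continuation lines, and an explicit owner name on every record. The sample zone and the `SAMPLE_NOW` timestamp are constructed, not real data.

```python
"""Report RRSIGs in a signed zone file that have expired or expire soon."""
from datetime import datetime, timezone

# Constructed sample (not a real zone): the shape of a dnssec-signzone
# zone.signed file, with some RRSIGs wrapped in parentheses as BIND writes them.
SAMPLE_ZONE = """\
example.com.      3600 IN SOA  ns1.example.com. hostmaster.example.com. 2019012101 7200 3600 1209600 3600
example.com.      3600 IN RRSIG SOA 13 2 3600 (
                       20190220120000 20190121110000 12345 example.com.
                       AbCdEfGh== )
example.com.      3600 IN NS   ns1.example.com.
example.com.      3600 IN RRSIG NS 13 2 3600 (
                       20190125120000 20190121110000 12345 example.com.
                       IjKlMnOp== )
www.example.com.   300 IN A    192.0.2.10
www.example.com.   300 IN RRSIG A 13 3 300 20190201120000 20190121110000 12345 example.com. QrStUvWx==
old.example.com.   300 IN A    192.0.2.11
old.example.com.   300 IN RRSIG A 13 3 300 20190120000000 20190101000000 12345 example.com. YzAbCdEf==
"""

# Constructed "current time" so the sample gives reproducible results.
SAMPLE_NOW = datetime(2019, 1, 21, 12, 0, 0, tzinfo=timezone.utc)


def records(zone_text):
    """Yield each logical record as a token list, joining parenthesised
    continuation lines and dropping ';' comments (RFC 1035 master-file syntax)."""
    depth, buf = 0, []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
            buf, depth = [], 0
            if tokens:
                yield tokens


def parse_rrsigs(zone_text):
    """Return (owner, covered_type, expiration_utc) for every RRSIG record.
    RRSIG RDATA order per RFC 4034: covered type, algorithm, labels,
    original TTL, expiration, inception, key tag, signer, signature.
    Assumes every record line starts with an explicit owner name."""
    out = []
    for tok in records(zone_text):
        if "RRSIG" not in tok:
            continue
        i = tok.index("RRSIG")
        exp = datetime.strptime(tok[i + 5], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        out.append((tok[0], tok[i + 1], exp))
    return out


def check_signatures(zone_text, now, warn_days=7):
    """Classify each RRSIG as 'expired', 'expiring' (within warn_days) or 'ok'.
    Returns a list of (status, owner, covered_type, days_left) in file order."""
    result = []
    for owner, rtype, exp in parse_rrsigs(zone_text):
        days_left = (exp - now).total_seconds() / 86400
        if days_left <= 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        result.append((status, owner, rtype, round(days_left, 1)))
    return result


if __name__ == "__main__":
    # Against a live zone.signed you would pass datetime.now(timezone.utc).
    for status, owner, rtype, days in check_signatures(SAMPLE_ZONE, SAMPLE_NOW):
        print(f"{status:8} {owner:20} {rtype:5} {days:+.1f} days")
```

Run it against a real `zone.signed` by reading the file into `check_signatures` with the current UTC time; any line reported as "expiring" inside your re-signing cadence, or as "expired", means validating resolvers will start returning SERVFAIL for that name unless the zone is re-signed.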


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
