On 21 Jan 2019, at 13:49, Mark Andrews <ma...@isc.org> wrote:

Thanks for the info on the first two questions.

>> Third, what does “not at top of zone” mean in dnssec-verify?
>
> Some record that should have been at the zone’s apex (name) wasn’t. Either
> you passed the wrong zone name to dnssec-verify or you have put records in
> the wrong place in the zone.

OK, named-checkzone returns "OK" but the dnssec-verify complains about not at top of zone.

Ah, wait, no, I was doing it wrong.

Now both commands return success, but after reloading bind and trying to query localhost for the DNSSEC information it returns nothing.

I then removed "auto-dnssec maintain" and "inline-signing yes" from the zone record in name.conf and now everything is behaving as expected when I query localhost for the DNSSEC info. (I know this is not complete until I update the records at the registrar, but I am not ready to do that).

Which brings up one more question: what sort of maintenance/renewal process do I need to implement, if any? Once the zone is signed I assume that signature expires at some point.

When I edit the conf file, I will have to manually regenerate the sonf.signed file since I had to remove "auto-dnssec maintain", yes?

--
'You know the worst of it?' said Rincewind. 'Oook?' 'I don't even remember walking under a mirror.' --Mort