> On 08 Feb 2021, at 07:24, Matthijs Mekking <matth...@isc.org> wrote:
> Hi,
> On 08-02-2021 12:20, @lbutlr wrote:
>> I feel I am getting close. I got the digest generated for hover.com and 
>> updated the DNS on the test zone, but I am getting errors on verify that I 
>> don't understand.
>> #v+
>> # dnssec-verify -I text -o example.com /etc/namedb/working/example.com.signed
>> Loading zone 'example.com' from file '/etc/namedb/working/example.com.signed'
>> Verifying the zone using the following algorithms:
>> - ECDSAP256SHA256
>> Missing ZSK for algorithm ECDSAP256SHA256
>> Missing NSEC record for blog.example.com
>> Missing NSEC record for wiki.example.com
>> Missing NSEC record for foobar.example.com
>> Missing NSEC record for barfoo.example.com
>> The zone is not fully signed for the following algorithms:
>>  vECDSAP256SHA256
>> .
>> DNSSEC completeness test failed.
>> #v-
>> The missing ZSK is throwing me, and I don't know what to add to my zone 
>> record for NSEC. I am following along (trying) with 
>> https://bind9.readthedocs.io/en/latest/dnssec-guide.html which makes no 
>> mention of this, but shows NSEC showing up in the output of the signed file.
> Use dnssec-verify -z to indicate that the ZSK may be the same key as the KSK.

Thanks, so that is sorted.

> The missing NSEC records are more worrisome.

Oddly, some of the NSEC entries are in the signed zone file (well, I assume 
that is what this means):

RRSIG   NSEC 13 2 3600
NSEC    wiki.example.com. CNAME RRSIG NSEC
RRSIG   NSEC 13 3 3600 (
)

all the subdomains are CNAME

And some other occurrences of NSEC, but not the home and foobar or barfoo.

>> Is there a way to force rndc/bind to recreate the .signed file? If I move it 
>> aside and restart named or rndc reload or rndc reconfig, the signed zone 
>> file is not recreated.
> rndc sign zone

That recreates the .signed.jnl and not the .signed file. No errors are reported.

How you have felt, o men of Athens, at hearing the speeches of my
        accusers, I cannot tell; but I know that their persuasive words
        almost made me forget who I was, such was the effect of them; and
        yet they have hardly spoken a word of truth.
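An added example, not part of the thread: a small Python parser for the dnssec-verify output quoted above, which separates the "Missing ZSK" line (expected when one key signs as both KSK and ZSK, hence the -z advice) from the names that lack NSEC chain coverage, so a verify run can be triaged from a script. The sample output is constructed from the quoted run and the function names are my own.

```python
import re

# Constructed sample: the dnssec-verify output quoted in the thread above
# (the duplicated trailing text in the mail is the client's, not the tool's).
SAMPLE_OUTPUT = """\
Loading zone 'example.com' from file '/etc/namedb/working/example.com.signed'
Verifying the zone using the following algorithms:
- ECDSAP256SHA256
Missing ZSK for algorithm ECDSAP256SHA256
Missing NSEC record for blog.example.com
Missing NSEC record for wiki.example.com
Missing NSEC record for foobar.example.com
Missing NSEC record for barfoo.example.com
The zone is not fully signed for the following algorithms:
 ECDSAP256SHA256
.
DNSSEC completeness test failed.
"""

MISSING_ZSK = re.compile(r"^Missing ZSK for algorithm (\S+)$")
MISSING_NSEC = re.compile(r"^Missing (NSEC3?) record for (\S+)$")


def parse_verify_output(text):
    """Collect the findings dnssec-verify prints into one dict."""
    report = {"missing_zsk": [], "missing_nsec": [], "passed": True}
    for line in text.splitlines():
        line = line.rstrip()
        zsk = MISSING_ZSK.match(line)
        nsec = MISSING_NSEC.match(line)
        if zsk:
            report["missing_zsk"].append(zsk.group(1))
        elif nsec:
            report["missing_nsec"].append(nsec.group(2))
        elif line.endswith("completeness test failed."):
            report["passed"] = False
    return report


def triage(report, single_key=False):
    """Turn findings into actions. single_key=True means the KSK also acts as
    ZSK, so a 'Missing ZSK' finding is expected and -z should be passed."""
    actions = []
    if report["missing_zsk"]:
        if single_key:
            actions.append("rerun dnssec-verify with -z (KSK also acts as ZSK)")
        else:
            actions.append("no ZSK signatures for: " + ", ".join(report["missing_zsk"]))
    if report["missing_nsec"]:
        names = ", ".join(sorted(report["missing_nsec"]))
        actions.append("names without NSEC chain coverage: " + names)
    if not actions and report["passed"]:
        actions.append("zone verified")
    return actions


if __name__ == "__main__":
    for action in triage(parse_verify_output(SAMPLE_OUTPUT), single_key=True):
        print(action)
```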


bind-users mailing list