Hi Peter

> Run from the primary what do the following commands return
> dig @127.0.0.1 example.com +dnssec
> dig @127.0.0.1 example.com soa +dnssec

No dnssec related entries.

I revisited https://kb.isc.org/docs/dnssec-key-and-signing-policy and probably got confused by the statement that only adding:

dnssec-policy default;

would get an unsigned zone signed. Hey wait! No dnssec-keygen to create the keys? The default policy specifies what kind of keys to use etc. So maybe I went too far and created keys which were not necessary? Would they be created on the fly by what is specified in the policy?

So I went ahead, started over and deleted the keys I had manually created with dnssec-keygen for that zone in /etc/bind/keys, which worked for dynamic updates. Froze / sync -clean zonefile, deleted .signed files. Incremented serial in the plain unsigned file.

rndc reconfig
rndc thaw

zone (unsigned): loaded serial 2007126014
(signed): could not get zone keys for secure dynamic update
(signed): serial 2007126014 (unsigned 2007126014)
(signed): sending notifies (serial 2007126014)

Oh well, it needs the key files - at least for dynamic updates to work. But why is it telling (signed)? Were the keys autocreated? Where? Can't find them in /etc/bind/keys nor in the debian /var/cache/bind directory where the zonefiles reside.

rndc signing -list still states "No signing records found"

I guess I'm missing some small crucial detail.

-- 
Kind regards
-Benoît Panizzon-
working from home and reachable as usual
-- 
I m p r o W a r e   A G  -  Head of Commerce Customers
______________________________________________________
Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Switzerland                     Web  http://www.imp.ch
______________________________________________________
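The check Peter asks for above (querying the primary with +dnssec and looking for DNSSEC records) can be scripted so it gives a yes/no answer instead of eyeballing dig output. The following is an added example, not code from the list thread or from ISC: it classifies dig output as signed or unsigned by counting RRSIG records in the ANSWER SECTION, which an authoritative server for a signed zone returns alongside each RRset. The two dig transcripts embedded below are constructed samples (example.com, a placeholder RRSIG body); on a real system you would pipe the live dig output into zone_is_signed instead.

```shell
#!/bin/sh
# Added example (not from the list post or from BIND): decide whether a zone is
# signed from the output of 'dig @127.0.0.1 <zone> soa +dnssec'. An authoritative
# answer for a signed zone carries an RRSIG for every RRset it returns; an
# unsigned zone returns the SOA alone.

# Constructed sample: answer section for an UNSIGNED zone (SOA only).
SAMPLE_UNSIGNED=';; ANSWER SECTION:
example.com.		3600	IN	SOA	ns1.example.com. hostmaster.example.com. 2007126014 7200 3600 1209600 3600

;; Query time: 0 msec'

# Constructed sample: the same SOA for a SIGNED zone, with its covering RRSIG
# (key tag, dates and signature data are placeholders, not real values).
SAMPLE_SIGNED=';; ANSWER SECTION:
example.com.		3600	IN	SOA	ns1.example.com. hostmaster.example.com. 2007126014 7200 3600 1209600 3600
example.com.		3600	IN	RRSIG	SOA 13 2 3600 20240101000000 20231201000000 12345 example.com. PLACEHOLDERSIGNATUREDATA==

;; Query time: 0 msec'

# rrsig_count: read dig output on stdin, print how many RRSIG records appear in
# the ANSWER SECTION (other sections are ignored).
rrsig_count() {
    awk '
        /^;; ANSWER SECTION:/      { in_answer = 1; next }   # start of the section we care about
        /^;;/                      { in_answer = 0 }         # any other ";;" header ends it
        in_answer && $4 == "RRSIG" { n++ }                   # field 4 is the RR type in dig output
        END                        { print n + 0 }           # print 0 when nothing matched
    '
}

# zone_is_signed: exit status 0 if the dig output on stdin contains at least one
# RRSIG in the answer section, 1 otherwise.
zone_is_signed() {
    [ "$(rrsig_count)" -gt 0 ]
}

# Against a live primary the call would be:
#   dig @127.0.0.1 example.com soa +dnssec | zone_is_signed && echo signed || echo unsigned
# Here we run it over the two constructed samples instead.
printf '%s\n' "$SAMPLE_UNSIGNED" | zone_is_signed && echo "unsigned sample: signed" || echo "unsigned sample: unsigned"
printf '%s\n' "$SAMPLE_SIGNED"   | zone_is_signed && echo "signed sample: signed"   || echo "signed sample: unsigned"
```

If the live query reports unsigned while named logs "(signed)", the place to look for automatically generated keys is the zone's key-directory (the working directory of named unless key-directory is set), where BIND writes them as K&lt;zone&gt;+&lt;algorithm&gt;+&lt;keytag&gt;.key and .private; with dnssec-policy in use, rndc dnssec -status &lt;zone&gt; reports the key states, whereas rndc signing -list only covers the older auto-dnssec / NSEC3 signing records.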

