I have a working DNS in a VM-env for testing and learning purposes. It's a complete server from root-domain and a couple of subdomains.
I've added
dnssec-enable yes;
to named.conf, and also created the ZSK and KSK keys and appended them to one of my subdomains.
I'm trying to take the easy path and only sign one domain. Let's say I have
home.garage.top
as my top- and subdomains, and I want to sign home, and only home. I use
dnssec-signzone -o home.db -N increment -k Khome.garage.top.+005+46921 home.db Khome.garage.top.+005+36051
This should produce a home.db.signed or home.signed, but it does not. All I get is
dnssec-signzone: error: dns_master_load: home.db:10: home.garage.top: not at top of zone
dnssec-signzone: fatal: failed loading zone from 'home.db': not at top of zone
What am I doing wrong?