
I have a working DNS in a VM-env for testing and learning purposes. It's a complete server from root-domain and a couple of subdomains.

I've added

dnssec-enable yes;

into named.conf, and also created the ZSK and KSK keys and appended them to one of my subdomains.

I'm trying to take the easy path and only sign one domain. Let's say I have

home.garage.top

as my top- and subdomains, and I want to sign home, and only home. I use

dnssec-signzone -o home.db -N increment -k Khome.garage.top.+005+46921 home.db Khome.garage.top.+005+36051

This should produce a home.db.signed or home.signed but it does not. All I get is

dnssec-signzone: error: dns_master_load: home.db:10: home.garage.top: not at top of zone
dnssec-signzone: fatal: failed loading zone from 'home.db': not at top of zone

What am I doing wrong?


You are specifying that the origin is home.db (using -o). Is that actually the name of the zone? It sounded like the name of the zone was rather home.garage.top.

That kind of mismatch would fit the kind of error message you're getting.


As a general suggestion regarding DNSSEC and BIND, however, I would suggest making use of the built-in functionality for zone maintenance rather than calling dnssec-signzone manually (and scheduling that somehow).

See the auto-dnssec maintain and possibly inline-signing yes settings as well as this guide.

Håkan Lindqvist
  • Thanks. That got rid of the "top of zone" message. Now it seems like the key file (ZSK) cannot be found. I'll try to handle that on my own. Thanks a lot. – Joakim Hellström Dec 28 '14 at 14:36
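As an added illustration of the two problems above (the -o argument not matching the zone apex, and the key files not being found), here is a small pre-flight check for the dnssec-signzone call. It is example code written for this page, not anything from the asker or the answerer; the zone file is constructed here, and the key names are the ones quoted in the question.

```shell
#!/bin/sh
# Constructed zone file for home.garage.top (stand-in for the asker's home.db).
ZONEFILE=$(mktemp)
trap 'rm -f "$ZONEFILE"' EXIT
cat > "$ZONEFILE" <<'EOF'
$TTL 3600
home.garage.top.     IN SOA ns1.home.garage.top. hostmaster.home.garage.top. (
        2014122801 3600 1800 1209600 3600 )
home.garage.top.     IN NS  ns1.home.garage.top.
ns1.home.garage.top. IN A   192.0.2.1
EOF

# zone_origin FILE: print the zone apex, i.e. the owner name of the SOA record
# (honouring $ORIGIN and an "@" owner). This is the name -o has to be given.
zone_origin() {
    awk '$1 == "$ORIGIN" { origin = $2; next }
         /[ \t]SOA[ \t]/ { owner = ($1 == "@") ? origin : $1
                            sub(/\.$/, "", owner); print owner; exit }' "$1"
}

# check_origin FILE ORIGIN: true only if ORIGIN (trailing dot optional) is the
# apex of FILE. "-o home.db" fails here: that is the "not at top of zone" mismatch.
check_origin() {
    [ "$(zone_origin "$1")" = "$(printf '%s' "$2" | sed 's/\.$//')" ]
}

# check_keys DIR KEY...: dnssec-signzone needs both KEY.key and KEY.private for
# every key, and searches the current directory unless -K DIR is given.
check_keys() {
    dir=$1; shift
    for k in "$@"; do
        [ -f "$dir/$k.key" ] && [ -f "$dir/$k.private" ] || return 1
    done
}

# sign_cmd FILE KSK ZSK: the corrected command, with -o taken from the file itself.
sign_cmd() {
    printf 'dnssec-signzone -o %s -N increment -k %s %s %s\n' \
        "$(zone_origin "$1")" "$2" "$1" "$3"
}

sign_cmd "$ZONEFILE" Khome.garage.top.+005+46921 Khome.garage.top.+005+36051
```

Run check_origin and check_keys before signing; when both pass, the command printed by sign_cmd is the one to use (add -K if the key files live outside the current directory).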