$TTL 86400
$ORIGIN yoda.domain2.com.
@   1D    IN SOA yoda.domain2.com.  admin.domain.com. (
                       2015021601         ; Serial yyyymmddnn
                       3h                ; Refresh After 3 hours
                       1h                ; Retry Retry after 1 hour
                       1w                ; Expire after 1 week 1w
                       1h)             ; Minimum negative caching of 1 hour


                               IN NS   yoda.domain2.com.
                               IN NS   r2d2.domain2.com.
domain.com.               IN TXT  v=spf1 mx a:r2d2.domain2.com ~all
domain.com.               MX 0    r2d2.domain2.com.
domain.com.               IN A    108.61.175.20
www.domain.com.           IN A    108.61.175.20
mail.domain.com.          IN A    107.191.60.48
imap.domain.com.          IN A    107.191.60.48
pop.domain.com.           IN A    107.191.60.48
smtp.domain.com.          IN A    107.191.60.48
yoda.domain.com.          IN A    108.61.190.64
r2d2.domain.com.          IN A    107.191.60.48
vader.domain.com          IN A    108.61.175.20
r2d2.domain.com.          IN AAAA 2001:19f0:7000:8945::64
yoda.domain.com.          IN AAAA 2001:19f0:6c00:8141::64

$include /usr/local/etc/namedb/Kdomain.com.zsk.key ; ZSK
$include /usr/local/etc/namedb/Kdomain.com.ksk.key ; KSK
mine

1 Answer

The SOA record is at yoda.ex-mailer.com ($ORIGIN yoda.ex-mailer.com. redefines the origin to that).

However, the rest of the zone file seems to contain nyctelecomm.com. records. Also, you specify the initial origin to dnssec-signzone as nyctelecomm.com.

This seems to be a mismatch which will lead to this kind of error. (The SOA and NS records are supposed to be at the zone apex.)


While the problem with this zone file really isn't DNSSEC related per se, you may want to look into the auto-dnssec maintain functionality of modern BIND versions as an alternative to manually signing with dnssec-signzone.

Håkan Lindqvist
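The origin mismatch this answer describes can be caught before dnssec-signzone is run. The following is an added example, not part of the original answer: it resolves every owner name against the current $ORIGIN and reports records that land outside the zone, plus a missing SOA or NS at the apex. The example.com / example.net sample zone and the function names are assumptions made for illustration.

```python
import re
TYPES = {"SOA", "NS", "A", "AAAA", "MX", "TXT", "CNAME"}
TTL_OR_CLASS = re.compile(r"^(IN|\d+[smhdw]?)$", re.I)

# Constructed sample zone (not the poster's data), same layout as the zone above.
SAMPLE = """\
$TTL 86400
$ORIGIN ns1.example.net.
@   1D  IN SOA ns1.example.net. admin.example.com. (
            2015021601 3h 1h 1w 1h )
        IN NS  ns1.example.net.
example.com.      IN A  192.0.2.10
host.example.com  IN A  192.0.2.11
"""

def absolute(name, origin):
    """Resolve an owner name against the current origin (RFC 1035, section 5.1)."""
    if name == "@":
        return origin
    return (name if name.endswith(".") else f"{name}.{origin}").lower()

def owners(text, origin):
    """Yield (owner, type) per record; lines continuing a ( ) group are skipped."""
    last, depth = origin, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]  # simplification: ';' inside quotes not handled
        if not line.strip():
            continue
        inside, depth = depth > 0, depth + line.count("(") - line.count(")")
        fields = line.split()
        if inside or fields[0].upper() in ("$TTL", "$INCLUDE"):
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = absolute(fields[1], origin)
            continue
        if not raw[0].isspace():  # a blank owner field reuses the previous owner
            last = absolute(fields.pop(0), origin)
        while fields and TTL_OR_CLASS.match(fields[0]):
            fields.pop(0)
        if fields and fields[0].upper() in TYPES:
            yield last, fields[0].upper()

def apex_problems(text, zone_name):
    zone = zone_name.lower().rstrip(".") + "."  # name the zone is loaded/signed as
    found = list(owners(text, zone))
    out = [f"{t} at {o}: outside zone {zone}" for o, t in found
           if o != zone and not o.endswith("." + zone)]
    out += [f"no {t} record at apex {zone}" for t in ("SOA", "NS")
            if (zone, t) not in found]
    return out
```

Calling `apex_problems(SAMPLE, "example.com")` reports the SOA and NS under ns1.example.net. and the owner name written without a trailing dot; BIND's own `named-checkzone` performs the authoritative version of this check.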