I am trying to get DNSSEC up and running, but I'm having some difficulties getting it working.
I am running BIND 9.14.2 (on Windows of all things). BIND is working fine and there's have a number of zones in production on these servers. I just cant seem to get my test zone signed for some reason. Unsure why.
Here's what I have done so far. I have created a new zone called test.com. For this I have generated a pair of keys:
The Key Signing Key:
dnssec-keygen -a RSASHA256 -f KSK -K "d:\zonekeys" test.com
And the Zone Signing Key:
dnssec-keygen -a RSASHA256 -K d:\zonekeys\ test.com
They both exist on disk and looks alright.
d:\zonekeys\Ktest.com.+008+44385.key
d:\zonekeys\Ktest.com.+008+44385.private
d:\zonekeys\Ktest.com.+008+47869.key
d:\zonekeys\Ktest.com.+008+47869.private
The zone is configured as such...
zone test.com {
type master;
file "test.com.zone";
key-directory "d:\zonekeys";
auto-dnssec maintain;
inline-signing yes;
};
The zone is working and I can DIG it just fine. It just has no DNSSEC response.
The questions is why? I have ensured that eDNS is enabled. Zone has been updated. BIND restarted, rndc reload and all that. It just acts as if there's no DNSSEC at all.
A test.com.zone.signed file has been generated and exist as a binary file of sorts. I suspect that it is beeing served, but simply doesn't contain any signed data. Should it contain signed data? As I understand "inline-signing" means that it should sign the zone "on the fly" when served.
What am I missing here? Why am I not getting any DNSSEC signed response?
