List:       bind-users
Subject:    Re: ZSKs sign some RRsets but not others
From:       Mark Andrews <marka () isc ! org>
Date:       2015-08-18 22:20:34
Message-ID: 20150818222034.51F69354B261 () rock ! dv ! isc ! org


Nothing wrong here.  The A RRset will be signed with the new key
when it falls due for re-signing as there is an existing RRSIG using
algorithm 8.  The SOA was signed as the DNSKEY was added which
required the SOA to be updated as well.

You can force named to re-sign all the RRsets but there is no need
to do that.

Mark

In message <55D3ABC4.6090402@networktest.com>, David Newman writes:
> A newly minted ZSK signs a domain's SOA but not its A or MX records.
> What basic config step did I miss?
> 
> For the domain 'trikids123.com' I created and installed a new ZSK with a
> key ID of 28053 using these commands:
> 
> dnssec-keygen -a 8 -b 1024 trikids123.com
> chown bind:bind *   # this is bind910 on FreeBSD 10.1
> chmod o-r *
> rndc loadkeys trikids123.com
> 
> No complaints in the log. But then:
> 
> - 'dig +dnssec +multi soa trikids123.com' shows the RRset signed by the
> new ZSK (28053).
> 
> - 'dig +dnssec +multi a trikids123.com' does not show the RRset signed
> by the new ZSK (28053). Same with a query for the MX record.
> 
> The zone's definition in named.conf:
> 
> 	zone "trikids123.com" in {
>  		type master;
>  		file "dynamic/trikids123.com/trikids123.com.db";
> 		allow-query { any; };
> 		allow-transfer { external-xfer; };
> 		notify yes;
> 		key-directory "keys/trikids123.com";
> 		inline-signing yes;
> 		auto-dnssec maintain;
> 	};
> 
> Thanks in advance for troubleshooting clues.
> 
> dn
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>  from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
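
The following is an added example, not part of the original message or of BIND: a way to check the state Mark describes by listing, per RRset, whether it already carries an RRSIG from the new ZSK or only an older signature and when that one expires. It assumes the single-line output of `dig +dnssec +noall +answer` (without `+multi`); key tag 28053 comes from the thread, while key tag 11111, the address, the timestamps and the signature blobs are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the single-line form printed by
# `dig +dnssec +noall +answer` (no +multi). Key tag 28053 is the new ZSK
# from the thread; key tag 11111, the address, the timestamps and the
# signature blobs are made up for illustration.
SAMPLE = """\
trikids123.com. 3600 IN SOA ns1.trikids123.com. hostmaster.trikids123.com. 2015081801 3600 900 604800 3600
trikids123.com. 3600 IN RRSIG SOA 8 2 3600 20150917211500 20150818201500 28053 trikids123.com. c2lnMQ==
trikids123.com. 3600 IN A 192.0.2.10
trikids123.com. 3600 IN RRSIG A 8 2 3600 20150905093000 20150806083000 11111 trikids123.com. c2lnMg==
"""

# RRSIG RDATA order: type covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name, signature.
RRSIG = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<tag>\d+)\s+(?P<signer>\S+)\s")

def signatures(dig_text):
    """Yield one dict per RRSIG record found in dig answer text."""
    for line in dig_text.splitlines():
        m = RRSIG.match(line.strip())
        if m:
            expire = datetime.strptime(m["expire"], "%Y%m%d%H%M%S")
            yield {"owner": m["owner"], "covered": m["covered"],
                   "alg": int(m["alg"]), "tag": int(m["tag"]),
                   "expire": expire.replace(tzinfo=timezone.utc)}

def rollover_status(dig_text, new_tag):
    """Map (owner, type) to 'new' if signed by new_tag, else to the
    expiry of the last older signature seen for that RRset."""
    status = {}
    for sig in signatures(dig_text):
        key = (sig["owner"], sig["covered"])
        if sig["tag"] == new_tag:
            status[key] = "new"
        elif status.get(key) != "new":
            status[key] = sig["expire"]
    return status

if __name__ == "__main__":
    for (owner, rtype), state in sorted(rollover_status(SAMPLE, 28053).items()):
        note = ("signed by new ZSK" if state == "new"
                else f"old signature valid until {state:%Y-%m-%d %H:%M} UTC")
        print(f"{owner} {rtype}: {note}")
```

An RRset that still shows only the older key tag is the normal state described in the reply above; it should show the new tag once its existing signature comes due for re-signing.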