DNSSEC sign-zone results in fatal failure


You are specifying that the origin is home.db (using -o). Is that actually the name of the zone? It sounded like the name of the zone was rather home.garage.top.

That kind of mismatch would fit the kind of error message you're getting.


As a general suggestion regarding DNSSEC and BIND, however, I would suggest making use of the built-in functionality for zone maintenance rather than calling dnssec-signzone manually (and scheduling that somehow).

See the auto-dnssec maintain and possibly inline-signing yes settings as well as this guide.
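As an added illustration (not code from the answer above or from BIND), the following pre-flight check derives the zone apex from a master-format zone file and compares it with the origin you intend to pass to dnssec-signzone -o; the zone content for home.garage.top is constructed here as an assumed home.db. Passing 'home.db' (the file name) reproduces a "not at top of zone" mismatch, while passing 'home.garage.top' (the zone name) matches.

```python
def zone_apex(zone_text, default_origin=None):
    """Fully-qualified owner of the SOA record in master-format zone text,
    honouring $ORIGIN, the '@' shorthand and owner-name inheritance."""
    origin = default_origin.rstrip('.') + '.' if default_origin else None
    owner = None
    for raw in zone_text.splitlines():
        line = raw.split(';', 1)[0].rstrip()        # strip comments
        if not line.strip():
            continue
        if line.startswith('$ORIGIN'):
            origin = line.split()[1].rstrip('.') + '.'
            continue
        if line.startswith('$'):                    # $TTL, $INCLUDE, ...
            continue
        fields = line.split()
        if not line[0].isspace():                   # otherwise inherited
            owner = fields.pop(0)
        if owner is None:
            raise ValueError('record has no owner name')
        if 'SOA' not in fields:
            continue
        if owner == '@':
            if origin is None:
                raise ValueError('SOA owner is @ but no origin is known')
            return origin
        if owner.endswith('.'):
            return owner
        if origin is None:
            raise ValueError(f'relative owner {owner!r} without an origin')
        return owner + '.' + origin
    raise ValueError('no SOA record found')

def check_origin(zone_text, origin, default_origin=None):
    """(ok, message): is `origin`, as given to dnssec-signzone -o, the apex?"""
    apex = zone_apex(zone_text, default_origin)
    wanted = origin.rstrip('.') + '.'
    if apex.lower() == wanted.lower():
        return True, f'{apex} is at the top of the zone'
    return False, f'{apex}: not at top of zone (origin given as {wanted})'

# Constructed zone file for home.garage.top (assumed content of home.db).
HOME_DB = """\
$TTL 3600
$ORIGIN home.garage.top.
@       IN SOA ns1 hostmaster.home.garage.top. (
            2022091801 ; serial
            3600 900 1209600 300 )
ns1     IN A   192.0.2.10
"""
```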


Author: Joakim Hellström

Student in the art of Computer Science, networking and security.

Updated on September 18, 2022

Comments

  • Joakim Hellström almost 2 years

    I have a working DNS in a VM-env for testing and learning purposes. It's a complete server from root-domain and a couple of subdomains.

    I've added

    dnssec-enable yes;
    

    into named.conf, and also created the ZSK and KSK keys and appended them to one of my subdomains.

    I'm trying to take the easy path and only sign one domain. Let's say I have

    home.garage.top
    

    as my top- and subdomains, and I want to sign home, and only home. I use

    dnssec-signzone -o home.db -N increment -k Khome.garage.top.+005+46921 home.db Khome.garage.top.+005+36051
    

    This should produce a home.db.signed or home.signed but it does not. All I get is

    dnssec-signzone: error: dns_master_load: home.db:10: home.garage.top: not at top of zone
    dnssec-signzone: fatal: failed loading zone from 'home.db': not at top of zone
    

    What am I doing wrong?

  • Joakim Hellström over 9 years
    Thanks. That got rid of the "top of zone" message. Now it seems like the key file (ZSK) cannot be found. I'll try to handle that on my own. Thanks a lot.