I'm trying to enable DNSSEC on my authoritative DNS BIND machine. So far I've done the following tutorial:
- Generate the KSK and ZSK keys:
  dnssec-keygen -a RSASHA1 -b 1024 -n ZONE zonename
  dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK zonename
- Include the pub key in the zone and sign the zone:
  dnssec-signzone -o zonename -k KSKfile zonefile ZSKfile
- Add the signed zone in place of the old one in named.conf
- Restart BIND
I don't know if I've missed something, but the registrar that supports DNSSEC keeps telling me:
Error Signature DNSKEY entries is not valid.
Error Signature SOA entry is not valid.
Does anyone know how to solve this? Is there any online DNSSEC tool that displays more info about the DNSSEC status?
There are three DNSSEC online checkers that I know of:
What's unclear from your question is exactly what you're asking your registrar to do. If you're hosting the domain on your own machine (which appears to be the case) then all you should be sending your registrar is your DS record, so that they can send it to the appropriate registry.

BTW, did you include both public keys in your zone file before signing it? You only mention one key above in the second bullet point. Apart from that what you've done looks OK.
I feel obligated to answer, as I wrote the tutorial that you are following. :)
Without additional information (the zone name, for example), the error messages that your registrar provided are a bit too generic to provide any clue as to what the actual problem is.
If you provide additional information, I'll see what it looks like from this side...
If you've already solved the problem, I'd be quite interested in what caused the problem.
I manage a list of on-line DNS checking tools, with a special emphasis on DNSSEC.