Nothing wrong here. The A RRset will be signed with the new key
when it falls due for re-signing as there is a existing RRSIG using
algorithm 8. The SOA was signed as the DNSKEY was added which
required the SOA to be updated as well.
You can force named to re-sign all the RRsets but there is no need
to do that.
Mark
In message <55d3abc4.6090...@networktest.com>, David Newman writes:
> A newly minted ZSK signs a domain's SOA but not its A or MX records.
> What basic config step did I miss?
>
> For the domain 'trikids123.com' I created and installed a new ZSK with a
> key ID of 28053 using these commands:
>
> dnssec-keygen -a 8 -b 1024 trikids123.com
> chown bind:bind * # this is bind910 on FreeBSD 10.1
> chmod o-r *
> rndc loadkeys trikids123.com
>
> No complaints in the log. But then:
>
> - 'dig +dnssec +multi soa trikids123.com' shows the RRset signed by the
> new ZSK (28053).
>
> - 'dig +dnssec +multi a trikids123.com' does not show the RRset signed
> by the new ZSK (28053). Same with a query for the MX record.
>
> The zone's definition in named.conf:
>
> zone "trikids123.com" in {
> type master;
> file "dynamic/trikids123.com/trikids123.com.db";
> allow-query { any; };
> allow-transfer { external-xfer; };
> notify yes;
> key-directory "keys/trikids123.com";
> inline-signing yes;
> auto-dnssec maintain;
> };
>
> Thanks in advance for troubleshooting clues.
>
> dn
>
>
>
>
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
