Huh,
maybe I've found an error - I copied the unsigned zone to Knot (but named
had signed it before and propagated it as a .signed zone). But Knot signed
the unsigned zone and propagated it as Knot's signed zone, which has a different
lifetime - SOA record. See "http://dnsviz.net/d/fnhk.cz/UzKZgg/dnssec/".
As I can see, there are two signatures of SOA records. One "older", that was
signed by BIND on Monday, that is somewhere in the DNS cache.
The second, "newer" SOA record is Knot's signing from today.
So I think that the problem disappears after the record's lifetime. Is it
right?
But how to prevent this "double" record problem? Or should I have used
BIND's signed zone for Knot?
Thanks and best regards
Josef Karliak.
Hi there,
I migrated our primary DNS from BIND to Knot. I ran some tests with
nic.cz's dnscheck, but there is an error:
DNSSEC signature RRSIG(fnhk.cz/IN/SOA/64431) fails to validate the RR set:
key 1: keytag does not match key 2:RSA Verification failed
Link to test:
http://dnscheck.labs.nic.cz/?time=1395821962&id=102810&view=advance…
Knot doesn't complain about anything in the system log, the fnhk.cz zone is
successfully signed.
What did I miss?
Thanks and best regards
J.Karliak.
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
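The dnscheck error quoted above ("keytag does not match") and the reply's hypothesis about an old BIND signature still sitting next to Knot's new one both come down to the same check: does every RRSIG's key tag, algorithm and signer name point at a DNSKEY that the zone currently publishes, and is the signature still inside its validity window? The script below is an added example written for this thread; it is not code from the original posts, from Knot or from BIND. It parses DNSKEY and RRSIG records in dig presentation format (so real `dig +dnssec SOA fnhk.cz` output from each authoritative server and from a validating resolver can be pasted in), computes key tags per RFC 4034 Appendix B, and reports which signatures a validator cannot match to a key. The sample records are constructed: the two DNSKEYs use tiny placeholder public keys so the key-tag arithmetic can be followed by hand (real RSA keys are hundreds of bytes), the key tag 64431 is taken from the dnscheck report, and the timestamps and signature blobs are made up.

```python
"""Cross-check RRSIG key tags against a zone's DNSKEY RRset (RFC 4034 Appendix B)."""
import base64
from datetime import datetime, timezone

# Constructed sample data, not real fnhk.cz records. The base64 "public keys"
# are deliberately tiny placeholders (a real RSA key is hundreds of bytes).
DNSKEY_RRSET = [
    "fnhk.cz. 3600 IN DNSKEY 257 3 8 AQAB",  # constructed KSK, key tag 1545
    "fnhk.cz. 3600 IN DNSKEY 256 3 8 AQAC",  # constructed ZSK, key tag 1800
]

# Constructed RRSIGs over the SOA: the first carries the key tag that dnscheck
# reported (64431, a key that is no longer in the DNSKEY RRset), the second was
# produced by the ZSK above. Dates and signature blobs are dummies.
RRSIG_SOA = [
    "fnhk.cz. 3600 IN RRSIG SOA 8 2 3600 20140407000000 20140324000000 64431 fnhk.cz. c3RhbGU=",
    "fnhk.cz. 3600 IN RRSIG SOA 8 2 3600 20140409000000 20140326000000 1800 fnhk.cz. ZnJlc2g=",
]


def dnskey_key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag over the wire-format DNSKEY RDATA (RFC 4034 Appendix B).

    Even-indexed bytes are taken as the high byte of a 16-bit word, odd-indexed
    bytes as the low byte; the carry above 16 bits is folded back in once.
    """
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """owner ttl class DNSKEY flags protocol algorithm key..."""
    f = line.split()
    flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
    key = "".join(f[7:])  # dig may wrap the key over several whitespace-separated chunks
    return {"owner": f[0].lower(), "flags": flags, "algorithm": alg,
            "key_tag": dnskey_key_tag(flags, proto, alg, key)}


def parse_rrsig(line):
    """owner ttl class RRSIG covered alg labels origttl expiration inception keytag signer sig..."""
    f = line.split()

    def ts(s):
        return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

    return {"owner": f[0].lower(), "covers": f[4], "algorithm": int(f[5]),
            "expiration": ts(f[8]), "inception": ts(f[9]),
            "key_tag": int(f[10]), "signer": f[11].lower()}


def audit_rrsigs(dnskey_lines, rrsig_lines, now):
    """One (key_tag, verdict, expiration) tuple per RRSIG.

    A validator looks up the DNSKEY by signer name, key tag and algorithm. If
    nothing matches, the signature can never verify, whatever the key material.
    """
    published = {(k["owner"], k["key_tag"], k["algorithm"]) for k in map(parse_dnskey, dnskey_lines)}
    verdicts = []
    for sig in map(parse_rrsig, rrsig_lines):
        if (sig["signer"], sig["key_tag"], sig["algorithm"]) not in published:
            status = "no DNSKEY with this key tag/algorithm at the signer"
        elif not (sig["inception"] <= now <= sig["expiration"]):
            status = "outside validity window"
        else:
            status = "ok"
        verdicts.append((sig["key_tag"], status, sig["expiration"]))
    return verdicts


def unmatched_key_tags(dnskey_lines, rrsig_lines, now):
    """Key tags of RRSIGs a validator cannot use right now."""
    return sorted({tag for tag, status, _ in audit_rrsigs(dnskey_lines, rrsig_lines, now) if status != "ok"})


if __name__ == "__main__":
    # "now" is constructed to fall between the two sample inception dates.
    now = datetime(2014, 3, 26, 8, 0, tzinfo=timezone.utc)
    for tag, status, exp in audit_rrsigs(DNSKEY_RRSET, RRSIG_SOA, now):
        print(f"RRSIG key tag {tag:5d}: {status} (expires {exp:%Y-%m-%d %H:%M} UTC)")
```

Run against real data, feed the DNSKEY lines from the new primary and the RRSIG lines from whichever server or resolver returned the failing answer. A signature flagged "no DNSKEY with this key tag/algorithm" is one whose key is no longer published at the apex, which is exactly what a stale cached RRSIG from the previous signer looks like; the expiration column shows how long such a signature would have been considered valid if the key were still there. Note that key tags are not unique (two keys can share one), so a tag match is necessary but not sufficient for validation; the script only finds the cases that can never verify.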