DNSSEC signing problem

Nickske00

Verified User
Joined
Nov 30, 2015
Messages
52
Hi all,

Today I installed a new Debian 11 server. When moving some domains I ran into some problems.

Problem 1
dnssec-signzone: fatal: The -r options has been deprecated.

So I edited the dnssec.sh file to remove the -r option and then the error was gone. Please update the script to not use this option when the OS is Debian 11.

Problem 2
It looks like not all the DS/DLV records are generated when signing a zone. I can't find the error because when I use the dnssec.sh sign domain.com from the CLI there is no error displayed...
Attached files:
dnssec-ok.png => Screenshot from another server, all DS/DLV records present.
dnssec-problem.png => Only one DS record generated for some reason...
 


Nickske00

Verified User
Joined
Nov 30, 2015
Messages
52
Okay, problem 2 is solved; it looks like those records are no longer needed on modern systems, maybe that is why the signtool is no longer generating them. I signed a test domain today and everything is working again (according to https://dnssec-analyzer.verisignlabs.com).

Are keys regenerated when restoring a user from backup? Maybe that's why it was erroring yesterday after restore...

So the only thing left for the DA developers to do is removing the -r option for Debian 11. :)