Trying to get DNSSEC working for a zone.
Software: BIND 9.4.2-P2, OS Ubuntu 8.04
I tried to sign the zone with ZoneSigner and publish it on dlv.isc.org, but it complains that the key is missing. The key shows up when using dig dnskey. The domain is kristaps.lv
The exact error message:
3.138:DEBUG RUN GET_ADDRESSES: Sending a recursive query for mazais.kristaps.lv A
3.532:DEBUG RUN GET_ADDRESSES: Got response for recursive query mazais.kristaps.lv A NOERROR
3.533:DEBUG RUN GET_ADDRESSES: Caching address for mazais.kristaps.lv => 92.240.80.54
3.725:DEBUG RUN: Enqueued query 7 to 92.240.80.54 for kristaps.lv DNSKEY
3.725:DEBUG RUN: Got activity for 2, from 92.240.70.1
3.725:DEBUG RUN: Got referral
3.726:DEBUG RUN: kristaps.lv. 1800 IN NS mazais.kristaps.lv
3.727:DEBUG RUN: Already have 92.240.80.54 queued
3.727:DEBUG RUN: Got activity for 3, from 194.0.1.24
3.727:DEBUG RUN: Got referral
3.728:DEBUG RUN: kristaps.lv. 1800 IN NS mazais.kristaps.lv
3.729:DEBUG RUN: Already have 92.240.80.54 queued
3.729:DEBUG RUN: Got activity for 4, from 83.171.8.137
3.729:DEBUG RUN: Got referral
3.730:DEBUG RUN: kristaps.lv. 1800 IN NS mazais.kristaps.lv
3.730:DEBUG RUN: Already have 92.240.80.54 queued
3.730:DEBUG RUN: Got activity for 5, from 193.0.12.121
3.730:DEBUG RUN: Got referral
3.731:DEBUG RUN: kristaps.lv. 1800 IN NS mazais.kristaps.lv
3.732:DEBUG RUN: Already have 92.240.80.54 queued
3.732:DEBUG RUN: Got activity for 6, from 192.36.125.2
3.732:DEBUG RUN: Got referral
3.733:DEBUG RUN: kristaps.lv. 1800 IN NS mazais.kristaps.lv
3.733:DEBUG RUN: Already have 92.240.80.54 queued
4.223:DEBUG RUN: Got activity for 7, from 92.240.80.54
4.223:DEBUG RUN: Found answer from 92.240.80.54
4.227:SUCCESS 92.240.80.54 answered DNSKEY query with rcode NOERROR
4.227:INFO Total answers: 1
4.228:SUCCESS All DNSKEY responses are identical.
4.236:DEBUG VERIFY-DNSKEY: Checking tag=32656 flags=257 alg=RSASHA1 AwEAAcAo...Qbb+6aKYw8=
4.236:DEBUG VERIFY-DNSKEY: Accepted key.
4.237:DEBUG VERIFY-DNSKEY: Checking tag=58348 flags=257 alg=RSASHA1 AwEAAZbV...HzR2UTmRw0=
4.237:DEBUG VERIFY-DNSKEY: Ignoring key.
4.237:DEBUG VERIFY-DNSKEY: Checking tag=41748 flags=256 alg=RSASHA1 AwEAAeJC...u4rnFt63+RV
4.238:DEBUG VERIFY-DNSKEY: Ignoring key.
4.238:DEBUG VERIFY-DNSKEY: Checking tag=64185 flags=256 alg=RSASHA1 AwEAAZ/S...x8pRgin/Vq5
4.238:DEBUG VERIFY-DNSKEY: Ignoring key.
4.238:DEBUG VERIFY-DNSKEY: Checking tag=21258 flags=256 alg=RSASHA1 AwEAAdlD...3Nv3HgYux4D
4.238:DEBUG VERIFY-DNSKEY: Ignoring key.
4.238:INFO VERIFY-DNSKEY: 5 DNSKEYs found.
4.239:INFO VERIFY-DNSKEY: 1 keys found after filtering.
4.239:DEBUG VERIFY-DNSKEY: Using keys:
4.239:DEBUG VERIFY-DNSKEY: tag=32656 flags=257 alg=RSASHA1 AwEAAcAo...Qbb+6aKYw8=
4.239:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
4.242:FAILURE DNSKEY signature verification failed: Signing key not found
It looks like you tried to add the KSK with id = 32656 to the DLV, but you signed the zone only with KSK 58348.
You need to either add the correct key to the DLV (id = 58348) or use id = 32656 to sign the DNSKEY RRset.
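The mismatch described in the answer can be checked before submitting a key to a trust anchor. The following is an added example, not part of the original post and not the DLV checker's code: it computes DNSKEY key tags (RFC 4034 Appendix B) from a dig-style answer and confirms that the key you intend to register has an RRSIG over the DNSKEY RRset. The zone `example.`, the key material and the RRSIG line are constructed, and the check compares key tags only; it does not verify the signature cryptographically.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def parse_answer(text):
    """Return ({key tag: flags} for DNSKEYs, {signer tags} of RRSIGs covering DNSKEY)."""
    keys, signers = {}, set()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[2] != "IN":
            continue
        if f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            keys[key_tag(flags, proto, alg, "".join(f[7:]))] = flags
        elif f[3] == "RRSIG" and f[4] == "DNSKEY" and len(f) > 10:
            signers.add(int(f[10]))  # key tag field of the RRSIG
    return keys, signers

def check_anchor(text, anchored_tag):
    """Mirror the checker's steps: filter to the anchored key, then look for its RRSIG."""
    keys, signers = parse_answer(text)
    if anchored_tag not in keys:
        return "anchored key is not published in the DNSKEY RRset"
    if not keys[anchored_tag] & 1:  # SEP bit: 257 = zone key (256) + SEP (1)
        return "anchored key has no SEP flag, so it is not a KSK"
    if anchored_tag not in signers:
        return f"Signing key not found: DNSKEY RRset is signed only by {sorted(signers)}"
    return "ok"

def _dnskey(flags, seed):  # constructed key material, not a real RSA key
    return f"example. 1800 IN DNSKEY {flags} 3 5 {base64.b64encode(seed).decode()}"

def _rrsig(tag):  # constructed RRSIG line; the signature field is a dummy
    return f"example. 1800 IN RRSIG DNSKEY 5 1 1800 20300101000000 20290101000000 {tag} example. c2ln"

# Constructed scenario matching the post: two KSKs published, only one signs.
REGISTERED = key_tag(257, 3, 5, base64.b64encode(b"constructed-ksk-A").decode())
SIGNING = key_tag(257, 3, 5, base64.b64encode(b"constructed-ksk-B").decode())
SAMPLE = "\n".join([_dnskey(257, b"constructed-ksk-A"), _dnskey(257, b"constructed-ksk-B"),
                    _dnskey(256, b"constructed-zsk-C"), _rrsig(SIGNING)])

if __name__ == "__main__":
    print(check_anchor(SAMPLE, REGISTERED))  # the failure from the log
    print(check_anchor(SAMPLE, SIGNING))     # the key that should be registered
```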