Hi
I have a problem signing a zone file. DNS works, and the keys have been generated and added to the zone file:
# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.tld
# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.tld
# cat db.example.tld
$TTL 604800
@ SOA ns1.example.tld. admin.example.tld. (
        121020221 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ) ; Negative Cache TTL
; name servers - NS records
        NS ns1.example.tld.
        NS ns2.example.tld.
        MX 10 poczta.example.tld.
;
; name servers - A records
        A 192.168.4.18
ns1 A 192.168.4.18
ns2 A 192.168.4.19
www A 192.168.4.19
poczta A 192.168.4.19
;
;
; LAN A records
host1 A 192.168.100.101
host2 A 192.168.200.102
$INCLUDE Kexample.tld.+007+36525.key
$INCLUDE Kexample.tld.+007+46728.key
When I try to sign it with the command:
# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o example.tld -t db.example.tld
I get this message:
dnssec-signzone: warning: EVP_SignFinal failed (failure)
dnssec-signzone: fatal: dnskey 'example.tld/NSEC3RSASHA1/46728' failed to sign data: failure
Does anyone have an idea how to tackle this?
Regards
Mariusz