[Opendnssec-develop] Re: [OpenDNSSEC] #71: Auditor blocks domain signing entirely
matthijs at NLnetLabs.nl
Wed Jan 6 14:06:04 CET 2010
Rick van Rein wrote:
>> Works for me:
>> I let one zone constantly fail, the others end up in the signed directory
> Are you talking about freshly added domains, or previously existing ones?
I started from scratch. I did not try to add new domains later on.
> I'm trying to think what was different in my case. Could the following
> perhaps be an explanation?
> I may have been adding more domains than I had keys ready. (Not sure how
> that works exactly, we only have howto documentation online.)
> A zone was signed with the last keys available. It had a problem and so
> failed to pass through to the signed state.
> The lack of further keys blocked the additional domains until more keys
> were made available.
Could be. Doesn't the log say why zones failed signing? Could you
provide the logs?
> If that sort of thing can happen, it's an understandable explanation
> to me. Otherwise, I might try adding yet another bunch of domains, with
> an "IN CNAME @" record in the first.
I don't think you can have an @ at the right side of a CNAME, correct me
if I'm wrong.