February 27th, 2012, 05:50 PM
BIND DNS domain key corrupt, please help
I am currently running BIND 9.8 on Windows 2008 server in a virtual environment online. I administer DNS through a Plesk 10.4 interface, which I believe carries out a form of dynamic update to the BIND DNS server itself. I am running it as an authoritative-only domain name server.
My supplier signed my zone for me and all was fine until I found that the Plesk panel would not allow me to create an SPF record and the TXT equivalent; in fact, I found all it would do was create a TXT version of the SPF entry in the zone.
Anyway, long story short, I edited the zone file in the root of the BIND install and now my zone domain key sig is being reported as invalid. So my question is: how do I fix this? Is there a command to simply resign the zone, or do I need to carry out the entire zone signing process again from BIND?
February 27th, 2012, 06:24 PM
You need to resign the zone after any changes. You don't need to update or change the DS records unless the keys you use to sign with change. I'm not too familiar with Windows, but BIND should have the command "nsupdate". This will allow you to modify the zone and it will resign it automatically. It can save you a lot of time. I usually deal with small zones, so I prefer to modify the db directly and just resign it. The nsupdate tool makes me nervous. Even though you make successful changes, it doesn't show them to you until you reload anyway.
February 29th, 2012, 12:10 PM
Thanks for your response CaptPikel, I appreciate it.
It turned out to be something else altogether that I was getting confused about. It was the domain-key that was corrupt, not the DNSSEC key. I administer SmarterMail on Server 2008 using a Plesk panel 10.4, and it seems that the control for the email server to sign email on the Plesk panel was conflicting with the control to sign email in SmarterMail. It appears that when you tick "sign all outgoing email" in Plesk it tries to use a certificate that must be issued by Plesk and not the certificate issued by SmarterMail itself for the job, so it was obviously failing as the keys didn't match. As soon as I turned off "sign all outgoing email" on the Plesk panel it started using the correct certificate and worked.
Not a DNS issue at all, I know, but I don't like to just leave a thread open and unfinished, and I hope this info may help someone else.
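A check for the kind of key mismatch described in the last post, added here as an example and not taken from the thread or from Plesk or SmarterMail: it parses a DKIM (DomainKeys) selector TXT record and compares the published public key with the key the mail server actually signs with. The record strings and key bytes are constructed placeholders, and the function names are chosen for this example.

```python
import base64
import hashlib

# Constructed sample values: not real keys, just two distinct byte strings.
_KEY_A = base64.b64encode(b"constructed-public-key-material-A").decode()
_KEY_B = base64.b64encode(b"constructed-public-key-material-B").decode()
SIGNER_KEY_OK = _KEY_A       # key the mail server really signs with
SIGNER_KEY_OTHER = _KEY_B    # key a second, conflicting signer would use
# Long keys are published as several quoted strings inside one TXT RR.
PUBLISHED_TXT = ["v=DKIM1; k=rsa; p=" + _KEY_A[:20], _KEY_A[20:]]


def parse_dkim_record(txt):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2).
    Whitespace around tags and values is ignored; the base64 in p= may
    contain folding whitespace, which is removed before decoding."""
    tags = {}
    for field in txt.split(";"):
        if not field.strip():
            continue                     # trailing ';' or empty field
        if "=" not in field:
            raise ValueError(f"malformed DKIM tag: {field!r}")
        name, value = field.split("=", 1)
        name, value = name.strip(), value.strip()
        if name == "p":
            value = "".join(value.split())
        tags[name] = value
    return tags


def key_fingerprint(b64_key):
    """SHA-256 over the decoded key bytes, so keys are compared by content."""
    return hashlib.sha256(base64.b64decode(b64_key, validate=True)).hexdigest()


def check_selector(txt_strings, signer_pubkey_b64):
    """Compare the published selector record with the signer's public key.
    Returns 'ok', 'bad-version', 'no-key', 'revoked' or 'mismatch'."""
    tags = parse_dkim_record("".join(txt_strings))  # TXT strings join with no separator
    if tags.get("v", "DKIM1") != "DKIM1":
        return "bad-version"
    if "p" not in tags:
        return "no-key"
    if tags["p"] == "":
        return "revoked"                 # an empty p= tag means the key is revoked
    if key_fingerprint(tags["p"]) != key_fingerprint(signer_pubkey_b64):
        return "mismatch"                # the situation described in the thread
    return "ok"


if __name__ == "__main__":
    print(check_selector(PUBLISHED_TXT, SIGNER_KEY_OK))     # ok
    print(check_selector(PUBLISHED_TXT, SIGNER_KEY_OTHER))  # mismatch
```

To run it against a live selector, replace PUBLISHED_TXT with the TXT strings returned for `<selector>._domainkey.<domain>` and SIGNER_KEY_OK with the public key exported from the mail server's DKIM configuration.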