I had a DNSSEC expiration and, after redoing everything, I get the following error in the Verisign debugger: No RRSIG found
These are the exact steps I use to produce the key and the signatures. What step did I miss?
Steps:
emailer1 opendkim # dnssec-keygen -f KSK -r /dev/urandom -a RSASHA256 -b 2048 -n ZONE nyctelecomm.com
Generating key pair...............+++ ...................+++
Knyctelecomm.com.+008+63409
emailer1 opendkim # dnssec-keygen -r /dev/urandom -a RSASHA256 -b 2048 -n ZONE nyctelecomm.com
Generating key pair............+++ ...............+++
Knyctelecomm.com.+008+30369
emailer1 opendkim # ls
keys nyctelecomm.com.external
KeyTable old
Knyctelecomm.com.+008+30369.key opendkim.conf
Knyctelecomm.com.+008+30369.private SigningTable
Knyctelecomm.com.+008+63409.key TrustedHosts
Knyctelecomm.com.+008+63409.private
emailer1 opendkim # mv Knyctelecomm.com.+008+63409.key Knyctelecomm.com.ksk.key
emailer1 opendkim # mv Knyctelecomm.com.+008+63409.private Knyctelecomm.com.ksk.private
emailer1 opendkim # mv Knyctelecomm.com.+008+30369.key Knyctelecomm.com.zsk.key
emailer1 opendkim # mv Knyctelecomm.com.+008+30369.private Knyctelecomm.com.zsk.private
emailer1 opendkim # ls
keys Knyctelecomm.com.zsk.key opendkim.conf
KeyTable Knyctelecomm.com.zsk.private SigningTable
Knyctelecomm.com.ksk.key nyctelecomm.com.external TrustedHosts
Knyctelecomm.com.ksk.private old
emailer1 opendkim # nano nyctelecomm.com.external
emailer1 opendkim # pwd
/etc/opendkim
emailer1 opendkim # nano nyctelecomm.com.external
emailer1 opendkim # dnssec-signzone -e20150330000000 -p -t -g -k Knyctelecomm.com.ksk.key -o nyctelecomm.com nyctelecomm.com.external Knyctelecomm.com.zsk.key
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA1: KSKs: 0 active, 0 stand-by, 0 revoked
ZSKs: 0 active, 1 stand-by, 0 revoked
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
nyctelecomm.com.external.signed
Signatures generated: 35
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Signing time in seconds: 0.052
Signatures per second: 662.790
Runtime in seconds: 0.058
emailer1 opendkim # ls
dnssec-technotes.txt Knyctelecomm.com.ksk.private old
dsset-nyctelecomm.com. Knyctelecomm.com.zsk.key opendkim.conf
keys Knyctelecomm.com.zsk.private SigningTable
KeyTable nyctelecomm.com.external TrustedHosts
Knyctelecomm.com.ksk.key nyctelecomm.com.external.signed
emailer1 pri # dnssec-dsfromkey -1 -f nyctelecomm.com.external.signed nyctelecomm.com
nyctelecomm.com. IN DS 57076 8 1 E597070570CCDAF5407B6E688D2B55A708D7BE43
And then I update GoDaddy to reflect the new DS.
Tags domain-name-system dnssec
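A check that can be run before a DS record like the one produced in the last step above is submitted to a registrar, shown here as an added example that is not part of the original post: it recomputes the key tag (RFC 4034 Appendix B) and the DS digest from the zone's DNSKEY records and reports whether the DS points at a key carrying the SEP (KSK) flag. The function names and the toy public keys are assumptions made for illustration; the keys are constructed and are not the keys from the post.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def name_to_wire(name):
    """Canonical lowercase wire form of an owner name (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1, RSA/MD5)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, dnskey, digest_type):
    """Build (key_tag, algorithm, digest_type, hex_digest) for one DNSKEY tuple."""
    rdata = dnskey_rdata(*dnskey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), dnskey[2], digest_type, digest)

def check_ds(owner, ds, dnskeys):
    """Return 'ok' or the reason the DS does not match a KSK in dnskeys."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return "unsupported digest type"
    same_tag = [k for k in dnskeys
                if k[2] == alg and key_tag(dnskey_rdata(*k)) == tag]
    if not same_tag:
        return "no DNSKEY with this key tag and algorithm"
    for k in same_tag:
        if make_ds(owner, k, dtype)[3] == digest.replace(" ", "").upper():
            # SEP bit (0x0001) marks a key-signing key; flags 257 = KSK, 256 = ZSK
            return "ok" if k[0] & 0x0001 else "DS matches a key without the SEP flag"
    return "key tag matches but digest differs"

# Constructed sample DNSKEYs (toy 4-byte public keys, not real RSA keys).
OWNER = "example.test."
KSK = (257, 3, 8, "AQIDBA==")
ZSK = (256, 3, 8, "AQIDBA==")

if __name__ == "__main__":
    for ds in (make_ds(OWNER, KSK, 1), make_ds(OWNER, ZSK, 1), (1, 8, 1, "00" * 20)):
        print(ds[0], check_ds(OWNER, ds, [KSK, ZSK]))
```

To use it on a real zone, pass the DNSKEY fields exactly as they appear in the signed zone file and the DS fields as printed by `dnssec-dsfromkey`.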