|Table of Contents|
Add helpful tip here....
Add another really helpful tip here...
$ ls -al /var/lib/opendnssec/unsigned/example.com -rw-r--r-- 1 opendnssec opendnssec 1236207 Dec 17 09:17 /var/lib/opendnssec/unsigned/uvt.nl $ grep ^www /var/lib/opendnssec/unsigned/example.com www IN A 220.127.116.11
The file should exist and contain normal DNS records.
named-checkzone is part of Bind, any other DNS validator should work
Is the signed zonefile in the right place?
$ ls -al /var/lib/opendnssec/signed/example.com -rw-r--r-- 1 opendnssec opendnssec 26783556 Dec 17 13:17 /var/lib/opendnssec/signed/uvt.nl $ grep ^www /var/lib/opendnssec/signed/example.com www.example.com. 3600 IN A 18.104.22.168 www.example.com. 3600 IN RRSIG A 8 3 3600 20121226140702 20121212062213 60069 uvt.nl. dt4JWUe9IWhkk5pMI0M<ABBREVIATED>Im1quqhd1PH0KdLA1jTUhWB04YkRQZov/xsF0us=
If there is no file in that location either 'zonelist.xml' is wrong or the signer is not running. If there are no RRSIGs in the file you are probably looking at the unsigned file.
Is the DNS-server working?
$ dig +short www.example.com @mydnsserver 22.214.171.124
If this fails check if the nameserver is running at all.
The SOA should be the same, if there is a difference, use the higher value
There should be one active KSK.
Preventing this situation is one of the primary purposes of OpenDNSSEC. If this happens you should check that the OpenDNNSEC signer and validator are running. If they are running you should inspect the logs for problems.
$ ods-signer verbosity 6