$ ls -al /var/lib/opendnssec/unsigned/example.com -rw-r--r-- 1 opendnssec opendnssec 1236207 Dec 17 09:17 /var/lib/opendnssec/unsigned/uvt.nl $ grep ^www /var/lib/opendnssec/unsigned/example.com www IN A 126.96.36.199
The file should exist and contain normal DNS records.
named-checkzone is part of Bind, any other DNS validator should work
Is the signed zonefile in the right place?
$ ls -al /var/lib/opendnssec/signed/example.com -rw-r--r-- 1 opendnssec opendnssec 26783556 Dec 17 13:17 /var/lib/opendnssec/signed/uvt.nl $ grep ^www /var/lib/opendnssec/signed/example.com www.example.com. 3600 IN A 188.8.131.52 www.example.com. 3600 IN RRSIG A 8 3 3600 20121226140702 20121212062213 60069 uvt.nl. dt4JWUe9IWhkk5pMI0M<ABBREVIATED>Im1quqhd1PH0KdLA1jTUhWB04YkRQZov/xsF0us=
If there is no file in that location either 'zonelist.xml' is wrong or the signer is not running. If there are no RRSIGs in the file you are probably looking at the unsigned file.
Is the DNS-server working?
$ dig +short www.example.com @mydnsserver 184.108.40.206
If this fails check if the nameserver is running at all.
The SOA should be the same, if there is a difference, use the higher value
There should be one active KSK.
Preventing this situation is one of the primary purposes of OpenDNSSEC. If this happens you should check that the OpenDNNSEC signer and validator are running. If they are running you should inspect the logs for problems.
$ ods-signer verbosity 6