9

openSUSE Leap 15.6
Linux v6.4.0-150600.23.47-default x86_64
BIND 9.18.33

I have tried various changes to the SOA record in named.conf. I do not understand what is missing or incorrect. The only thing a web search has shown about a "zone apex" is that it is a Good Thing. And that NXRRSET is like NODATA only more specific.

$ sudo dnssec-signzone -g -o sma-inc.us -z Ksma-inc.us.+008+56113.key sma-inc.us.hosts
dnssec-signzone: fatal: failed to find an SOA at the zone apex: NXRRSET

Following the SOA record are a number of RRSIGs, 14 of them. They did not seem relevant to the SOA itself.

$ORIGIN sma-inc.us.
$TTL 38400      ; 10 hours 40 minutes
@               IN SOA  ns1.sma-inc.us. admin.sohnen-moe.com. (
                                2025022748 ; serial
                                600        ; refresh (10 minutes)
                                60         ; retry (1 minute)
                                86400      ; expire (1 day)
                                300        ; minimum (5 minutes)
                                )
jimoe

1 Answer

14

What is missing from this SOA?

Nothing.

The order of your dnssec-signzone command line arguments is incorrect.

It should be options zonefile key where you appear to be using options key zonefile.

That leads to parsing your key file as a DNS zone which obviously fails. The error message is cryptic but should be interpreted as “you’re saying this file should be a DNS zone file but it doesn’t contain the elements expected. For starters there is no SOA record.”

Try

sudo dnssec-signzone -g -o sma-inc.us -z sma-inc.us.hosts Ksma-inc.us.+008+56113.key
HBruijn
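The answer's point is that dnssec-signzone expects the zone file first and the key files after it. The following pre-flight check for swapped arguments is an added example, not part of the original answer or of BIND; the function names, the example.test zone and the key data are constructed assumptions.

```shell
# Added example, not from the original post: check the positional arguments
# before running dnssec-signzone, which expects: [options] zonefile [keys...]

# Print "zone" (file has an SOA), "key" (DNSKEY but no SOA) or "unknown".
classify_file() {
    awk '
        /^[ \t]*(;|$)/ { next }                    # comment or blank line
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^;/) break               # trailing comment
                if ($i == "SOA") soa = 1
                if ($i == "DNSKEY") dnskey = 1
            }
        }
        END { print (soa ? "zone" : (dnskey ? "key" : "unknown")) }
    ' "$1"
}

# Usage: check_signzone_args ZONEFILE [KEYFILE...]; returns 0 if the order is sane.
check_signzone_args() {
    zonefile=$1; shift
    if [ "$(classify_file "$zonefile")" != "zone" ]; then
        echo "error: $zonefile has no SOA; the zone file goes before the keys" >&2
        return 1
    fi
    for keyfile in "$@"; do
        if [ "$(classify_file "$keyfile")" != "key" ]; then
            echo "error: $keyfile is not a DNSKEY key file" >&2
            return 1
        fi
    done
}

# Constructed sample files (example.test is a placeholder zone, key data is fake).
make_samples() {
    printf '%s\n' '$ORIGIN example.test.' '$TTL 38400' \
        '@ IN SOA ns1.example.test. admin.example.test. ( 1 600 60 86400 300 )' \
        '@ IN NS ns1.example.test.' > "$1/example.test.hosts"
    printf '%s\n' '; This is a zone-signing key (constructed sample)' \
        'example.test. IN DNSKEY 256 3 8 AwEAAcPLACEHOLDER' > "$1/Kexample.test.+008+00001.key"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_signzone_args "$demo_dir/example.test.hosts" "$demo_dir/Kexample.test.+008+00001.key" \
    && echo "zonefile key: ok"
check_signzone_args "$demo_dir/Kexample.test.+008+00001.key" "$demo_dir/example.test.hosts" \
    || echo "key zonefile: rejected"
rm -rf "$demo_dir"
```

The classification is a heuristic on record types only; it does not validate the zone or the key.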