DNSSEC sign-zone results in fatal failure

I have a working DNS in a VM-env for testing and learning purposes. It's a complete server from root-domain and a couple of subdomains.

I've added

dnssec-enable yes;

into named.conf, and also created the ZSK and KSK keys and appended them to one of my subdomains.

I'm trying to take the easy path and only signing one domain. Let's say I have

home.garage.top

as my top- and subdomains, and I want to sign home, and only home. I use

dnssec-signzone -o home.db -N increment -k Khome.garage.top.+005+46921 home.db Khome.garage.top.+005+36051

This should produce a home.db.signed or home.signed but it does not. All I get is

dnssec-signzone: error: dns_master_load: home.db:10: home.garage.top: not at top of zone
dnssec-signzone: fatal: failed loading zone from 'home.db': not at top of zone

What am I doing wrong?


Solution 1:

You are specifying that the origin is home.db (using -o). Is that actually the name of the zone? It sounded like the name of the zone was rather home.garage.top.

That kind of mismatch would fit the kind of error message you're getting.


As a general suggestion regarding DNSSEC and BIND, however, I would suggest making use of the built-in functionality for zone maintenance rather than calling dnssec-signzone manually (and scheduling that somehow).

See the auto-dnssec maintain and possibly inline-signing yes settings as well as this guide.
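As an added illustration of the origin mismatch the answer describes (this script is not from the question or the answer), the POSIX shell snippet below reads the owner name of the SOA record from a zone file and refuses to build the dnssec-signzone command line unless it equals the origin passed with -o. The zone file contents are constructed; the key file names are the ones from the question. The function prints the command instead of executing it, so it runs without BIND installed.

```shell
#!/bin/sh
# Added example (not from the original question or answer): confirm that the
# origin given to dnssec-signzone -o matches the SOA owner name in the zone
# file. A mismatch is what produces "not at top of zone".

# Print the SOA owner name from a zone file, without the trailing dot.
# Handles an explicit owner, "@" resolved via $ORIGIN, and a blank owner
# field (inherits the origin). Prints nothing if no SOA record is found.
soa_owner() {
    awk '
        $1 == "$ORIGIN" { origin = $2; next }
        /[[:space:]]SOA[[:space:]]/ {
            if ($0 ~ /^[[:space:]]/ || $1 == "@") owner = origin
            else owner = $1
            sub(/\.$/, "", owner)
            print owner
            exit
        }
    ' "$1"
}

# Return 0 if ORIGIN (with or without trailing dot) names the zone in ZONEFILE.
check_origin() {
    zonefile=$1
    origin=${2%.}
    owner=$(soa_owner "$zonefile")
    [ -n "$owner" ] && [ "$owner" = "$origin" ]
}

# Build the dnssec-signzone command line only after the origin check passes.
# The command is printed, not run, so the example works without BIND.
sign_cmd() {
    zonefile=$1; origin=$2; ksk=$3; zsk=$4
    check_origin "$zonefile" "$origin" || {
        echo "origin '$origin' does not match SOA owner '$(soa_owner "$zonefile")' in $zonefile" >&2
        return 1
    }
    echo "dnssec-signzone -o $origin -N increment -k $ksk $zonefile $zsk"
}

# Constructed zone file for home.garage.top (sample data, not a real zone).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
ZONE="$TMP/home.db"
cat > "$ZONE" <<'EOF'
$TTL 86400
$ORIGIN home.garage.top.
@   IN SOA ns1.home.garage.top. hostmaster.home.garage.top. (
        2024010101 3600 900 1209600 86400 )
    IN NS  ns1.home.garage.top.
ns1 IN A   192.0.2.53
EOF

# Demonstration: the mismatched -o from the question is rejected, the
# corrected origin yields a usable command line.
sign_cmd "$ZONE" home.db Khome.garage.top.+005+46921 Khome.garage.top.+005+36051 || true
sign_cmd "$ZONE" home.garage.top Khome.garage.top.+005+46921 Khome.garage.top.+005+36051
```

The same check applies whether the owner is written out in full, given as "@" under a $ORIGIN directive, or left blank on the SOA line; in all three cases the name it resolves to is what -o has to match.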