[yadifa-users] Is a DNSSEC related bug possible in 2.0.4?

Markus Kolb markus.kolb+yadifa at tower-net.de
Fri Feb 27 10:37:25 CET 2015


I've problems to get DNSSEC to work with 2.0.4.

It's a domain in the de-zone.
The denic has a DNS checker tool at

If I check my signed domain, sometimes it is approved and sometimes I 
get an unexpected exception error 999.
I do not change anything in the meantime.

I've used the tools of bind for generating keys and signing the zone.

dnssec-signzone -v 9 -A -3 b0255d9fc8b8cf81 -o tower-net.de -K 
/var/lib/yadifad/zones/keys -d /var/lib/yadifad/zones/keys -k 
Ktower-net.de.+007+62298.key -N increment -t 
Ktower-net.de.+007+62654.key Ktower-net.de.+007+62298.key

For your info: The example domain is not yet delegated to my domain 
servers. With the denic tool I've specified the domain servers with the 
available signed zones.

Btw. the bind tools are the hell of usability. Why you have to specify 
the KSK 2 times? Isn't it enough to say -k KSK ?! And no warning. Just 
the fully signed zones are not correctly signed. ;-)

Ok. Back to the remaining problem...

In the query log I see different entries when the zone is approved and 
when it is denied.

2015-02-27 09:22:22.666113 | queries  | I | query [958c] {--E-D--} 
it-newmedia.de. IN SOA (

2015-02-27 09:21:58.376208 | queries  | I | query [9df4] {--ETD--} 
it-newmedia.de. IN SOA (

So there is a T-flag when the denic denies my zone.

What does these flags mean? Couldn't find documentation for them.


More information about the yadifa-users mailing list