我正在尝试签署 NSD 区域,但出现以下错误,我不明白原因:
$ dnssec-keygen -a ed25519 -3 -K /etc/dnssec/mykeys/ example.com
Generating key pair.
Kexample.com.+015+06293
$ dnssec-signzone -S -K /etc/dnssec/mykeys/ /var/lib/nsd/example.com.zone
dnssec-signzone: error: dns_master_load: example.com.zone:3: example.com: not at top of zone
dnssec-signzone: fatal: failed loading zone from '/var/lib/nsd/example.com.zone': not at top of zone
我有以下区域:
$ORIGIN example.com.
$TTL 1800
@ IN SOA ns.example.com. admin.example.com. (
20210324
3600
900
1209600
1800
)
srv IN A 94.23.xx.xx
srv IN AAAA 2001:xx:xx::
ns IN CNAME srv.example.com.
@ IN NS ns.example.com.
答案1
我相信您只是想使用该-o zonename选项,因为文件名与区域名称不同(-o不使用时的默认假设)。
错误似乎是关于SOA记录不在区域的顶点,这似乎是有道理的,因为example.com≠ example.com.zone。