Dnssec-signzone error 'not at top of zone' for a hosted domain

Tags: bind, dns-zone, dnssec, domain-name-system

$TTL 86400
$ORIGIN yoda.domain2.com.
@ 1D IN SOA yoda.domain2.com. admin.domain.com. (
        2015021601 ; Serial yyyymmddnn
        3h         ; Refresh after 3 hours
        1h         ; Retry after 1 hour
        1w         ; Expire after 1 week
        1h )       ; Minimum (negative caching) of 1 hour
    IN NS yoda.domain2.com.
    IN NS r2d2.domain2.com.
domain.com. IN TXT "v=spf1 mx a:r2d2.domain2.com ~all" ; SPF string must be quoted
domain.com. MX 0 r2d2.domain2.com.
domain.com. IN A 108.61.175.20
www.domain.com. IN A 108.61.175.20
mail.domain.com. IN A 107.191.60.48
imap.domain.com. IN A 107.191.60.48
pop.domain.com. IN A 107.191.60.48
smtp.domain.com. IN A 107.191.60.48
yoda.domain.com. IN A 108.61.190.64
r2d2.domain.com. IN A 107.191.60.48
vader.domain.com. IN A 108.61.175.20 ; trailing dot: without it the name is relative to $ORIGIN
r2d2.domain.com. IN AAAA 2001:19f0:7000:8945::64
yoda.domain.com. IN AAAA 2001:19f0:6c00:8141::64
$include /usr/local/etc/namedb/Kdomain.com.zsk.key ; ZSK
$include /usr/local/etc/namedb/Kdomain.com.ksk.key ; KSK

Best Answer
The SOA record is at yoda.ex-mailer.com ($ORIGIN yoda.ex-mailer.com. redefines the origin to that). However, the rest of the zone file seems to contain nyctelecomm.com. records. Also, you specify the initial origin to dnssec-signzone as nyctelecomm.com.

This seems to be a mismatch which will lead to this kind of error. (The SOA and NS records are supposed to be at the zone apex.)

While the problem with this zone file really isn't DNSSEC related per se, you may want to look into the auto-dnssec maintain functionality of modern BIND versions as an alternative to manually signing with dnssec-signzone.
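The origin mismatch the answer describes can be caught before dnssec-signzone is run. The script below is an added example, not code from the question, the answer or BIND: it parses a constructed excerpt of the zone above (ZONE_TEXT), resolves owner names against $ORIGIN the way a master file is read (an "@" owner, a missing owner, a name without a trailing dot), and reports an SOA whose owner is not the zone name that would be passed as -o, plus any record whose owner lies outside that zone. The function names (apex_problems, parse_records, fqdn) are this example's own.

```python
import re

# Constructed excerpt of the question's zone: $ORIGIN names yoda.domain2.com., while the records (and the -o name for dnssec-signzone) are domain.com.
ZONE_TEXT = """\
$TTL 86400
$ORIGIN yoda.domain2.com.
@ 1D IN SOA yoda.domain2.com. admin.domain.com. (
        2015021601 3h 1h 1w 1h )   ; serial refresh retry expire minimum
    IN NS yoda.domain2.com.
domain.com. IN A 108.61.175.20
"""
TTL_RE, CLASSES = re.compile(r"^\d+[smhdw]?$", re.I), {"IN", "CH", "HS"}

def fqdn(name, origin):  # '@' is the origin; no trailing dot means relative to it
    return origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}").lower()

def logical_lines(text):  # strip ';' comments, join '( ... )' spans; yield (owner_omitted, line)
    buf = []
    for raw in text.splitlines():
        buf.append(raw.split(";", 1)[0].rstrip())
        joined = " ".join(buf)
        if joined.count("(") <= joined.count(")"):     # record is complete
            if joined.strip():
                yield buf[0][:1].isspace(), joined.replace("(", " ").replace(")", " ")
            buf = []

def parse_records(text, zone):  # -> [(owner_fqdn, rtype)] with $ORIGIN, '@' and blank owners applied
    origin = zone.lower().rstrip(".") + "."
    records, last_owner = [], origin
    for owner_omitted, line in logical_lines(text):
        toks = line.split()
        if toks[0].startswith("$"):                    # directive, not a record
            if toks[0].upper() == "$ORIGIN":
                origin = fqdn(toks[1], origin)
            continue
        owner = last_owner if owner_omitted else fqdn(toks.pop(0), origin)
        while toks and (TTL_RE.match(toks[0]) or toks[0].upper() in CLASSES):
            toks.pop(0)                                # skip optional TTL and class
        records.append((owner, toks[0].upper() if toks else "?"))
        last_owner = owner
    return records

def apex_problems(text, zone):
    """What dnssec-signzone -o <zone> rejects: an SOA not owned by the zone name, and records outside the zone."""
    zone, out = zone.lower().rstrip(".") + ".", []
    for owner, rtype in parse_records(text, zone):
        if rtype == "SOA" and owner != zone:
            out.append(f"SOA is at {owner}, not at top of zone {zone}")
        elif owner != zone and not owner.endswith("." + zone):
            out.append(f"{rtype} record {owner} is outside zone {zone}")
    return out
```

Running apex_problems(ZONE_TEXT, "domain.com") reports the SOA at yoda.domain2.com. and the NS record outside domain.com.; with the $ORIGIN line changed to domain.com. it reports nothing.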