You do not ship dns_signer, the application needed to generate a Secure DNS Zone (as per DNSSEC), as part of the standard bind package. It is part of the contrib section of BIND 8.2.2, but it does not get built as part of the current bind rpm build process. Without dns_signer, you cannot generate a DNSSEC Secure Zone file. Could you please build the dns_signer and also ship it with the Bind RPM? -derek
Please correct me if I'm wrong, but I understood that the DNSSEC protocols use RSA-MD5 signatures, which require use of a patented algorithm.
We'll probably "fix" this some time after the RSA patent expires. #include <patents/suck.h>
FYI, RSADSI has given a license to BIND specifically to enable the distribution of SecureDNS. If you'd like I can go find you the relevant websites that have the license information, but a web search of DNS RSA and License should find it. In particular, John Gilmore was instrumental in obtaining such a license.
I think this is all sorted with bind 9.1, as RSA has expired and bind now uses OpenSSL. (The SecureDNS licence, from what I remember, was not strictly 'Open Source')