When configuring DNSSEC, you will commonly run into the following error. Here's how to fix it.
dnssec-signzone: fatal: NSEC3 iterations too big for weakest DNSKEY strength. Maximum iterations allowed 0.
The above can indicate that no active DNSKEY could be found. This happens if you set your keys' Publish/Activate dates in the future but try to sign your zones already. As a result, the dnssec-signzone command will not find any active keys and will fail to hash all values.
To make sure, check your current keys and verify their Publish & Activate dates.
/usr/local/sbin/dnssec-signzone \
    -v 0 \
    -K /var/named/chroot/var/named/keychains/domain.tld/ \
    -e now+1209600 \
    -o bjornborgshop.be \
    -3 4326a99f \
    -H 5 \
    -S /var/named/chroot/var/named/master/data/domain.tld
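One way to carry out the key-date check described above, as an added example that is not part of the original post. It assumes the K*.key files contain the "; Activate: YYYYMMDDHHMMSS" comment line written by dnssec-keygen; the function names, the example.test zone and the sample key files are constructed for illustration.

```sh
#!/bin/sh
# Added example: report each key's Activate time relative to a signing time.
# Assumption: K*.key files carry the "; Activate: YYYYMMDDHHMMSS" comment
# that dnssec-keygen / dnssec-settime write (times are UTC).

# key_activation_report DIR [NOW]
# Prints "<file> <ACTIVE|FUTURE|UNSET> <activate-time>" for each key in DIR.
# Returns 0 if at least one key is active at NOW, 1 otherwise.
key_activation_report() {
    dir=$1
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    active=0
    for f in "$dir"/K*.key; do
        [ -f "$f" ] || continue          # glob matched nothing
        act=$(sed -n 's/^; Activate: \([0-9]\{14\}\).*/\1/p' "$f" | head -n 1)
        if [ -z "$act" ]; then
            state=UNSET                  # no Activate comment in this file
        elif [ "$act" -le "$now" ]; then
            state=ACTIVE
            active=$((active + 1))
        else
            state=FUTURE                 # activation date is still ahead
        fi
        printf '%s %s %s\n' "${f##*/}" "$state" "${act:--}"
    done
    [ "$active" -gt 0 ]
}

# Constructed sample key file (placeholder key data, not a real DNSKEY).
write_sample_key() {  # write_sample_key DIR KEYID ACTIVATE
    printf '%s\n' \
        "; This is a zone-signing key, keyid $2, for example.test." \
        "; Publish: 20240101000000 (constructed)" \
        "; Activate: $3 (constructed)" \
        "example.test. IN DNSKEY 256 3 8 Q09OU1RSVUNURUQ=" \
        > "$1/Kexample.test.+008+$2.key"
}

demo=$(mktemp -d)
write_sample_key "$demo" 11111 20240101000000
write_sample_key "$demo" 22222 20300101000000
# Signing time before any key activates: the situation described above.
key_activation_report "$demo" 20230101000000 ||
    echo "no active key at this time; signing would fail"
rm -rf "$demo"
```

To check real keys, call key_activation_report with the directory passed to -K in the signing command.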