DNSSEC: NSEC3 iterations too big for weakest DNSKEY strength



Mattias Geniar, October 12, 2014


When configuring DNSSEC, it's common to run into the following error. Here's how to get it fixed.

dnssec-signzone: fatal: NSEC3 iterations too big for weakest DNSKEY strength. Maximum iterations allowed 0.

The above can indicate that no active DNSKEY could be found. This happens if you set the Publish/Activate dates of your keys in the future but try to sign your zone already. As a result, the dnssec-signzone command will not find any active keys and fails to hash the zone.

To make sure, check your current keys and verify their Publish & Activate dates.

# Sign the zone with NSEC3 (salt 4326a99f, 5 extra hash iterations), using
# smart signing (-S) so only keys that are published/active at signing time
# are picked up from the key directory; signatures stay valid for 14 days.
/usr/local/sbin/dnssec-signzone \
  -v 0 \
  -K /var/named/chroot/var/named/keychains/domain.tld/ \
  -e now+1209600 \
  -o domain.tld \
  -3 4326a99f \
  -H 5 \
  -S /var/named/chroot/var/named/master/data/domain.tld
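The post says to verify the Publish & Activate dates of your keys but does not show how. The script below is an added example, not code from the original post: it scans a key directory for the `.key` files that BIND's dnssec-keygen writes, reads the `; Publish:` and `; Activate:` timestamp comments in their headers, and reports which keys dnssec-signzone would treat as active at a given time. It follows the smart-signing rule that a key is used for signing when its Activate date is set and in the past (and a key with no timing metadata at all is used as well). The key directory, key ids and timestamps are constructed sample data written to a temporary directory; the helper names (`check_keys`, `count_active`, `make_sample_keydir`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): report the Publish/Activate
# timing metadata of every DNSKEY in a key directory and flag the keys that
# dnssec-signzone will NOT consider active at a given point in time.
# Assumes the BIND .key file layout, where dnssec-keygen writes the metadata
# as "; Publish: YYYYMMDDHHMMSS" and "; Activate: YYYYMMDDHHMMSS" comments.

# true if 14-digit UTC timestamp $1 is strictly later than $2 (string compare
# is safe because both have a fixed width and the same digit layout)
later_than() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort | head -n 1)" = "$2" ]
}

# check_keys <keydir> [<YYYYMMDDHHMMSS>]  (default reference time: now, UTC)
# Prints one line per key: file, publish=, activate=, status=active|future
check_keys() {
    keydir="$1"
    now="${2:-$(date -u +%Y%m%d%H%M%S)}"
    for f in "$keydir"/K*.key; do
        [ -f "$f" ] || continue
        pub=$(sed -n 's/^; Publish: \([0-9]\{14\}\).*/\1/p' "$f" | head -n 1)
        act=$(sed -n 's/^; Activate: \([0-9]\{14\}\).*/\1/p' "$f" | head -n 1)
        if [ -z "$act" ]; then
            status="active"   # no timing metadata: smart signing uses the key
        elif later_than "$act" "$now"; then
            status="future"   # Activate date not reached yet: not used to sign
        else
            status="active"
        fi
        printf '%s publish=%s activate=%s status=%s\n' \
            "$(basename "$f")" "${pub:-unset}" "${act:-unset}" "$status"
    done
}

# count_active <keydir> [<YYYYMMDDHHMMSS>]: number of keys usable for signing.
# A count of 0 is exactly the situation behind "Maximum iterations allowed 0".
count_active() {
    check_keys "$1" "$2" | grep -c 'status=active' || true
}

# Constructed sample key directory: one KSK already active, one ZSK whose
# Publish/Activate dates lie in the future relative to October 12, 2014.
make_sample_keydir() {
    sampledir=$(mktemp -d)
    cat > "$sampledir/Kdomain.tld.+008+11111.key" <<'EOF'
; This is a key-signing key, keyid 11111, for domain.tld.
; Created: 20141001120000 (Wed Oct  1 12:00:00 2014)
; Publish: 20141001120000 (Wed Oct  1 12:00:00 2014)
; Activate: 20141001120000 (Wed Oct  1 12:00:00 2014)
domain.tld. IN DNSKEY 257 3 8 AwEAAcONSTRUCTEDSAMPLEKEYMATERIAL=
EOF
    cat > "$sampledir/Kdomain.tld.+008+22222.key" <<'EOF'
; This is a zone-signing key, keyid 22222, for domain.tld.
; Created: 20141001120000 (Wed Oct  1 12:00:00 2014)
; Publish: 20141101000000 (Sat Nov  1 00:00:00 2014)
; Activate: 20141101000000 (Sat Nov  1 00:00:00 2014)
domain.tld. IN DNSKEY 256 3 8 AwEAAcONSTRUCTEDSAMPLEKEYMATERIAL=
EOF
    printf '%s\n' "$sampledir"
}

# Demo run against the constructed directory, as of the post's date.
demo_dir=$(make_sample_keydir)
check_keys "$demo_dir" 20141012000000
echo "active keys: $(count_active "$demo_dir" 20141012000000)"
rm -rf "$demo_dir"
```

Point `check_keys` at your real `-K` directory (for the post's layout, `/var/named/chroot/var/named/keychains/domain.tld/`) with no second argument to evaluate against the current time; any key reported as `status=future` is one dnssec-signzone will skip until its Activate date passes, and when every key is in that state the signer has no key to derive an iteration limit from.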