When configuring DNSSEC, it’s common to run into the following error. Here’s how to fix it.
dnssec-signzone: fatal: NSEC3 iterations too big for weakest DNSKEY strength. Maximum iterations allowed 0.
The above can indicate that no active DNSKEY could be found. This happens if you set the key’s Publish/Activate dates in the future but try to sign your zone already: dnssec-signzone then finds no active key, and the NSEC3 hashing step fails with the error above.
To confirm, list your current keys and verify their Publish and Activate dates.
/usr/local/sbin/dnssec-signzone \
-v 0 \
-K /var/named/chroot/var/named/keychains/domain.tld/ \
-e now+1209600 \
-o bjornborgshop.be \
-3 4326a99f \
-H 5 \
-S /var/named/chroot/var/named/master/data/domain.tld
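As an added illustration (not part of the original post), the following Python script performs the check described above: it reads the timing metadata that dnssec-keygen writes into each key’s .private file and reports whether any key would be active at the moment you sign. The three key files are constructed samples with made-up key tags and no key material; the Publish/Activate/Inactive/Delete field names and 14-digit UTC timestamps follow BIND’s private-key file format (`dnssec-settime -p all <keyfile>` prints the same fields from the real tool).

```python
import re
from datetime import datetime, timezone

# Constructed examples of BIND .private files (Private-key-format v1.3), standing
# in for the K<zone>.+<alg>+<tag>.private files under the -K key directory. Key
# tags are made up and the base64 key material lines are omitted. Timing fields
# are YYYYMMDDHHMMSS in UTC, the format dnssec-keygen/dnssec-settime write.
SAMPLE_KEYS = {
    # Published and activated in the past: usable for signing.
    "Kdomain.tld.+008+11111.private": """\
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Created: 20240101000000
Publish: 20240101000000
Activate: 20240101000000
""",
    # Activate set two weeks out: published but not yet usable for signing.
    "Kdomain.tld.+008+22222.private": """\
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Created: 20240101000000
Publish: 20240115000000
Activate: 20240115000000
""",
    # Already rolled out: its Inactive date has passed.
    "Kdomain.tld.+008+33333.private": """\
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Created: 20230101000000
Publish: 20230101000000
Activate: 20230101000000
Inactive: 20231231000000
Delete: 20240131000000
""",
}

TIMING_RE = re.compile(r"^(Publish|Activate|Inactive|Delete):\s*(\d{14})\s*$")


def parse_stamp(stamp):
    """Parse a 14-digit YYYYMMDDHHMMSS UTC timestamp into an aware datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_timing(private_text):
    """Return {field: datetime} for the timing lines present in one .private file."""
    timing = {}
    for line in private_text.splitlines():
        m = TIMING_RE.match(line)
        if m:
            timing[m.group(1)] = parse_stamp(m.group(2))
    return timing


def key_state(timing, when):
    """Classify a key as of datetime `when`.

    'active'      Activate <= when and no Inactive date has passed: signs records.
    'future'      Activate is later than `when`: the case behind the error above.
    'retired'     Inactive <= when: no longer used for signing.
    'no-metadata' No Activate line at all; flagged rather than assumed either way.
    """
    if "Activate" not in timing:
        return "no-metadata"
    if timing["Activate"] > when:
        return "future"
    inactive = timing.get("Inactive")
    if inactive is not None and inactive <= when:
        return "retired"
    return "active"


def check_keys(keys, when_stamp):
    """Classify every key as of `when_stamp` and return (states, active_key_names)."""
    when = parse_stamp(when_stamp)
    states = {name: key_state(parse_timing(text), when) for name, text in keys.items()}
    active = sorted(name for name, state in states.items() if state == "active")
    return states, active


def diagnose(keys, when_stamp):
    """One-line verdict: would dnssec-signzone find an active key at this time?"""
    states, active = check_keys(keys, when_stamp)
    if active:
        return "ok: %d active key(s): %s" % (len(active), ", ".join(active))
    future = sorted(n for n, s in states.items() if s == "future")
    if future:
        return "no active DNSKEY at %s; Activate still in the future for: %s" % (
            when_stamp, ", ".join(future))
    return "no active DNSKEY at %s and none pending activation" % when_stamp


if __name__ == "__main__":
    # Signing before any Activate date: the situation that produces the error.
    print(diagnose(SAMPLE_KEYS, "20231231120000"))
    # Signing after the first key's Activate date: signing proceeds.
    print(diagnose(SAMPLE_KEYS, "20240110000000"))
```

With `-S` (smart signing), dnssec-signzone selects keys from the -K directory by exactly this metadata, so a key file that is present but whose Activate date lies after the signing time is simply not used. Either wait for the Activate date, or move it back with dnssec-settime and re-run the signing command.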