Bind9.10 inline signing 'loadkeys' failing

Brad S
This is a repost from 12-19-2015 which appears stuck in the queue:

I am using the exact same rndc method to load inline signing keys as what worked yesterday, but today the same steps are failing?
A stuck key?

    # rndc flush
    # rndc reconfig
    # rndc addzone domain.com in external '{type master; auto-dnssec maintain; inline-signing yes; key-directory "/home/mailer-domains/domain.com/"; file "/home/mailer-domains/domain.com/domain.com.external"; update-policy { grant ddns-key zonesub ANY; };};'
    # rndc loadkeys domain.com
    # rndc signing -nsec3param 1 0 10 03F92714 domain.com.

  
    [\u@yoda:/usr/local/etc/namedb] # rndc zonestatus domain.com
    name: domain.com
    type: master
    files: /home/mailer-domains/domain.com/domain.com.external
    serial: 2015121923
    signed serial: 2015121931
    nodes: 9
    last loaded: Sun, 20 Dec 2015 00:07:01 GMT
    secure: no
    key maintenance: automatic
    next key event: Sun, 20 Dec 2015 01:18:20 GMT
    dynamic: yes
    frozen: no
   
   
    error:
    20-Dec-2015 01:30:56.735 general: info: received control channel command 'signing -nsec3param 1 0 10 03F92714 domain.com.'
    20-Dec-2015 01:30:56.735 general: debug 1: setnsec3param: zone domain.com/IN/external (signed): enter
    20-Dec-2015 01:30:56.735 general: error: zone domain.com/IN/external (signed): could not get zone keys for secure dynamic update


The keys are present, valid, and have correct permissions. No other errors.


key generation method:

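    import subprocess
    # Zone-signing key, then key-signing key (-fk); -3 selects an NSEC3-capable algorithm
    subprocess.check_output([ 'dnssec-keygen', '-a', 'RSASHA256', '-b', '2048', '-3', 'domain.com' ])
    subprocess.check_output([ 'dnssec-keygen', '-a', 'RSASHA256', '-b', '2048', '-3', '-fk', 'domain.com' ])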

freebsd-version
10.1-RELEASE-p5

named -v
BIND 9.10.3 <id:2799933>
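
The post says the keys are present, valid and readable. As an added example (not part of the original post, and not a diagnosis of it), here is one way to check those three things for a key-directory; the function names, the sample directory and its key tags are constructed for illustration.

```python
import os, re, tempfile
from datetime import datetime, timezone

KEY_RE = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.key$")

def audit_key_directory(key_dir, zone, now=None):
    """List reasons a key pair in key_dir is unusable for signing `zone`."""
    now = now or datetime.now(timezone.utc)
    zone, problems, roles = zone.rstrip(".").lower(), [], set()
    for name in sorted(os.listdir(key_dir)):
        m = KEY_RE.match(name)
        if not m or m.group("zone").lower() != zone:
            continue
        path = os.path.join(key_dir, name)
        # named needs the .private half; run this as the account named runs as
        if not os.access(path[:-4] + ".private", os.R_OK):
            problems.append(f"{name}: .private missing or unreadable")
            continue
        with open(path) as fh:
            text = fh.read()
        rec = re.search(r"\bDNSKEY\s+(\d+)\s+3\s+(\d+)", text)
        if not rec:
            problems.append(f"{name}: no DNSKEY record")
            continue
        # dnssec-keygen writes timing metadata as "; Activate: YYYYMMDDHHMMSS (...)" in UTC
        act = re.search(r"^; Activate: (\d{14})", text, re.M)
        if act and datetime.strptime(act.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc) > now:
            problems.append(f"{name}: not active until {act.group(1)}")
            continue
        roles.add("KSK" if int(rec.group(1)) & 1 else "ZSK")  # 257 = KSK, 256 = ZSK
    # The post generates one ZSK and one KSK (-fk); report whichever is not usable.
    problems += [f"no usable {r} for {zone}" for r in ("KSK", "ZSK") if r not in roles]
    return problems

def make_sample_dir(ksk_private=True, zsk_activate="20151219000000"):
    """Constructed sample key-directory (fake key material, made-up key tags)."""
    d = tempfile.mkdtemp()
    for tag, flags, activate, private in (("11111", 257, "20151219000000", ksk_private),
                                          ("22222", 256, zsk_activate, True)):
        base = os.path.join(d, f"Kdomain.com.+008+{tag}")
        with open(base + ".key", "w") as fh:
            fh.write(f"; Activate: {activate} (constructed)\n"
                     f"domain.com. IN DNSKEY {flags} 3 8 AwEAAconstructed\n")
        if private:
            with open(base + ".private", "w") as fh:
                fh.write("Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n")
    return d

if __name__ == "__main__":
    print(audit_key_directory(make_sample_dir(ksk_private=False), "domain.com."))
```

The readability check reflects the permissions of whichever account runs the script, so it is only meaningful when run as the user named runs under.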

