inline dnssec loadkeys fails


inline dnssec loadkeys fails

Brad S
I have been using the exact same rndc method to load inline signing keys as what worked yesterday, but today the same steps are failing. A stuck key?

[\u@yoda:/usr/local/etc/namedb] # rndc flush
[\u@yoda:/usr/local/etc/namedb] # rndc reconfig
[\u@yoda:/usr/local/etc/namedb] # rndc addzone domain.com in external '{type master; auto-dnssec maintain; inline-signing yes; key-directory "/home/mailer-domains/domain.com/"; file "/home/mailer-domains/domain.com/domain.com.external"; update-policy { grant ddns-key zonesub ANY; };};'
[\u@yoda:/usr/local/etc/namedb] # rndc loadkeys domain.com
[\u@yoda:/usr/local/etc/namedb] # rndc signing -nsec3param 1 0 10 03F92714 domain.com.

[\u@yoda:/usr/local/etc/namedb] # rndc zonestatus domain.com
name: domain.com
type: master
files: /home/mailer-domains/domain.com/domain.com.external
serial: 2015121923
signed serial: 2015121931
nodes: 9
last loaded: Sun, 20 Dec 2015 00:07:01 GMT
secure: no
key maintenance: automatic
next key event: Sun, 20 Dec 2015 01:18:20 GMT
dynamic: yes
frozen: no


error:
20-Dec-2015 01:30:56.735 general: info: received control channel command 'signing -nsec3param 1 0 10 03F92714 domain.com.'
20-Dec-2015 01:30:56.735 general: debug 1: setnsec3param: zone domain.com/IN/external (signed): enter
20-Dec-2015 01:30:56.735 general: error: zone domain.com/IN/external (signed): could not get zone keys for secure dynamic update

The keys are present, valid and have correct permissions. No other errors.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
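A check for the error Brad quotes, added here as an example and not part of the thread or of BIND itself: named only signs when the key-directory holds a readable K<zone>.+<alg>+<id>.key with its .private half and the DNSKEY owner name in that file is the zone being loaded. It assumes the naming dnssec-keygen produces and constructs a sample key directory with placeholder (non-functional) key material.

```shell
#!/bin/sh
# Constructed diagnostic for "could not get zone keys for secure dynamic update":
# named can only sign with a readable K<zone>.+<alg>+<id>.key/.private pair whose
# DNSKEY owner name is the zone being loaded. Run it as the user named runs as,
# so the -r tests reflect named's view of the permissions.

# check_zone_keys ZONE KEYDIR: one line per key file; succeeds if at least one
# complete, readable pair belongs to ZONE.
check_zone_keys() {
    zone=$(printf '%s' "$1" | sed 's/\.$//')   # accept "domain.com." or "domain.com"
    keydir=$2
    usable=0
    for pub in "$keydir"/K"$zone".+*.key; do
        [ -e "$pub" ] || { echo "no K$zone.+*.key files in $keydir"; return 1; }
        priv=${pub%.key}.private
        if [ ! -r "$pub" ]; then echo "unreadable: $pub"; continue; fi
        if [ ! -r "$priv" ]; then echo "missing or unreadable private half: $priv"; continue; fi
        # owner name is the first field of the DNSKEY record (TTL field optional)
        owner=$(grep -v '^;' "$pub" |
            awk '{for (i = 1; i <= NF; i++) if ($i == "DNSKEY") {print $1; exit}}' |
            sed 's/\.$//')
        if [ "$owner" != "$zone" ]; then echo "owner '$owner' != zone '$zone' in $pub"; continue; fi
        echo "usable: $pub"
        usable=$((usable + 1))
    done
    [ "$usable" -gt 0 ]
}

# make_fixture: constructed key directory (placeholder key material, not real keys):
# one good pair, one pair owned by a different zone, one .key with no .private.
make_fixture() {
    d=$(mktemp -d)
    printf '; KSK, keyid 12345, for domain.com. (constructed)\ndomain.com. IN DNSKEY 257 3 8 AwEAAcONSTRUCTEDPLACEHOLDER\n' \
        > "$d/Kdomain.com.+008+12345.key"
    printf 'Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n' > "$d/Kdomain.com.+008+12345.private"
    printf 'other.example. IN DNSKEY 256 3 8 AwEAAcONSTRUCTEDPLACEHOLDER\n' > "$d/Kdomain.com.+008+22222.key"
    printf 'Private-key-format: v1.3\n' > "$d/Kdomain.com.+008+22222.private"
    printf 'domain.com. IN DNSKEY 256 3 8 AwEAAcONSTRUCTEDPLACEHOLDER\n' > "$d/Kdomain.com.+008+33333.key"
    echo "$d"
}
# Against the thread's layout: check_zone_keys domain.com /home/mailer-domains/domain.com
```

Against the fixture it reports one usable pair, one owner mismatch and one orphaned public key; against a directory with no matching files it fails, which is the situation the log line describes.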

Re: inline dnssec loadkeys fails

John W. Blue
Brad,

FWIW, I personally like to reconfig then flush. Not that it will help you with the issue at hand but for me it keeps any blackholed domains from getting into cache.

John

Sent from Nine

From: Brad S <[hidden email]>
Sent: Dec 19, 2015 6:54 PM
To: [hidden email];[hidden email]
Subject: inline dnssec loadkeys fails
