auto update signatures dnssec
fakessh @
fakessh at fakessh.eu
Tue Dec 28 21:15:22 UTC 2010
sorry for the top box on alan clegg
On Monday, 27 December 2010 at 08:48 -0500, Alan Clegg wrote:
> On 12/27/2010 1:07 AM, fakessh wrote:
>
> > good day and merry christmas.
>
> Thanks, and to you as well.
>
> > I just put in place guidelines in the bind config to update the dnssec
> > signatures.
> > I'm looking for options that require the least amount of maintenance so
> > that all updates of signatures are performed without any external intervention
> >
> > i quote my named conf
> >
> > zone "fakessh.eu" {
> >     type master;
> >     file "/var/named/fakessh.eu.hosts";
> >     auto-dnssec maintain;
> >     update-policy local;
> >     key-directory "/var/named/keyset-fakessh.eu";
> >     allow-transfer { 213.251.188.140; 87.98.164.164;
> >                      195.234.42.1; 94.23.59.30; };
> > };
> >
> > are the guidelines good options?
>
> A bit more interesting is the command that you used to sign the zone.
> When signatures reach 3/4 lifetime, the associated record is
> automatically re-signed.
>
> Additionally, when new keys are made available, signatures will be created
> based on the timing metadata in the keys.
>
> Overall, the defaults seem to be "good enough" for nearly everyone.
>
> AlanC
hello responsible bind community.
you gave me the answer to my question, thank you, but I am having new
problems.
I encounter errors during the automatic re-signing.
I quote my multiple errors:
I do not know what it is
Dec 28 22:04:02 r13151 named-sdb[24511]: /var/named/renelacroute.fr.hosts.jnl: create: permission denied
Dec 28 22:04:02 r13151 named-sdb[24511]: zone nicolaspichot.fr/IN: zone_resigninc:dns_journal_open -> unexpected error
Dec 28 22:04:02 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file fakessh.eu/DSA/9552: file not found
Dec 28 22:04:02 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file fakessh.eu/DSA/47103: file not found
Dec 28 22:04:02 r13151 named-sdb[24511]: zone r13151.ovh.net/IN: sending notifies (serial 2010111401)
Dec 28 22:04:02 r13151 named-sdb[24511]: zone renelacroute.fr/IN: zone_resigninc:dns_journal_open -> unexpected error
Dec 28 22:04:02 r13151 kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=94.23.60.214 DST=88.191.64.64 LEN=148 TOS=0x00 PREC=0x00 TTL=64 ID=14118 PROTO=UDP SPT=41425 DPT=53 LEN=128
Dec 28 22:04:02 r13151 named-sdb[24511]: zone fakessh.eu/IN: setting keywarntime to 1294213060 - 7 days
Dec 28 22:04:03 r13151 kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=94.23.60.214 DST=88.191.64.64 LEN=148 TOS=0x00 PREC=0x00 TTL=64 ID=14119 PROTO=UDP SPT=35445 DPT=53 LEN=128
Dec 28 22:04:03 r13151 named-sdb[24511]: zone nicolaspichot.fr/IN: sending notifies (serial 2010120601)
Dec 28 22:04:03 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file nicolaspichot.fr/DSA/37015: file not found
Dec 28 22:04:03 r13151 named-sdb[24511]: /var/named/fakessh.eu.hosts.jnl: create: permission denied
Dec 28 22:04:03 r13151 named-sdb[24511]: zone fakessh.eu/IN: zone_resigninc:dns_journal_open -> unexpected error
Dec 28 22:04:03 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file nicolaspichot.fr/DSA/7246: file not found
Dec 28 22:04:03 r13151 named-sdb[24511]: zone renelacroute.fr/IN: sending notifies (serial 2010120601)
Dec 28 22:04:03 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file fakessh.eu/DSA/9552: file not found
Dec 28 22:04:04 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file fakessh.eu/DSA/47103: file not found
Dec 28 22:04:04 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file renelacroute.fr/DSA/64823: file not found
Dec 28 22:04:04 r13151 named-sdb[24511]: /var/named/nicolaspichot.fr.hosts.jnl: create: permission denied
Dec 28 22:04:04 r13151 named-sdb[24511]: zone fakessh.eu/IN: zone_resigninc:dns_db_getsigningtime -> not found
Dec 28 22:04:04 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file renelacroute.fr/DSA/57237: file not found
Dec 28 22:04:04 r13151 named-sdb[24511]: zone nicolaspichot.fr/IN: zone_resigninc:dns_journal_open -> unexpected error
Dec 28 22:04:04 r13151 named-sdb[24511]: zone renelacroute.fr/IN: setting keywarntime to 1294212898 - 7 days
Dec 28 22:04:04 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file nicolaspichot.fr/DSA/37015: file not found
Dec 28 22:04:05 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file nicolaspichot.fr/DSA/7246: file not found
Dec 28 22:04:05 r13151 named-sdb[24511]: /var/named/renelacroute.fr.hosts.jnl: create: permission denied
Dec 28 22:04:05 r13151 named-sdb[24511]: zone nicolaspichot.fr/IN: zone_resigninc:dns_db_getsigningtime -> not found
Dec 28 22:04:05 r13151 named-sdb[24511]: zone renelacroute.fr/IN: zone_resigninc:dns_journal_open -> unexpected error
>
> gpg --keyserver pgp.mit.edu --recv-key 092164A7
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
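As an added example (not from this post, the list reply, or BIND itself), a small Python checker that reads named log lines like the ones above and maps the two failures that block auto-dnssec maintain to their cause: the zone journal (.jnl) cannot be created because named cannot write to the zone directory, and the .private key file named expects in key-directory is missing. The sample lines are copied from the log above; the algorithm-number table and the K<zone>.+<alg>+<tag>.private file name follow BIND's standard dnssec-keygen naming.

```python
import re

# Constructed sample: a few lines copied from the named log in the post above.
SAMPLE_LOG = """\
Dec 28 22:04:02 r13151 named-sdb[24511]: /var/named/renelacroute.fr.hosts.jnl: create: permission denied
Dec 28 22:04:02 r13151 named-sdb[24511]: zone nicolaspichot.fr/IN: zone_resigninc:dns_journal_open -> unexpected error
Dec 28 22:04:02 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file fakessh.eu/DSA/9552: file not found
Dec 28 22:04:02 r13151 named-sdb[24511]: zone r13151.ovh.net/IN: sending notifies (serial 2010111401)
Dec 28 22:04:04 r13151 named-sdb[24511]: zone fakessh.eu/IN: zone_resigninc:dns_db_getsigningtime -> not found
"""

# DNSSEC algorithm mnemonics as BIND prints them, with their IANA numbers
# (the number is what appears in the key file name).
ALG_NUMBERS = {"RSAMD5": 1, "DSA": 3, "RSASHA1": 5, "NSEC3DSA": 6,
               "NSEC3RSASHA1": 7, "RSASHA256": 8, "RSASHA512": 10}

JOURNAL_RE = re.compile(
    r"named\S*\[\d+\]: (?P<path>\S+\.jnl): create: permission denied")
KEY_RE = re.compile(
    r"error reading private key file (?P<zone>[^/]+)/(?P<alg>[A-Z0-9]+)/(?P<tag>\d+): file not found")


def key_file_name(zone, alg, tag):
    """Return the K<zone>.+<alg>+<tag>.private name named looks for in key-directory."""
    return "K%s.+%03d+%05d.private" % (zone, ALG_NUMBERS[alg], int(tag))


def diagnose(log_text):
    """Map each re-signing failure in the log to (kind, object, suggested fix)."""
    findings = []
    for line in log_text.splitlines():
        m = JOURNAL_RE.search(line)
        if m:
            path = m.group("path")
            findings.append(("journal_unwritable", path,
                             "the directory holding %s must be writable by the named user; "
                             "auto-dnssec maintain records re-signed RRSIGs in the journal" % path))
            continue
        m = KEY_RE.search(line)
        if m:
            fname = key_file_name(m.group("zone"), m.group("alg"), m.group("tag"))
            findings.append(("private_key_missing", fname,
                             "place %s, readable by named, in the zone's key-directory" % fname))
    return findings


if __name__ == "__main__":
    for kind, obj, fix in diagnose(SAMPLE_LOG):
        print("%s: %s -> %s" % (kind, obj, fix))
```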