inline dnssec loadkeys fails

John W. Blue john.blue at rrcic.com
Sun Dec 20 02:04:15 UTC 2015


Brad,

FWIW, I personally like to reconfig then flush. Not that it will help you with the issue at hand, but for me it keeps any blackholed domains from getting into cache.

John


From: Brad S <chronicjoker2u at yahoo.com>
Sent: Dec 19, 2015 6:54 PM
To: bind-users at lists.isc.org;marka at isc.org
Subject: inline dnssec loadkeys fails

I am using the exact same rndc method to load inline signing keys as what worked yesterday, but today the same steps are failing. A stuck key?


[\u at yoda:/usr/local/etc/namedb] # rndc flush
[\u at yoda:/usr/local/etc/namedb] # rndc reconfig
[\u at yoda:/usr/local/etc/namedb] # rndc addzone domain.com in external '{type master; auto-dnssec maintain; inline-signing yes; key-directory "/home/mailer-domains/domain.com/"; file "/home/mailer-domains/domain.com/domain.com.external"; update-policy { grant ddns-key zonesub ANY; };};'
[\u at yoda:/usr/local/etc/namedb] # rndc loadkeys domain.com
[\u at yoda:/usr/local/etc/namedb] # rndc signing -nsec3param 1 0 10 03F92714 domain.com.

[\u at yoda:/usr/local/etc/namedb] # rndc zonestatus domain.com
name: domain.com
type: master
files: /home/mailer-domains/domain.com/domain.com.external
serial: 2015121923
signed serial: 2015121931
nodes: 9
last loaded: Sun, 20 Dec 2015 00:07:01 GMT
secure: no
key maintenance: automatic
next key event: Sun, 20 Dec 2015 01:18:20 GMT
dynamic: yes
frozen: no


error:
20-Dec-2015 01:30:56.735 general: info: received control channel command 'signing -nsec3param 1 0 10 03F92714 domain.com.'
20-Dec-2015 01:30:56.735 general: debug 1: setnsec3param: zone domain.com/IN/external (signed): enter
20-Dec-2015 01:30:56.735 general: error: zone domain.com/IN/external (signed): could not get zone keys for secure dynamic update


The keys are present, valid and have correct permissions. No other errors.
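
The message above reports "could not get zone keys" while stating that the key files are present and readable. One way to check those preconditions against the key-directory, as an added example that is not part of the original thread: it assumes BIND's standard `K<zone>.+<alg>+<id>.key` / `.private` file naming, and the function name `check_zone_keys` is hypothetical.

```shell
#!/bin/sh
# Added example: report which DNSSEC key pairs in a key-directory are usable.
# Run it as the account named runs under (assumption), so that the -r tests
# reflect what named itself can read.
# Usage: check_zone_keys domain.com /home/mailer-domains/domain.com/

# check_zone_keys ZONE KEYDIR
# Prints one line per key pair, then "ksk=N zsk=N" counting pairs whose
# .key and .private files are both readable. Returns 1 if no pair is usable.
check_zone_keys() {
    zone=${1%.}                     # accept "domain.com" or "domain.com."
    dir=$2
    ksk=0 zsk=0
    for key in "$dir"/K"$zone".+*+*.key; do
        [ -e "$key" ] || continue   # glob matched nothing
        priv=${key%.key}.private
        if [ ! -r "$key" ] || [ ! -r "$priv" ]; then
            echo "UNUSABLE ${key##*/}: .key or .private missing or not readable"
            continue
        fi
        # The field after "DNSKEY" is the flags value:
        # 257 = key-signing key, 256 = zone-signing key.
        flags=$(awk '!/^;/ { for (i = 1; i < NF; i++)
                     if ($i == "DNSKEY") { print $(i + 1); exit } }' "$key")
        case $flags in
            257) ksk=$((ksk + 1)); role=KSK ;;
            256) zsk=$((zsk + 1)); role=ZSK ;;
            *)   echo "SKIPPED ${key##*/}: unexpected flags '$flags'"
                 continue ;;
        esac
        echo "OK $role ${key##*/}"
    done
    echo "ksk=$ksk zsk=$zsk"
    [ $((ksk + zsk)) -gt 0 ]
}
```

A public key whose `.private` half is missing or unreadable is counted as unusable, since signing needs the private key.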