named is not finding the keys for DNSSEC
Andreas Meyer
a.meyer at nimmini.de
Wed Aug 3 22:22:56 UTC 2016
Hello!
That makes no difference.
dns_dnssec_keylistfromrdataset: error reading private key file bitcorner.de/RSASHA1/16938: file not found
I think it must have something to do with the name itself, could it be?
The key is named Kbitcorner.de.+005+16938.private but named is looking for
a key named bitcorner.de/RSASHA1/16938 or is it just substituting?
There are also other private keys in the keys folder but named complains
about these two private keys only. All private keys have permissions -rw-------
Aug 4 00:09:22 bitmachine1 named[8460]: running
Aug 4 00:09:22 bitmachine1 named[8460]: zone bitcorner.de/IN: sending notifies (serial 2016080306)
Aug 4 00:09:22 bitmachine1 named[8460]: zone bitcorner.de/IN: reconfiguring zone keys
Aug 4 00:09:22 bitmachine1 named[8460]: dns_dnssec_keylistfromrdataset: error reading private key file bitcorner.de/RSASHA1/16938: file not found
Aug 4 00:09:22 bitmachine1 named[8460]: dns_dnssec_keylistfromrdataset: error reading private key file bitcorner.de/RSASHA1/20464: file not found
Aug 4 00:09:22 bitmachine1 named[8460]: zone bitcorner.de/IN: next key event: 04-Aug-2016 01:09:22.432
Also I don't understand what "zone bitcorner.de/IN: reconfiguring zone keys" means.
Meanwhile I was able to sign the zones, the error remains.
Greetings
Andreas
Volker Janzen <volker at janzen.onl> wrote on 03.08.16 at 17:58:46:
> Hi,
>
> you need to 'chown named' the keyfiles. The bind process is unable to read the files belonging to root.
>
>
> Regards
> Volker
>
>
> > On 03.08.2016 at 18:33, Andreas Meyer <a.meyer at nimmini.de> wrote:
> >
> > Hello!
> >
> > Just subscribed to the list. I wanted to implement DNSSEC
> > with bind but have no luck with this one.
> >
> > When named starts it says it can't read the private keys.
> >
> > dns_dnssec_keylistfromrdataset: error reading private key file bitcorner.de/RSASHA1/16938: file not found
> > dns_dnssec_keylistfromrdataset: error reading private key file bitcorner.de/RSASHA1/20464: file not found
> >
> > The keyfolder looks like this:
> >
> > -rw-r--r-- 1 root root 433 3. Aug 17:32 Kbitcorner.de.+005+16938.key
> > -rw------- 1 root root 1010 3. Aug 17:32 Kbitcorner.de.+005+16938.private
> > -rw-r--r-- 1 root root 607 3. Aug 17:33 Kbitcorner.de.+005+20464.key
> > -rw------- 1 root root 1774 3. Aug 17:33 Kbitcorner.de.+005+20464.private
> > -rw-r--r-- 1 named named 728 3. Aug 17:39 managed-keys.bind
> > -rw-r--r-- 1 named named 512 3. Aug 17:39 managed-keys.bind.jnl
> >
> > # ps aux |grep named
> > named 1458 0.0 1.1 186264 23896 ? Ssl 17:38 0:00 /usr/sbin/named -u named
> >
> > Signing of a domain fails:
> >
> > # dnssec-signzone -K /var/lib/named/keys -e +3024000 -N INCREMENT master/bitcorner.de.zone
> > dnssec-signzone: fatal: No signing keys specified or found.
> >
> > I'm confused. Why does named look for a key bitcorner.de/RSASHA1/16938 although it is
> > named Kbitcorner.de.+005+16938.private ?
> >
> > I took named out of the chroot but that changes nothing.
> >
> > Glad about every hint!
> >
> > Andreas
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
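The two names in this thread refer to the same key: named logs a key in its display form, <zone>/<algorithm mnemonic>/<key id>, while dnssec-keygen writes the file as K<zone>.+<algorithm number, 3 digits>+<key id, 5 digits>.private (RSASHA1 is algorithm 5, hence +005+). The script below is an added example, written for this page and not taken from the thread or from BIND: it maps a logged reference back to the file name, pulls such references out of named log lines, and reports whether the account named runs as (the -u named user) could open the file, which is the ownership problem Volker points at. The key directory passed in must be the one named actually searches, its key-directory option (by default the directory option), and the sample log lines are reconstructed from the ones Andreas posted.

```shell
#!/bin/sh
# Added example (not from the thread or from BIND itself): translate the key
# reference named prints, "<zone>/<ALGORITHM>/<keyid>", into the on-disk name
# dnssec-keygen uses, "K<zone>.+<alg>+<keyid>.private", and report whether the
# account named runs as (-u named) could read that file.

# DNSSEC algorithm mnemonic -> IANA number (the 3-digit field in the file name).
dnssec_alg_number() {
  case "$1" in
    RSASHA1)            echo 5 ;;
    RSASHA1-NSEC3-SHA1) echo 7 ;;
    RSASHA256)          echo 8 ;;
    RSASHA512)          echo 10 ;;
    ECDSAP256SHA256)    echo 13 ;;
    ECDSAP384SHA384)    echo 14 ;;
    ED25519)            echo 15 ;;
    ED448)              echo 16 ;;
    *) return 1 ;;
  esac
}

# "bitcorner.de/RSASHA1/16938" -> "Kbitcorner.de.+005+16938.private"
dnssec_key_filename() {
  ref="$1"
  zone="${ref%%/*}"; rest="${ref#*/}"
  alg="${rest%%/*}"; keyid="${rest#*/}"
  algnum=$(dnssec_alg_number "$alg") || return 1
  # The zone is written as an absolute name (trailing dot); alg and id are zero-padded.
  printf 'K%s.+%03d+%05d.private\n' "${zone%.}" "$algnum" "$keyid"
}

# Pull every "<zone>/<ALG>/<keyid>" reference out of named log lines on stdin.
dnssec_refs_from_log() {
  sed -n 's/.*error reading private key file \([^:]*\): file not found.*/\1/p'
}

# Check KEYDIR/<file> for REF as USER would see it. Prints one line starting with
# "missing", "unreadable", "exposed" (readable, but world-readable) or "ok".
# Exit status is 0 only for "ok" and "exposed". Root bypasses these mode bits,
# but named -u named has already dropped root when it loads its keys.
dnssec_check_key_access() {
  keydir="$1"; ref="$2"; user="$3"
  file=$(dnssec_key_filename "$ref") || { echo "bad reference: $ref"; return 2; }
  path="$keydir/$file"
  [ -e "$path" ] || { echo "missing: $path"; return 1; }
  # ls -l columns 1, 3 and 4 (mode, owner, group) are stable across platforms.
  set -- $(ls -ld "$path")
  mode="$1"; owner="$3"; group="$4"
  owner_r=$(printf '%s' "$mode" | cut -c2)
  group_r=$(printf '%s' "$mode" | cut -c5)
  other_r=$(printf '%s' "$mode" | cut -c8)
  if [ "$other_r" = r ]; then
    echo "exposed: $path is world-readable ($mode); a private key should be 0600 $user"
    return 0
  fi
  if [ "$owner" = "$user" ] && [ "$owner_r" = r ]; then
    echo "ok: $path"
    return 0
  fi
  if [ "$group_r" = r ]; then
    for g in $(id -Gn "$user" 2>/dev/null); do
      if [ "$g" = "$group" ]; then
        echo "ok: $path (readable via group $g)"
        return 0
      fi
    done
  fi
  echo "unreadable: $path is $mode $owner:$group, but named runs as $user"
  return 1
}

# Constructed sample, reconstructed from the lines posted in the thread.
SAMPLE_NAMED_LOG='Aug  4 00:09:22 bitmachine1 named[8460]: zone bitcorner.de/IN: reconfiguring zone keys
Aug  4 00:09:22 bitmachine1 named[8460]: dns_dnssec_keylistfromrdataset: error reading private key file bitcorner.de/RSASHA1/16938: file not found
Aug  4 00:09:22 bitmachine1 named[8460]: dns_dnssec_keylistfromrdataset: error reading private key file bitcorner.de/RSASHA1/20464: file not found'

# Usage on a real host (key directory and user as in the thread):
#   printf '%s\n' "$SAMPLE_NAMED_LOG" | dnssec_refs_from_log |
#     while read -r ref; do dnssec_check_key_access /var/lib/named/keys "$ref" named; done
```

A root-owned -rw------- file, as in the listing Andreas posted, comes out as "unreadable" for the named user; the fix is the chown Volker suggests, keeping the mode at 0600 so the "exposed" case never appears.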