bind 9.7.1 tries to automatically resign non-dynamic zones

Paul B. Henson henson at acm.org
Sun Aug 29 17:43:12 UTC 2010


We're prototyping dnssec with bind 9.7.1, and ran into a strange issue
where it looks like bind is trying to automatically resign non-dynamic
zones when the signatures are going to expire.

Our zones are signed by an external process, and all bind is supposed to do
is serve them 8-/. Zones are signed whenever contents change, or at least
monthly to prevent the signatures from expiring. One of the zones hadn't
been changed all month so far, and the signatures were only valid for 7
more days, when suddenly these errors popped up in the logs:

Aug 28 10:33:37 atlas named[4001]: dns_dnssec_findzonekeys2: error reading
private key file calpolypomona.org/RSASHA256/19218: file not found
Aug 28 10:33:37 atlas named[4001]: dns_dnssec_findzonekeys2: error reading
private key file calpolypomona.org/RSASHA256/10476: file not found
Aug 28 10:33:37 atlas named[4001]: dns_dnssec_findzonekeys2: error reading
private key file calpolypomona.org/RSASHA256/60885: file not found
Aug 28 10:33:37 atlas named[4001]: dns_dnssec_findzonekeys2: error reading
private key file calpolypomona.org/RSASHA256/60649: file not found
Aug 28 10:33:37 atlas named[4001]: dns_dnssec_findzonekeys2: error reading
private key file calpolypomona.org/RSASHA256/18097: file not found
Aug 28 10:33:37 atlas named[4001]:
/var/lib/bind/cpp/calpolypomona.org_external.jnl: create: permission denied
Aug 28 10:33:37 atlas named[4001]: zone calpolypomona.org/IN/external:
zone_resigninc:dns_journal_open -> unexpected error
Aug 28 10:33:37 atlas named[4001]: zone calpolypomona.org/IN/external:
sending notifies (serial 2010080101)
Aug 28 10:33:53 atlas named[4001]: dns_dnssec_findzonekeys2: error reading
private key file calpolypomona.org/RSASHA256/19218: file not found
Aug 28 10:33:53 atlas named[4001]: dns_dnssec_findzonekeys2: error reading
private key file calpolypomona.org/RSASHA256/10476: file not found
Aug 28 10:33:53 atlas named[4001]: dns_dnssec_findzonekeys2: error reading
private key file calpolypomona.org/RSASHA256/60885: file not found
Aug 28 10:33:53 atlas named[4001]: dns_dnssec_findzonekeys2: error reading
private key file calpolypomona.org/RSASHA256/60649: file not found
Aug 28 10:33:53 atlas named[4001]: dns_dnssec_findzonekeys2: error reading
private key file calpolypomona.org/RSASHA256/18097: file not found
Aug 28 10:33:53 atlas named[4001]:
/var/lib/bind/cpp/calpolypomona.org_external.jnl: create: permission denied
Aug 28 10:33:53 atlas named[4001]: zone calpolypomona.org/IN/external:
zone_resigninc:dns_journal_open -> unexpected error
Aug 28 10:33:53 atlas named[4001]: zone calpolypomona.org/IN/external:
sending notifies (serial 2010080102)
[...]
Aug 28 10:35:14 atlas named[4001]: zone calpolypomona.org/IN/external:
setting keywarntime to 1283664914 - 7 days

It seems like it noticed there were only 7 days of signature validity left,
and decided it would just go ahead and resign. The zones are *not* dynamic;
the bind service account (as demonstrated by the permission denied errors)
doesn't even have write permission on the directories in which the zone
files are stored. The authoritative serial in the file on disk is
2010080100, yet it started bumping the serial on the zone in memory higher
(and passing that on to the secondaries, which would have broken any actual
updates that might have been performed).

From reviewing the manual, this behavior should only occur if the zones are
dynamic *and* auto-dnssec is enabled, neither of which is true.

Bug?

Thanks...


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson at csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
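A monitoring script for the situation described in this message, added here as an illustration (it is not the poster's code and not part of BIND): it parses an externally signed zone file for RRSIG expirations and the on-disk SOA serial, scans named log lines in the format shown above for the errors that indicate an in-process re-sign attempt, and flags a served serial (from the "sending notifies" lines) that has drifted away from the file. The zone file contents, names, serial, dates and the log lines are constructed sample data patterned after the report; the parser assumes one record per line as dnssec-signzone writes, and the serial comparison assumes a non-dynamic zone whose file on disk is the only legitimate source of serial changes.

```python
"""
Watchdog for an externally signed BIND zone: warns when RRSIG validity is
running low, spots named trying to re-sign the zone in-process, and detects
a served serial that has drifted away from the serial on disk.
"""
import re
from datetime import datetime, timezone

# Constructed sample of a signed zone file (one record per line, as
# dnssec-signzone writes it). Names, serial, dates and signatures are made up.
SAMPLE_ZONE = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2010080100 7200 3600 1209600 3600
example.org. 3600 IN RRSIG SOA 8 2 3600 20100905173337 20100806173337 19218 example.org. AbCd==
example.org. 3600 IN NS ns1.example.org.
example.org. 3600 IN RRSIG NS 8 2 3600 20100905173337 20100806173337 19218 example.org. EfGh==
www.example.org. 300 IN A 192.0.2.10
www.example.org. 300 IN RRSIG A 8 3 300 20100907000000 20100808000000 19218 example.org. IjKl==
"""

# Constructed log lines in the same format as the report above.
SAMPLE_LOG = [
    "Aug 28 10:33:37 atlas named[4001]: dns_dnssec_findzonekeys2: error reading private key file example.org/RSASHA256/19218: file not found",
    "Aug 28 10:33:37 atlas named[4001]: /var/lib/bind/example.org.jnl: create: permission denied",
    "Aug 28 10:33:37 atlas named[4001]: zone example.org/IN/external: zone_resigninc:dns_journal_open -> unexpected error",
    "Aug 28 10:33:37 atlas named[4001]: zone example.org/IN/external: sending notifies (serial 2010080101)",
    "Aug 28 10:33:53 atlas named[4001]: zone example.org/IN/external: sending notifies (serial 2010080102)",
    "Aug 28 10:35:14 atlas named[4001]: zone example.org/IN/external: setting keywarntime to 1283664914 - 7 days",
]

# Point in time the check is evaluated at (the date of the report, UTC).
REPORT_TIME = datetime(2010, 8, 29, 17, 43, 12, tzinfo=timezone.utc)

SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d+)")
# RRSIG: type alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^\S+\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+(\d+)")
NOTIFY_RE = re.compile(r"zone ([^\s/]+)\S*: sending notifies \(serial (\d+)\)")
# Substrings that, on a zone named should never sign itself, mean it tried to.
RESIGN_MARKERS = ("dns_dnssec_findzonekeys2", "zone_resigninc",
                  ".jnl: create: permission denied")


def parse_zone(text):
    """Return (origin, SOA serial, [(covered type, expiration UTC, keytag), ...])."""
    origin, serial, rrsigs = None, None, []
    for line in text.splitlines():
        m = SOA_RE.match(line)
        if m:
            origin, serial = m.group(1).rstrip("."), int(m.group(2))
            continue
        m = RRSIG_RE.match(line)
        if m:
            exp = datetime.strptime(m.group(2), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            rrsigs.append((m.group(1), exp, int(m.group(4))))
    return origin, serial, rrsigs


def days_until_first_expiry(rrsigs, now):
    """Days until the earliest RRSIG in the zone stops validating."""
    earliest = min(exp for _, exp, _ in rrsigs)
    return (earliest - now).total_seconds() / 86400.0


def scan_log(lines):
    """Return (lines showing an in-process re-sign attempt, {zone: highest notified serial})."""
    attempts = [l for l in lines if any(mark in l for mark in RESIGN_MARKERS)]
    notified = {}
    for l in lines:
        m = NOTIFY_RE.search(l)
        if m:
            zone, serial = m.group(1), int(m.group(2))
            notified[zone] = max(serial, notified.get(zone, 0))
    return attempts, notified


def check(zone_text, log_lines, now, warn_days=7):
    """Return a list of human-readable findings; empty means all is well."""
    origin, disk_serial, rrsigs = parse_zone(zone_text)
    findings = []
    remaining = days_until_first_expiry(rrsigs, now)
    if remaining < warn_days:
        findings.append(f"{origin}: earliest RRSIG expires in {remaining:.1f} days; "
                        f"external re-sign is due")
    attempts, notified = scan_log(log_lines)
    if attempts:
        findings.append(f"{len(attempts)} log lines show named attempting to re-sign in-process")
    served = notified.get(origin)
    # For a non-dynamic zone the file is authoritative: any other served serial is drift.
    if served is not None and served != disk_serial:
        findings.append(f"{origin}: served serial {served} != on-disk serial {disk_serial}")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_ZONE, SAMPLE_LOG, REPORT_TIME):
        print("WARN", finding)
```

Run against the sample data it reports three findings: signatures expiring in just under 7 days, three log lines showing a re-sign attempt, and a served serial of 2010080102 against 2010080100 on disk. In production the zone text and log lines would come from the signed zone file and the named log respectively, and the serial drift finding is the one that catches the secondaries being fed a serial the signing process never produced.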
