auto update signatures dnssec

fakessh @ fakessh at fakessh.eu
Tue Dec 28 21:15:22 UTC 2010


sorry for the top box on alan clegg
On Monday, 27 December 2010 at 08:48 -0500, Alan Clegg wrote:
> On 12/27/2010 1:07 AM, fakessh wrote:
> 
> > good day and merry christmas.
> 
> Thanks, and to you as well.
> 
> > I just put in place guidelines in bind config to update the signatures
> > dnssec
> > I'm looking for options that require the least amount of maintenance so that
> > all updates of signatures are performed without any external intervention
> > 
> > i quote my named conf
> > 
> > zone "fakessh.eu" {
> >         type master;
> >         file "/var/named/fakessh.eu.hosts";
> >         auto-dnssec maintain;
> >         update-policy local;
> >         key-directory "/var/named/keyset-fakessh.eu";
> >         allow-transfer {  213.251.188.140;87.98.164.164;
> > 195.234.42.1;94.23.59.30; };
> >         };
> > 
> > is what the guidelines are good options
> 
> A bit more interesting is the command that you used to sign the zone.
> When signatures reach 3/4 lifetime, the associated record is
> automatically re-signed.
> 
> Additionally, when new keys are made available signatures will be created
> based on the timing meta-data in the keys.
> 
> Overall, the defaults seem to be "good enough" for nearly everyone.
> 
> AlanC


hello responsible bind community. 

you gave me the answer, thank you to my question but I am having new
problems. 

I encounter errors during the self resignatures

I quote my multiple errors:

I do not know what it is


Dec 28 22:04:02 r13151 named-sdb[24511]: /var/named/renelacroute.fr.hosts.jnl: create: permission denied
Dec 28 22:04:02 r13151 named-sdb[24511]: zone nicolaspichot.fr/IN: zone_resigninc:dns_journal_open -> unexpected error
Dec 28 22:04:02 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file fakessh.eu/DSA/9552: file not found
Dec 28 22:04:02 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file fakessh.eu/DSA/47103: file not found
Dec 28 22:04:02 r13151 named-sdb[24511]: zone r13151.ovh.net/IN: sending notifies (serial 2010111401)
Dec 28 22:04:02 r13151 named-sdb[24511]: zone renelacroute.fr/IN: zone_resigninc:dns_journal_open -> unexpected error
Dec 28 22:04:02 r13151 kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=94.23.60.214 DST=88.191.64.64 LEN=148 TOS=0x00 PREC=0x00 TTL=64 ID=14118 PROTO=UDP SPT=41425 DPT=53 LEN=128
Dec 28 22:04:02 r13151 named-sdb[24511]: zone fakessh.eu/IN: setting keywarntime to 1294213060 - 7 days
Dec 28 22:04:03 r13151 kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=94.23.60.214 DST=88.191.64.64 LEN=148 TOS=0x00 PREC=0x00 TTL=64 ID=14119 PROTO=UDP SPT=35445 DPT=53 LEN=128
Dec 28 22:04:03 r13151 named-sdb[24511]: zone nicolaspichot.fr/IN: sending notifies (serial 2010120601)
Dec 28 22:04:03 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file nicolaspichot.fr/DSA/37015: file not found
Dec 28 22:04:03 r13151 named-sdb[24511]: /var/named/fakessh.eu.hosts.jnl: create: permission denied
Dec 28 22:04:03 r13151 named-sdb[24511]: zone fakessh.eu/IN: zone_resigninc:dns_journal_open -> unexpected error
Dec 28 22:04:03 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file nicolaspichot.fr/DSA/7246: file not found
Dec 28 22:04:03 r13151 named-sdb[24511]: zone renelacroute.fr/IN: sending notifies (serial 2010120601)
Dec 28 22:04:03 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file fakessh.eu/DSA/9552: file not found
Dec 28 22:04:04 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file fakessh.eu/DSA/47103: file not found
Dec 28 22:04:04 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file renelacroute.fr/DSA/64823: file not found
Dec 28 22:04:04 r13151 named-sdb[24511]: /var/named/nicolaspichot.fr.hosts.jnl: create: permission denied
Dec 28 22:04:04 r13151 named-sdb[24511]: zone fakessh.eu/IN: zone_resigninc:dns_db_getsigningtime -> not found
Dec 28 22:04:04 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file renelacroute.fr/DSA/57237: file not found
Dec 28 22:04:04 r13151 named-sdb[24511]: zone nicolaspichot.fr/IN: zone_resigninc:dns_journal_open -> unexpected error
Dec 28 22:04:04 r13151 named-sdb[24511]: zone renelacroute.fr/IN: setting keywarntime to 1294212898 - 7 days
Dec 28 22:04:04 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file nicolaspichot.fr/DSA/37015: file not found
Dec 28 22:04:05 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file nicolaspichot.fr/DSA/7246: file not found
Dec 28 22:04:05 r13151 named-sdb[24511]: /var/named/renelacroute.fr.hosts.jnl: create: permission denied
Dec 28 22:04:05 r13151 named-sdb[24511]: zone nicolaspichot.fr/IN: zone_resigninc:dns_db_getsigningtime -> not found
Dec 28 22:04:05 r13151 named-sdb[24511]: zone renelacroute.fr/IN: zone_resigninc:dns_journal_open -> unexpected error




> 
> gpg --keyserver pgp.mit.edu --recv-key 092164A7
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
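An added diagnostic for the two failure classes in the log above (example code written for this page, not code from the post or from BIND): it maps each "error reading private key file <zone>/<alg>/<id>" entry to the K<zone>.+<alg>+<id>.private file name that named looks for under key-directory, and lists the directories that must be writable for the .jnl journal to be created. The sample log is constructed from four of the post's entries re-joined onto single lines; the algorithm-number table and the file-name layout are the standard DNSSEC/BIND conventions.

```python
import os
import re
import sys

# IANA DNSSEC algorithm numbers for the mnemonics BIND prints in its log
ALGORITHM_NUMBERS = {"DSA": 3, "RSASHA1": 5, "NSEC3DSA": 6, "NSEC3RSASHA1": 7,
                     "RSASHA256": 8, "RSASHA512": 10, "ECDSAP256SHA256": 13}

KEY_RE = re.compile(r"error reading private key file ([^\s/]+)/([A-Z0-9]+)/(\d+): file not found")
JNL_RE = re.compile(r"(\S+\.jnl): create: permission denied")

# Constructed sample: four entries from the post, each re-joined onto one line
SAMPLE_LOG = """\
Dec 28 22:04:02 r13151 named-sdb[24511]: /var/named/renelacroute.fr.hosts.jnl: create: permission denied
Dec 28 22:04:02 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file fakessh.eu/DSA/9552: file not found
Dec 28 22:04:02 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file fakessh.eu/DSA/47103: file not found
Dec 28 22:04:03 r13151 named-sdb[24511]: /var/named/fakessh.eu.hosts.jnl: create: permission denied
"""

def private_key_filename(zone, algorithm, key_id):
    """On-disk name BIND uses for a zone key: K<zone>.+<alg>+<id>.private."""
    return "K%s.+%03d+%05d.private" % (zone.rstrip("."), ALGORITHM_NUMBERS[algorithm], int(key_id))

def missing_private_keys(log_text, present_files):
    """Key files named could not read that are still absent from the key directory."""
    wanted = {private_key_filename(z, a, k) for z, a, k in KEY_RE.findall(log_text)}
    return sorted(wanted - set(present_files))

def journal_dirs_needing_write(log_text):
    """Directories that must be writable by named: the journal is created beside the zone file."""
    return sorted({os.path.dirname(p) for p in JNL_RE.findall(log_text)})

if __name__ == "__main__":
    # Usage: python check_dnssec_maint.py <syslog file> <key-directory>
    # Run it as the user named runs as, since the write check uses the caller's permissions.
    log_text = open(sys.argv[1]).read()
    key_dir = sys.argv[2]
    for name in missing_private_keys(log_text, os.listdir(key_dir)):
        print("missing key file: %s/%s" % (key_dir, name))
    for d in journal_dirs_needing_write(log_text):
        if not os.access(d, os.W_OK):
            print("not writable by this user: %s" % d)
```

A key whose .private file is absent cannot be used for re-signing even when its .key file is present, so a hit here means the key was generated elsewhere or the key-directory in named.conf points at the wrong place.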