"auto-dnssec maintain;" and key "missing or inactive and has no replacement"

David Newman dnewman at networktest.com
Wed Jul 24 16:58:08 UTC 2013



On 7/24/13 2:29 AM, Stephane Bortzmeyer wrote:
> I'm trying "auto-dnssec maintain;" with a BIND 9.9.3-P1. My
> configuration is:
> 
> options {
>         directory "/tmp/bind";
> 	key-directory "/tmp/bind"; 

Not sure if this is the problem, but have you tried with
"managed-keys-directory" in options instead of "key-directory"?

You would still use "key-directory" in each zone statement.

Per the Bind 9 docs, there's a small difference between the two:

http://dotat.at/tmp/arm98/Bv9ARM.ch06.html

key-directory

    When performing dynamic update of secure zones, the directory where
the public and private DNSSEC key files should be found, if different
than the current working directory. (Note that this option has no effect
on the paths for files containing non-DNSSEC keys such as bind.keys,
rndc.key or session.key.)

managed-keys-directory

    The directory used to hold the files used to track managed keys. By
default it is the working directory. If there are no views then the file
managed-keys.bind is used, otherwise a SHA256 hash of the view name is used with
.mkeys extension added.

dn


> };
> 
> 
> zone "example" {
>         type master;
>         file "example";
> 	inline-signing yes;
>         auto-dnssec maintain;
> };
> 
> Apparently, everything works. The key I created and put in /tmp/bind
> is used, the zone is signed, everyone is happy.
> 
> But I get messages:
> 
> 24-Jul-2013 07:39:25.480 zone example/IN (signed): Key example/RSASHA256/46747 missing or inactive and has no replacement: retaining signatures.
> 
> Which I do not understand. The key is there:
> 
> % ls -lt /tmp/bind/Kexample.+008+46747*
> -rw-r--r-- 1 bortzmeyer bortzmeyer  597 Jul 23 12:02 /tmp/bind/Kexample.+008+46747.key
> -rw------- 1 bortzmeyer bortzmeyer 1776 Jul 23 12:02 /tmp/bind/Kexample.+008+46747.private
> 
> And is certainly active:
> 
> % cat /tmp/bind/Kexample.+008+46747.key 
> ; This is a key-signing key, keyid 46747, for example.
> ; Created: 20130723100005 (Tue Jul 23 12:00:05 2013)
> ; Publish: 20130723100005 (Tue Jul 23 12:00:05 2013)
> ; Activate: 20130723070226 (Tue Jul 23 09:02:26 2013)
> ...
> 
> And, despite the message "retaining signatures", signatures *are*
> regenerated periodically, even after the warning:
> 
> example.		600 IN RRSIG DNSKEY 8 1 600 20130725045802 (
> 				20130724043925 46747 example.
> 				rkNJdCp8PV3PzEsVc6efh/mBY3eHZcL3712ELD2g7gte
> ...
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 
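As an added example (not part of the thread), a small Python checker for the two things the quoted log line hinges on: whether the key's Publish/Activate/Inactive timestamps make it active at the moment of the warning, and whether named can actually read the .private file (listed above as mode 0600 owned by the user's own account). The sample key text reuses the timing lines quoted above; uid 53 for named and the second sample's Inactive date are constructed assumptions.

```python
"""Check a BIND DNSSEC key pair: timing metadata in the .key file, readability of the .private file."""
import re
import stat
from datetime import datetime, timezone
# Constructed sample, reusing the timing lines quoted in the original message (keyid 46747).
SAMPLE_KEY = """\
; This is a key-signing key, keyid 46747, for example.
; Created: 20130723100005 (Tue Jul 23 12:00:05 2013)
; Publish: 20130723100005 (Tue Jul 23 12:00:05 2013)
; Activate: 20130723070226 (Tue Jul 23 09:02:26 2013)
"""
# Second constructed sample: the same key with an Inactive date that has already passed.
SAMPLE_RETIRED = SAMPLE_KEY + "; Inactive: 20130724000000 (Wed Jul 24 02:00:00 2013)\n"

EVENTS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")
_TIMING = re.compile(r"^;\s*(\w+):\s*(\d{14})")

def _ts(s):  # BIND writes timing events as YYYYMMDDHHMMSS, always in UTC
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_key_metadata(text):
    """Return {event: aware UTC datetime} for each timing comment line in a .key file."""
    meta = {}
    for line in text.splitlines():
        m = _TIMING.match(line)
        if m and m.group(1) in EVENTS:
            meta[m.group(1)] = _ts(m.group(2))
    return meta

def key_state(meta, now_str):
    """Classify the key at now_str (YYYYMMDDHHMMSS UTC): BIND signs only between Activate and Inactive/Delete."""
    now = _ts(now_str)
    if "Delete" in meta and now >= meta["Delete"]:
        return "deleted"
    if "Activate" not in meta or now < meta["Activate"]:
        return "published" if "Publish" in meta and now >= meta["Publish"] else "unpublished"
    if "Inactive" in meta and now >= meta["Inactive"]:
        return "inactive"
    return "active"

def private_readable_by(mode, owner_uid, owner_gid, uid, gids):
    """True if a process running as (uid, gids) can read a .private file with these stat() values."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)
```

A key named cannot open is indistinguishable to it from a key that is not there, so run the readability check as the user named actually runs as, not as the account that generated the key.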