named is not finding the keys for DNSSEC

Andreas Meyer a.meyer at nimmini.de
Wed Aug 3 22:22:56 UTC 2016


Hello!

That makes no difference.

dns_dnssec_keylistfromrdataset: error reading private key file bitcorner.de/RSASHA1/16938: file not found

I think it must have something to do with the name itself, could it be?

The key is named Kbitcorner.de.+005+16938.private but named is looking for
a key named bitcorner.de/RSASHA1/16938 or is it just substituting?

There are also other private keys in the keys folder but named complains
about these two private keys only. All private keys have permissions -rw-------

Aug  4 00:09:22 bitmachine1 named[8460]: running
Aug  4 00:09:22 bitmachine1 named[8460]: zone bitcorner.de/IN: sending notifies (serial 2016080306)
Aug  4 00:09:22 bitmachine1 named[8460]: zone bitcorner.de/IN: reconfiguring zone keys
Aug  4 00:09:22 bitmachine1 named[8460]: dns_dnssec_keylistfromrdataset: error reading private key file bitcorner.de/RSASHA1/16938: file not found
Aug  4 00:09:22 bitmachine1 named[8460]: dns_dnssec_keylistfromrdataset: error reading private key file bitcorner.de/RSASHA1/20464: file not found
Aug  4 00:09:22 bitmachine1 named[8460]: zone bitcorner.de/IN: next key event: 04-Aug-2016 01:09:22.432

Also I don't understand what zone bitcorner.de/IN: reconfiguring zone keys
means.

Meanwhile I was able to sign the zones, but the error remains.

Greetings

  Andreas

Volker Janzen <volker at janzen.onl> wrote on 03.08.16 at 17:58:46:

> Hi,
> 
> You need to 'chown named' the key files. The bind process is unable to read the files belonging to root.
> 
> 
> Regards
>     Volker
> 
> 
> > On 03.08.2016 at 18:33, Andreas Meyer <a.meyer at nimmini.de> wrote:
> > 
> > Hello!
> > 
> > Just subscribed to the list. I wanted to implement DNSSEC
> > with bind but have no luck with this one.
> > 
> > When named starts it says it can't read the private keys.
> > 
> > dns_dnssec_keylistfromrdataset: error reading private key file bitcorner.de/RSASHA1/16938: file not found
> > dns_dnssec_keylistfromrdataset: error reading private key file bitcorner.de/RSASHA1/20464: file not found
> > 
> > The keyfolder looks like this:
> > 
> > -rw-r--r-- 1 root  root   433  3. Aug 17:32 Kbitcorner.de.+005+16938.key
> > -rw------- 1 root  root  1010  3. Aug 17:32 Kbitcorner.de.+005+16938.private
> > -rw-r--r-- 1 root  root   607  3. Aug 17:33 Kbitcorner.de.+005+20464.key
> > -rw------- 1 root  root  1774  3. Aug 17:33 Kbitcorner.de.+005+20464.private
> > -rw-r--r-- 1 named named  728  3. Aug 17:39 managed-keys.bind
> > -rw-r--r-- 1 named named  512  3. Aug 17:39 managed-keys.bind.jnl
> > 
> > # ps aux |grep named
> > named     1458  0.0  1.1 186264 23896 ?        Ssl  17:38   0:00 /usr/sbin/named -u named
> > 
> > Signing of a domain fails:
> > 
> > # dnssec-signzone -K /var/lib/named/keys -e +3024000 -N INCREMENT master/bitcorner.de.zone
> > dnssec-signzone: fatal: No signing keys specified or found.
> > 
> > I'm confused. Why does named look for a key bitcorner.de/RSASHA1/16938 although it is
> > named Kbitcorner.de.+005+16938.private?
> > 
> > I took named out of the chroot but that changes nothing.
> > 
> > Glad about every hint!
> > 
> > Andreas
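The two names in this thread are the same key described two ways: dnssec-keygen writes the file as K<zone>.+<algorithm number>+<key tag>.private, and named logs it as <zone>/<algorithm mnemonic>/<key tag>, where algorithm 005 is RSASHA1. The "file not found" message therefore does not say the filename is wrong; it says named could not open a file it expected to find for that zone, algorithm and key tag. The script below is an added example, not code from the thread or from ISC: it decodes the filenames into the label named logs and checks that every private key is owned by the service user with a mode that user can read, the two conditions the thread is debugging (the directory /var/lib/named/keys and the user named from the thread are passed in as arguments, not hard-coded).

```shell
#!/bin/sh
# Added example (not from the thread): decode K*.private filenames into the
# zone/ALGORITHM/keyid label that named uses in its "error reading private
# key file" messages, and check that each private key is owned by the user
# named runs as (-u named) with a mode that user can read.
# Assumption: key directory and service user are supplied by the caller.

# Algorithm number (the NNN in K<zone>.+NNN+KKKKK) -> mnemonic in named's log.
dnssec_alg_name() {
    # strip leading zeros so "005" and "5" both map to RSASHA1
    alg=$(printf '%s' "$1" | sed 's/^0*\([0-9]\)/\1/')
    case "$alg" in
        5)  echo RSASHA1 ;;
        7)  echo NSEC3RSASHA1 ;;
        8)  echo RSASHA256 ;;
        10) echo RSASHA512 ;;
        13) echo ECDSAP256SHA256 ;;
        14) echo ECDSAP384SHA384 ;;
        15) echo ED25519 ;;
        16) echo ED448 ;;
        *)  echo "ALG$alg" ;;   # any other number: show it as-is
    esac
}

# K<zone>.+NNN+KKKKK.private (or .key, with or without a directory prefix)
# -> "<zone>/<ALGORITHM>/<keyid>", the form seen in the log lines above.
dnssec_key_label() {
    base=${1##*/}            # drop directory
    base=${base#K}           # drop leading K
    base=${base%.private}    # drop either suffix
    base=${base%.key}
    zone=${base%%.+*}        # "bitcorner.de." minus the trailing dot
    rest=${base#*.+}         # "005+16938"
    alg=${rest%%+*}
    keyid=$(printf '%s' "${rest#*+}" | sed 's/^0*\([0-9]\)/\1/')
    echo "$zone/$(dnssec_alg_name "$alg")/$keyid"
}

# Check every K*.private file in a key directory. With mode 0600 (what
# dnssec-keygen creates) only the owner can read the file, so the owner must
# be the user named runs as. Prints one line per problem; the return value
# is the number of problems found (0 means named can read all of them).
dnssec_check_private_keys() {
    keydir=$1
    want_owner=$2
    problems=0
    for f in "$keydir"/K*.private; do
        [ -e "$f" ] || continue
        set -- $(ls -ld "$f")            # $1 = mode, $3 = owner
        mode=${1%[+.@]}                  # drop ACL/SELinux marker if present
        owner=$3
        label=$(dnssec_key_label "$f")
        if [ "$owner" != "$want_owner" ]; then
            echo "$label: owned by $owner, expected $want_owner ($f)"
            problems=$((problems + 1))
        fi
        case "$mode" in
            -rw-------|-r--------) ;;
            *) echo "$label: mode $mode, expected -rw------- ($f)"
               problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ] && echo "all private keys in $keydir are readable by $want_owner"
    return $problems
}

# Usage: sh dnssec-keycheck.sh /var/lib/named/keys named
if [ "$#" -ge 1 ]; then
    dnssec_check_private_keys "$1" "${2:-named}"
fi
```

Run it against the directory given to dnssec-signzone with -K (which must also be the key-directory named uses for the zone); a non-zero exit with one line per key tells you exactly which of the two conditions named is failing on for each of the keys it complains about.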
