named is not finding the keys for DNSSEC

[Tony Finch]

Andreas Meyer <a.meyer at nimmini.de> wrote:
> Tony Finch <dot at dotat.at> schrieb am 04.08.16 um 09:21:36 Uhr:
> >
> > The error message refers to the key ID rather than the filename - in more
> > recent versions it has been clarified to use the actual filename.
>
> Is it possible to look for the filename without upgrading bind or is
> there a fix for this?

There isn't much debug logging in this area so you probably have to use
something like truss or strace.

> > > There are also other private keys in the keysfolder but named complains
> > > about these two private keys only. All privates have permissions -rw-------
> >
> > The error suggests to me that you have a key-directory mismatch, but you
> > seem to have that under control.
>
> hm, after I added
>
>     update-policy local;
>     auto-dnssec maintain;
>
> to another signed zone, bind complains for this one too not finding
> the keys.

That suggets to me that you used dnssec-signzone rather than signing
automatically with named.

(I thought your other error-free zones were being signed by named, so in
those cases it was successfully loading the keys. But if named isn't
signing those zones it isn't trying to load their keys, so the lack of
errors does not tell us anything about the erroneous zone.)

So maybe you don't have key-directory under control after all :-) You
should double check that named is looking in the right place.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Tyne, Dogger, Fisher, German Bight, Humber: Southwesterly, becoming cyclonic
in north Fisher, 5 to 7, veering westerly or northwesterly 5 or 6 later.
Moderate or rough, becoming slight or moderate. Showers. Good.