Automatic RRSIG Refresh in BIND 9.8.2

Mark Andrews marka at isc.org
Wed Jun 14 23:40:41 UTC 2017


https://kb.isc.org/article/AA-00320/0/Why-cant-named-update-slave-zone-database-files-slave-journal-files-and-master-zones-from-journals-.html

In message <1497474665849-3948.post at n4.nabble.com>, Latitude writes:
> Thanks for your reply Tony. Great references. I've got the ARM for 9.8.2
> handy but thank you for sending the link to your article and pointing me
> to Section 4.9.3 Fully Automatic Signing. It's been helpful to confirm zone
> RRSIGs can refresh automatically.
> 
> A zone that was signed with a sigvalidity period to be refreshed every 7
> days is not being refreshed and I'm trying to troubleshoot. I've given the
> zone statement the "auto-dnssec maintain;" and "update-policy local;"
> statements as described, and I'm getting the error below repeatedly in my
> /var/log/message feed:
> 
>   info: zone <zone name>/IN: reconfiguring zone keys
>   <zone name>.jnl: create: permission denied
>   named[5952]: 14-Jun-2017 20:38:08.640 general: error: zone <zone name>/IN:
>   zone_rekey:dns_journal_open -> unexpected error
> 
> The user named has the rwx permissions on the directory containing the
> source zone file and the DNSSEC-signed zone file <zone-name>.signed. This
> installation is BIND chrooted so the absolute path is
> /var/named/chroot/var/named/. Is BIND trying to create the .jnl file in
> this directory (/var/named/chroot/var/named/) and failing to do so? If
> so, I don't see why it's having an issue because user:group ownership of the
> /var/named/chroot/var/named directory is named:named and permissions are set
> to 750 on it. I believe this could be the clue to why my zone RRSIG isn't
> being refreshed. A lot of Google searching for this error hasn't yielded
> anything to help my situation either. Thank you in advance for any input.
> 
> Below are my named.conf and zone statement file excerpts for reference:
> 
> named.conf file DNSSEC options:
> 
> // DNSSEC options
>         dnssec-enable yes;
>         dnssec-validation yes;
>         dnssec-lookaside auto;
>         sig-validity-interval 7 2; // RRSIG validity period, BIND 9 ARM, Chapter 6
>         key-directory "/etc/keys/dnssec"; // Directory containing all DNSSEC keys
> 
> //Zone statement
> zone "<zone-name>" { 
>         type master;
>         update-policy local; 
>         file "db.<zone-name>.signed"; 
>         auto-dnssec maintain;
>         allow-query { any; }; 
>         allow-transfer { xfers; }; 
> };
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
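The question in the quoted message is whether named is trying to create the journal in the chrooted zone directory and failing there. The script below is an added example, not code from this thread or from ISC: it works out the journal path the way named derives it (zone file name plus ".jnl", a relative "file" resolved against the "directory" option, both under the chroot root) and then probes whether the invoking user can create a file in that directory, which is the operation that produced "create: permission denied". The chroot root, the directory option and the zone file name used at the bottom are placeholders for the poster's setup; the zone's explicit "journal" option, if set, overrides the derived name and is not handled here.

```shell
#!/bin/sh
# Added example (not from the thread or from ISC). Works out where named will
# try to create a zone's journal and probes whether that directory allows it.
# Assumed values (adjust to your server): named runs in a chroot at
# /var/named/chroot, the named.conf "directory" option is /var/named, and the
# zone's "file" is db.example.com.signed.

# journal_path CHROOT DIRECTORY FILE
# BIND names the journal after the zone file with ".jnl" appended (unless the
# zone has an explicit "journal" option). A relative "file" is resolved against
# the "directory" option; inside a chroot both paths are relative to the chroot
# root, so the prefix is added to get the path as seen from outside.
journal_path() {
    chroot_root=$1; directory=$2; zonefile=$3
    case $zonefile in
        /*) printf '%s%s.jnl\n' "$chroot_root" "$zonefile" ;;
        *)  printf '%s%s/%s.jnl\n' "$chroot_root" "$directory" "$zonefile" ;;
    esac
}

# can_create_in DIR
# Returns 0 if the invoking user can create a file in DIR (what named does when
# it opens a journal for writing), 1 otherwise. Run the whole script as the
# server's user to see named's view of the directory, e.g.
#   sudo -u named sh journal_check.sh
can_create_in() {
    dir=$1
    [ -d "$dir" ] || return 1
    probe="$dir/.jnl-probe.$$"
    if ( umask 077; : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    return 1
}

# report CHROOT DIRECTORY FILE
# Prints the derived journal path, the directory's ownership and mode, and
# whether the current user could create the journal there.
report() {
    jnl=$(journal_path "$1" "$2" "$3")
    jnldir=$(dirname "$jnl")
    printf 'journal: %s\n' "$jnl"
    ls -ld "$jnldir" 2>/dev/null || printf 'directory %s does not exist\n' "$jnldir"
    if can_create_in "$jnldir"; then
        printf 'user %s can create files in %s\n' "$(id -un)" "$jnldir"
    else
        printf 'user %s cannot create files in %s (the "create: permission denied" case)\n' \
            "$(id -un)" "$jnldir"
    fi
}

report /var/named/chroot /var/named db.example.com.signed
```

Run it as root and it will almost always say the directory is writable, so run it as the named user to reproduce what the server sees. If the probe succeeds as named while named itself still logs the error, the KB article linked above lists the other reasons a master zone's directory can be unwritable for named. Note also that with "auto-dnssec maintain" and "update-policy local" the zone is a dynamic zone, so named needs to write both the journal and, when it dumps the zone, the zone file itself in that directory.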