Automatic RRSIG Refresh in BIND 9.8.2

Petr Mensik pemensik at redhat.com
Fri Jun 16 16:45:48 UTC 2017 

Hi,

I think you should use file "dynamic/db.<zone-name>.signed"; instead. On Red Hat /var/named is by default read only to named. It is enforced both by unix permissions and SELinux policy. I think you are being blocked by selinux.

Try sudo ausearch -i -ts recent -m avc -m user_avc -m selinux_err
It may show you some errors that are named related.

For dynamic updates, directory /var/named/dynamic is prepared. Signature maintaining is processed like dynamic updates to the zone, so write access to the zone file and its .jnl is required. You can enable write there, check https://bugzilla.redhat.com/show_bug.cgi?id=545128

Regards,
Petr

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973


----- Original Message -----
From: "Latitude" <arlendelcastillo at gmail.com>
To: bind-users at lists.isc.org
Sent: Wednesday, June 14, 2017 11:11:05 PM
Subject: Re: Automatic RRSIG Refresh in BIND 9.8.2

Thanks for your reply Tony. Great references. I've got the ARM for 9.8.2
handy but thank you for sending the link to your article and pointing me out
to Section 4.9.3 Fully Automatic Signing. It's been helpful to confirm zone
RRSIGs can refresh automatically. 

A zone that was signed with a sigvalidity period to be refreshed every 7
days is not being refreshed and I'm trying to troubleshoot. I've given the
zone statement the *auto-dnssec maintain;* and *update-policy local;*
statements as described, and I'm getting the error below repeatedly in my
/var/log/message feed:

*info: zone <zone name>/IN: reconfiguring zone keys
<zone name>.jnl: create: permission denied
named[5952]: 14-Jun-2017 20:38:08.640 general: error: zone <zone name>/IN:
zone_rekey:dns_journal_open -> unexpected error*

The user *named* has the rwx permissions on the directory containing the
source zone file and the DNSSEC-signed zone file <zone-name>.signed. This
installation is BIND chrooted so the absolute path is
*/var/named/chroot/var/named/*. Is BIND trying to create the .jnl file in
this directory (*/var/named/chroot/var/named/*) and failing to due so? If
so, I don't see why it's having an issue because user:group ownership of the
/var/named/chroot/var/named directory is named:named and permissions are set
to 750 on it. I believe this could be the clue to why my zone RRSIG isn't
being refreshed. A lot of Google searching for this error hasn't yielded
anything to help my situation either. Thank you in advance for any input.

Below are my named.conf and zone statement file excerpts for reference:

named.conf file DNSSEC options:

// DNSSEC options
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        sig-validity-interval 7 2; //RRSIG validity period, BIND 9 ARM,
Chapter 6
        key-directory "/etc/keys/dnssec"; //Directory containing all DNSSEC
keys

//Zone statement
zone "<zone-name>" { 
        type master;
        update-policy local; 
        file "db.<zone-name>.signed"; 
        auto-dnssec maintain;
        allow-query { any; }; 
        allow-transfer { xfers; }; 
};




--
View this message in context: http://bind-users-forum.2342410.n4.nabble.com/Automatic-RRSIG-Refresh-in-BIND-9-8-2-tp3946p3948.html
Sent from the Bind-Users forum mailing list archive at Nabble.com.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

More information about the bind-users mailing list