dns_dnssec_findzonekeys2: error reading WHATEVER.private: file not found

Josef Moellers jmoellers at suse.de
Wed Feb 23 14:35:45 UTC 2022


On 23.02.22 15:32, Niall O'Reilly wrote:
> Hello.
> 
> Using BIND 9.16.1-Ubuntu (Stable Release) <id:d497c32> because that’s
> what’s most simply available on Ubuntu 20.04.3 LTS (Focal Fossa),
> I’m seeing messages reporting that private key files can’t be found,
> such as the one in the subject line. The files look to me to be
> present as expected.


Just a quick shot: The server is (maybe) running in a chroot environment ...

Josef

> I shall be grateful for any helpful advice.
> 
> The relevant part of my configuration is further down.
> 
> This appeared to work as expected on a development server running
> 9.18 from the ISC PPA. For production purposes, we would prefer
> to rely, if possible, on what is available without adding a PPA.
> 
> Best regards,
> Niall O’Reilly
> 
> dnssec-policy onboarding {
>     // This policy attempts to match or accommodate what zonefactory did
>     // YMMV!
>     dnskey-ttl 3600;
>     keys {
>         ksk lifetime 3650d algorithm rsasha256;
>         zsk lifetime 3650d algorithm rsasha256;
>     };
>     max-zone-ttl 3600;
>     parent-ds-ttl 86400;
>     parent-propagation-delay 48h;
>     publish-safety 7d;
>     retire-safety 7d;
>     signatures-refresh 5d;
>     signatures-validity 30d;
>     signatures-validity-dnskey 30d;
>     zone-propagation-delay 2h;
> };
>
> zone "foo.ie" {
>     type primary;
>     update-policy local;
>     file "/etc/bind/dynamic/foo.ie/db.foo.ie";
>     key-directory "/etc/bind/dynamic/foo.ie/";
>     masterfile-format text;
>     dnssec-policy onboarding;    # Policy under test
>     // dnssec-policy default;    # triggers retirement of existing keys
>     // auto-dnssec maintain;     # continues use of existing keys
>     notify explicit;             # Testing: don't propagate confusion! ;-)
>     also-notify { downstream-in-house; };
>     allow-transfer { key in-house.ns.my-own.net.; };
> };
> 
> 


-- 
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany

(HRB 36809, AG Nürnberg)
Geschäftsführer: Ivo Totev
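
The chroot suggestion above can be checked mechanically. The following is an added example, not part of the original message and not BIND tooling: it maps the `key-directory` from named.conf through the directory given to named's `-t` option and lists every `K*.key` file whose `.private` companion is missing or unreadable at that effective location. The function names are hypothetical, and it assumes the chroot is set with `-t` on named's command line.

```shell
#!/bin/sh
# Added diagnostic sketch (hypothetical helper names, not BIND tooling).
# Run it as the account named runs under so that -r reflects named's access.

# Print the directory passed to named's -t option, or nothing if not chrooted.
named_chroot() {            # $1: named command line, e.g. from `ps -o args= -C named`
    set -- $1               # split the command line into words
    while [ $# -gt 0 ]; do
        case $1 in
            -t)   printf '%s\n' "$2"; return 0 ;;
            -t?*) printf '%s\n' "${1#-t}"; return 0 ;;
        esac
        shift
    done
    return 0
}

# Map an absolute path as written in named.conf to the path on the host.
host_path() {               # $1: chroot directory (may be empty), $2: path in named.conf
    printf '%s%s\n' "${1%/}" "$2"
}

# Print each expected .private file that is absent or unreadable.
missing_private() {         # $1: key-directory as a host path
    for pub in "$1"/K*.key; do
        [ -e "$pub" ] || continue
        priv="${pub%.key}.private"
        [ -r "$priv" ] || printf '%s\n' "$priv"
    done
}

# Exit status: 0 = all private keys readable, 1 = some missing, 2 = no such directory.
check_keydir() {            # $1: named command line, $2: key-directory from named.conf
    root=$(named_chroot "$1")
    dir=$(host_path "$root" "$2")
    if [ ! -d "$dir" ]; then
        printf 'not a directory as seen by named: %s\n' "$dir"
        return 2
    fi
    out=$(missing_private "$dir")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Stand-alone use: sh thisfile --check /etc/bind/dynamic/foo.ie/
if [ "${1:-}" = "--check" ]; then
    check_keydir "$(ps -o args= -C named)" "$2"
fi
```

A status of 1 or 2 when the files are visible at the unprefixed path means the keys were placed outside the tree that named can see.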

