dns_dnssec_findzonekeys2: error reading WHATEVER.private: file not found

Ondřej Surý ondrej at isc.org
Wed Feb 23 14:43:43 UTC 2022


Hi Niall,


> On 23. 2. 2022, at 15:32, Niall O'Reilly <niall.oreilly at ucd.ie> wrote:
> 
> Hello.
> 
> Using BIND 9.16.1-Ubuntu (Stable Release) id:d497c32 because that’s
> what’s most simply available on Ubuntu 20.04.3 LTS (Focal Fossa),
> I’m seeing messages reporting that private key files can’t be found,
> such as the one in the subject line. The files look to me to be
> present as expected.
> 
> I shall be grateful for any helpful advice.


There have been 25 patch releases between 9.16.1 and 9.16.25 fixing
more or less serious bugs.  The most helpful advice is to upgrade
to the latest BIND 9.16 patch release.

> This appeared to work as expected on a development server running
> 9.18 from the ISC PPA. For production purposes, we would prefer
> to rely, if possible, on what is available without adding a PPA.

It’s the other way around - you should not be running a random snapshot
of the software taken by the distribution at a random point in time.

If you don’t want to rely on external repositories (which is perfectly fine),
my recommendation would be to go with Debian bullseye, where I negotiated
with the security and release teams to update BIND 9.16 with the upstream
patch releases.

The other option provided by ISC is to run BIND 9 inside a docker container,
so you don’t have to worry about the PPA messing with the base system, but
the docker container is exactly “Ubuntu 20.04 + ISC PPA”.

Cheers,
Ondrej
--
Ondřej Surý (He/Him)
ondrej at isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.


