new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?
Matthijs Mekking
matthijs at isc.org
Fri Oct 14 14:19:15 UTC 2022
Hi,
This is a log level bug. This log happens when BIND wants to check the
parental-agents if the DS has been published. But if you don't have
parental-agents set up, the list of keys to check will be empty. Hence
the "not found" result.
Thanks for reporting, this will be fixed in the next release, it should
be a debug log level.
Best regards,
Matthijs
On 14-10-2022 15:26, PGNet Dev wrote:
> i run,
>
> named -v
> BIND 9.18.7 (Stable Release) <id:>
>
>
> i've set up dnssec-policy operation for a number of domains.
>
> keys are all generated, KSK-derived DS Records are pushed to
> registrar->root, and all DNSSEC-analyzer tools online report all's good.
>
> i can see no functional problems. so far. that i'm aware of.
>
> but, in bind logs, locally, I see the following
> "zone_rekey:dns_zone_getdnsseckeys failed: not found" error,
>
> 2022-10-14T08:47:23.569556-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.568 dnssec: info: zone example.com/IN/external: generated salt:
> 82CSA124A1645B0D
> 2022-10-14T08:47:23.711869-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.710 dnssec: info: zone example.com/IN/external: reconfiguring
> zone keys
> ?? 2022-10-14T08:47:23.712653-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.711 dnssec: error: zone example.com/IN/external:
> zone_rekey:dns_zone_getdnsseckeys failed: not found
> 2022-10-14T08:47:23.712663-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.711 dnssec: debug 1: keymgr: keyring:
> example.com/ECDSAP256SHA256/62137 (policy pgnd)
> 2022-10-14T08:47:23.712666-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.711 dnssec: debug 1: keymgr: keyring:
> example.com/ECDSAP256SHA256/17296 (policy pgnd)
> 2022-10-14T08:47:23.712671-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.711 dnssec: debug 1: keymgr: DNSKEY
> example.com/ECDSAP256SHA256/17296 (KSK) matches policy pgnd
> 2022-10-14T08:47:23.712674-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.711 dnssec: debug 1: keymgr: DNSKEY
> example.com/ECDSAP256SHA256/17296 (KSK) is active in policy pgnd
> 2022-10-14T08:47:23.712677-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.711 dnssec: debug 1: keymgr: DNSKEY
> example.com/ECDSAP256SHA256/62137 (ZSK) matches policy pgnd
> 2022-10-14T08:47:23.712680-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.711 dnssec: debug 1: keymgr: DNSKEY
> example.com/ECDSAP256SHA256/62137 (ZSK) is active in policy pgnd
> 2022-10-14T08:47:23.712683-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.711 dnssec: debug 1: keymgr: new successor needed for DNSKEY
> example.com/ECDSAP256SHA256/62137 (ZSK) (policy pgnd) in 2445436 seconds
> 2022-10-14T08:47:23.712686-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.711 dnssec: debug 1: keymgr: examine ZSK
> example.com/ECDSAP256SHA256/62137 type DNSKEY in state OMNIPRESENT
> 2022-10-14T08:47:23.712688-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.711 dnssec: debug 1: keymgr: ZSK
> example.com/ECDSAP256SHA256/62137 type DNSKEY in stable state OMNIPRESENT
> 2022-10-14T08:47:23.712690-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.711 dnssec: debug 1: keymgr: examine ZSK
> example.com/ECDSAP256SHA256/62137 type ZRRSIG in state OMNIPRESENT
> 2022-10-14T08:47:23.712693-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.711 dnssec: debug 1: keymgr: ZSK
> example.com/ECDSAP256SHA256/62137 type ZRRSIG in stable state OMNIPRESENT
> 2022-10-14T08:47:23.712695-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.711 dnssec: debug 1: keymgr: examine KSK
> example.com/ECDSAP256SHA256/17296 type DNSKEY in state OMNIPRESENT
> 2022-10-14T08:47:23.712697-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.711 dnssec: debug 1: keymgr: KSK
> example.com/ECDSAP256SHA256/17296 type DNSKEY in stable state OMNIPRESENT
> 2022-10-14T08:47:23.712699-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.711 dnssec: debug 1: keymgr: examine KSK
> example.com/ECDSAP256SHA256/17296 type KRRSIG in state OMNIPRESENT
> 2022-10-14T08:47:23.712702-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.711 dnssec: debug 1: keymgr: KSK
> example.com/ECDSAP256SHA256/17296 type KRRSIG in stable state OMNIPRESENT
> 2022-10-14T08:47:23.712704-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.711 dnssec: debug 1: keymgr: examine KSK
> example.com/ECDSAP256SHA256/17296 type DS in state RUMOURED
> 2022-10-14T08:47:23.712706-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.711 dnssec: debug 1: keymgr: can we transition KSK
> example.com/ECDSAP256SHA256/17296 type DS state RUMOURED to state
> OMNIPRESENT?
> 2022-10-14T08:47:23.712712-04:00 ns named[14285]: 14-Oct-2022
> 08:47:23.711 dnssec: debug 1: keymgr: dnssec evaluation of KSK
> example.com/ECDSAP256SHA256/17296 record DS: rule1=(~true or true)
> rule2=(~true or true) rule3=(~true or true)
>
> for each/every dnssec-enabled domain
>
> where, in my current named.conf,
>
> dnssec-policy "pgnd" {
>     keys {
>         ksk key-directory lifetime unlimited algorithm 13;
>         zsk key-directory lifetime P30D algorithm 13;
>     };
>     dnskey-ttl 3600;
>     publish-safety 1h;
>     retire-safety 1h;
>     signatures-refresh P5D;
>     signatures-validity P2W;
>     signatures-validity-dnskey P2W;
>     max-zone-ttl 86400;
>     zone-propagation-delay 300;
>     parent-ds-ttl 86400;
>     parent-propagation-delay 1h;
>     nsec3param iterations 5 optout no salt-length 8;
> };
> zone "example.com" IN {
>     type master;
>     file "/namedb/master/example.com.zone";
>     dnssec-policy "pgnd";
>     key-directory "/keys/dnssec/example.com";
>     update-policy { grant pgnd-external-rndc-key zonesub txt; };
> };
>
> what's the source of the "zone_rekey:dns_zone_getdnsseckeys"?
> specifically, what's not being found?
> have i missed/misconfig'd config, omitted a file/dir that current config
> expects, or is this a bug?
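
Log triage for the situation discussed in this thread, added here as an example; it is not part of either poster's message and not BIND code. It counts the `zone_rekey:dns_zone_getdnsseckeys failed: not found` entries per zone and lists KSKs whose DS state has not reached OMNIPRESENT. The function names and the example.net entry are assumptions, and the log is a constructed sample in the quoted format with each entry on one line.

```python
import re
from collections import defaultdict

# Constructed sample: entries in the format quoted above, one per line
# (the mail client wrapped them); the example.net line is invented.
SAMPLE_LOG = """\
2022-10-14T08:47:23.712653-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: error: zone example.com/IN/external: zone_rekey:dns_zone_getdnsseckeys failed: not found
2022-10-14T08:47:23.712695-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine KSK example.com/ECDSAP256SHA256/17296 type DNSKEY in state OMNIPRESENT
2022-10-14T08:47:23.712704-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine KSK example.com/ECDSAP256SHA256/17296 type DS in state RUMOURED
2022-10-14T08:47:24.100000-04:00 ns named[14285]: 14-Oct-2022 08:47:24.099 dnssec: debug 1: keymgr: examine KSK example.net/ECDSAP256SHA256/4242 type DS in state OMNIPRESENT
"""

# The error line names the zone as zone/class/view; the level is captured
# loosely so "error" and "debug 1" both parse.
REKEY_ERR = re.compile(
    r"dnssec: (?P<level>[^:]+): zone (?P<zone>[^/\s]+)/\w+(?:/\S+)?: "
    r"zone_rekey:dns_zone_getdnsseckeys failed: not found")
# keymgr lines carry no view, only the key name zone/algorithm/tag.
KSK_STATE = re.compile(
    r"keymgr: examine KSK (?P<zone>[^/\s]+)/\w+/(?P<tag>\d+) "
    r"type (?P<rtype>\w+) in state (?P<state>\w+)")

def triage(log_text):
    """Return {zone: {"rekey_not_found": n, "level": str, "ds": {tag: state}}}."""
    zones = defaultdict(lambda: {"rekey_not_found": 0, "level": None, "ds": {}})
    for line in log_text.splitlines():
        if m := REKEY_ERR.search(line):
            zones[m["zone"]]["rekey_not_found"] += 1
            zones[m["zone"]]["level"] = m["level"]
        elif (m := KSK_STATE.search(line)) and m["rtype"] == "DS":
            # Later entries overwrite earlier ones: keep the last state seen.
            zones[m["zone"]]["ds"][int(m["tag"])] = m["state"]
    return dict(zones)

def ds_unconfirmed(report):
    """KSKs whose DS record named has not yet marked OMNIPRESENT."""
    return sorted((zone, tag, state)
                  for zone, info in report.items()
                  for tag, state in info["ds"].items()
                  if state != "OMNIPRESENT")

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for zone, info in sorted(report.items()):
        print(zone, info["rekey_not_found"], info["level"], info["ds"])
    print("DS not yet OMNIPRESENT:", ds_unconfirmed(report))
```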