new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

Ondřej Surý ondrej at isc.org
Fri Oct 14 14:20:51 UTC 2022


In addition to what Matthijs said, please make sure that all path components
in /data/chroot/named/keys/dnssec/example.com/ have correct permissions;
this is easy to get wrong. I've been burnt by this too many times.

The easiest way to test is to switch to the user that named runs under, try
changing to the directory, and check whether you can access the files.

Ondrej
--
Ondřej Surý (He/Him)
ondrej at isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 14. 10. 2022, at 16:17, PGNet Dev <pgnet.dev at gmail.com> wrote:
> 
> hi
> 
>> Think ownership, permission and things like SELinux, AppArmor depending on your OS.
> 
> on this box, no SELinux or AppArmor
> 
> in my named.conf
> 
> 	directory "/namedb/production";
> 
> and for my domain's dnssec
> 
> 	key-directory "/keys/dnssec/example.com";
> 
> pathnames are relative to chroot.
> 
> here, chroot is @ "/data/chroot/named",
> 
> 	ps aux | grep named
> 		named    14285  0.0  0.2 526388 67360 ?        Ssl  08:47   0:00 /usr/sbin/named -f -t /data/chroot/named -n 2 -S 1024 -u named -c /etc/named.conf
> 
> checking,
> 
> 	ls -al \
> 	 /data/chroot/named/namedb/production \
> 	 /data/chroot/named/keys/dnssec/example.com/
> 
> access looks ok (?)
> 
> 	/data/chroot/named/keys/dnssec/example.com/:
> 		total 32K
> 		drwxr-xr-x 2 named named 4.0K Oct 12 18:09 ./
> 		drwxr-xr-x 5 named named 4.0K Oct 14 00:22 ../
> 		-rw-r----- 1 named named  405 Oct 13 19:14 Kexample.com.+013+17296.key
> 		-rw-r----- 1 named named  215 Oct 13 19:14 Kexample.com.+013+17296.private
> 		-rw-r----- 1 named named  572 Oct 13 19:14 Kexample.com.+013+17296.state
> 		-rw-r----- 1 named named  455 Oct 13 19:14 Kexample.com.+013+62137.key
> 		-rw-r----- 1 named named  235 Oct 13 19:14 Kexample.com.+013+62137.private
> 		-rw-r----- 1 named named  556 Oct 13 19:14 Kexample.com.+013+62137.state
> 
> 	/data/chroot/named/namedb/production:
> 		total 16K
> 		drwxrwxr-x 2 named named 4.0K Oct 14 08:47 ./
> 		drwxr-xr-x 5 named named 4.0K Oct 14 08:47 ../
> 		-rw------- 1 named named 8.0K Oct 14 08:47 external.nzd
> 		-rw-r----- 1 named named    0 Oct 14 08:47 managed-keys.bind
