new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?
Mark Andrews
marka at isc.org
Mon Oct 17 02:05:20 UTC 2022
> On 17 Oct 2022, at 12:13, PGNet Dev <pgnet.dev at gmail.com> wrote:
>
>> In addition to what Matthijs said, please make sure that all path components
>> in /data/chroot/named/keys/dnssec/example.com/ need to have correct permissions,
>> this is easy to get wrong. I've burnt on this too many times.
>> Easiest way how to test is switching to the user that named runs under and try
>> changing to the directory and checking if you can access the files.
>
> i've double-checked my perms; if that's the cause, i've missed it :_/
>
> testing without dnssec-policy autosiging, just manually signing,
>
> for an active/healthy, dnssec-signed zone
>
> rndc dnssec -status example.com IN external
> dnssec-policy: pgnd
> current time: Sun Oct 16 20:44:05 2022
>
> key: 10729 (ECDSAP256SHA256), ZSK
> published: yes - since Sat Oct 15 15:52:05 2022
> zone signing: yes - since Sat Oct 15 15:52:05 2022
>
> Next rollover scheduled on Sun Oct 30 13:47:05 2022
> - goal: omnipresent
> - dnskey: omnipresent
> - zone rrsig: rumoured
>
> key: 57122 (ECDSAP256SHA256), KSK
> published: yes - since Sat Oct 15 15:52:05 2022
> key signing: yes - since Sat Oct 15 15:52:05 2022
>
> No rollover scheduled
> - goal: omnipresent
> - dnskey: omnipresent
> - ds: hidden
> - key rrsig: omnipresent
>
> trying a manual rollover
>
> rndc dnssec -rollover -key 10729 example.com IN external
> Error executing rollover command: error occurred writing key to disk
>
> where, even with debug logging, all that i see on exec is
>
> 2022-10-16T20:56:49.979144-04:00 ns named[2036]: 16-Oct-2022 20:56:49.977 general: info: received control channel command 'dnssec -rollover -key 10729 example.com IN external'
>
> is there a way to determine what data is being attempted to write to which file/location on disk?
> or, generally, any more detail about what "error occurred" ?
It will be attempting to write into the key-directory for the zone as defined by named.conf. It will be creating a new file and then renaming that to replace one of the existing files associated with that key, the .private or .state (I haven’t looked to see which) with updated content.
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
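The create-then-rename step described above needs search (x) permission on every ancestor of the key-directory plus write and search permission on the directory itself; the key files' own modes are not enough. The following script, an added example that is not from this thread or from ISC, checks exactly that from the point of view of whatever user runs it, so it should be run as the named user (for example `sudo -u named sh check_keydir.sh /data/chroot/named/keys/dnssec/example.com`). The path and the sample key file names (key tag 10729, algorithm 13) are taken from the thread; the temporary directory in the usage comment is an assumption. On a chrooted named, pass the full host path, since the key-directory in named.conf is relative to the chroot.

```shell
#!/bin/sh
# check_keydir_access DIR
#   Verifies that the invoking user can do what named does on a manual
#   rollover: traverse every path component, create a temporary file in DIR
#   and rename it over the existing K*.private / K*.state files.
#   Prints each problem found and returns 1 if any, 0 if all checks pass.
#   Run it as the user named runs under; root bypasses mode bits, so a
#   check run as root proves nothing.
check_keydir_access() {
  dir=$1
  rc=0

  # make the path absolute so the component walk starts at /
  case $dir in
    /*) ;;
    *) dir="$PWD/$dir" ;;
  esac

  if [ ! -d "$dir" ]; then
    printf 'key-directory does not exist or is not a directory: %s\n' "$dir"
    return 1
  fi

  # every ancestor needs search (x) permission, e.g. /data, /data/chroot, ...
  p=
  oldifs=$IFS
  IFS=/
  for comp in $dir; do
    IFS=$oldifs
    if [ -z "$comp" ]; then
      continue
    fi
    p="$p/$comp"
    if [ ! -x "$p" ]; then
      printf 'no search permission on path component: %s\n' "$p"
      rc=1
    fi
  done
  IFS=$oldifs

  # creating the temp file and renaming it requires w+x on the directory itself
  if [ ! -w "$dir" ]; then
    printf 'key-directory is not writable (cannot create/rename key files): %s\n' "$dir"
    rc=1
  fi

  # named also reads the current .private and .state files before rewriting them
  found=0
  for f in "$dir"/K*.private "$dir"/K*.state; do
    if [ ! -e "$f" ]; then
      continue   # unmatched glob
    fi
    found=1
    if [ ! -r "$f" ]; then
      printf 'key file not readable: %s\n' "$f"
      rc=1
    fi
  done
  if [ "$found" -eq 0 ]; then
    printf 'warning: no K*.private or K*.state files found in %s\n' "$dir"
  fi

  return "$rc"
}

# Usage: sh check_keydir.sh /data/chroot/named/keys/dnssec/example.com
if [ -n "${1:-}" ]; then
  check_keydir_access "$1"
fi
```

A clean run prints nothing and exits 0; any line of output names the exact component or file that named would stumble on, which is the detail the "error occurred writing key to disk" message leaves out.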