new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

Mark Andrews marka at isc.org
Mon Oct 17 02:05:20 UTC 2022



> On 17 Oct 2022, at 12:13, PGNet Dev <pgnet.dev at gmail.com> wrote:
> 
>> In addition to what Matthijs said, please make sure that all path components
>> in /data/chroot/named/keys/dnssec/example.com/ need to have correct permissions,
>> this is easy to get wrong. I've burnt on this too many times.
>> Easiest way how to test is switching to the user that named runs under and try
>> changing to the directory and checking if you can access the files.
> 
> i've double-checked my perms; if that's the cause, i've missed it :_/
> 
> testing without dnssec-policy autosigning, just manually signing,
> 
> for an active/healthy, dnssec-signed zone
> 
> 	rndc dnssec -status example.com IN external
> 		dnssec-policy: pgnd
> 		current time:  Sun Oct 16 20:44:05 2022
> 
> 		key: 10729 (ECDSAP256SHA256), ZSK
> 		  published:      yes - since Sat Oct 15 15:52:05 2022
> 		  zone signing:   yes - since Sat Oct 15 15:52:05 2022
> 
> 		  Next rollover scheduled on Sun Oct 30 13:47:05 2022
> 		  - goal:           omnipresent
> 		  - dnskey:         omnipresent
> 		  - zone rrsig:     rumoured
> 
> 		key: 57122 (ECDSAP256SHA256), KSK
> 		  published:      yes - since Sat Oct 15 15:52:05 2022
> 		  key signing:    yes - since Sat Oct 15 15:52:05 2022
> 
> 		  No rollover scheduled
> 		  - goal:           omnipresent
> 		  - dnskey:         omnipresent
> 		  - ds:             hidden
> 		  - key rrsig:      omnipresent
> 
> trying a manual rollover
> 
> 	rndc dnssec -rollover -key 10729 example.com IN external
> 		Error executing rollover command: error occurred writing key to disk
> 
> where, even with debug logging, all that i see on exec is
> 
> 	2022-10-16T20:56:49.979144-04:00 ns named[2036]: 16-Oct-2022 20:56:49.977 general: info: received control channel command 'dnssec -rollover -key 10729 example.com IN external'
> 
> is there a way to determine what data is being attempted to write to which file/location on disk?
> or, generally, any more detail about what "error occurred" ?

It will be attempting to write into the key-directory for the zone as defined by named.conf. It will be creating a new file and then renaming that to replace one of the existing files associated with that key, the .private or .state (I haven’t looked to see which) with updated content.


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
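The permission test Ondřej suggests (switch to the named user and try to reach the files) and the write pattern Mark describes (create a new file, then rename it over the existing .private or .state file) can be checked together from a shell. The script below is an added example, not code from the thread or from BIND: it walks every path component of a key directory, checks that the existing K*.key/.private/.state files are readable, and then performs a create-then-rename probe in the directory. The directory path and the user it is run as are assumptions; run it as the account named uses, for example `sudo -u named sh check_keydir.sh /data/chroot/named/keys/dnssec/example.com` (remembering that a chrooted named sees the path without the chroot prefix).

```shell
#!/bin/sh
# check_keydir DIR
# Verifies that the invoking user can do what named needs in a DNSSEC
# key-directory: search every path component, read the key files, and
# create a file then rename it (the way named rewrites .private/.state).
# Prints each failing check and returns 0 only if everything passed.
check_keydir() {
    dir=$1
    ok=0

    # Make the path absolute so the component walk starts at /.
    case $dir in
        /*) ;;
        *)  dir="$PWD/$dir" ;;
    esac

    # Every directory on the way down needs search (x) permission for us.
    rest=${dir#/}
    path=""
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -z "$comp" ] && continue
        path="$path/$comp"
        if [ ! -d "$path" ]; then
            echo "missing or not a directory: $path"
            ok=1
            break
        fi
        if [ ! -x "$path" ]; then
            echo "no search permission on: $path"
            ok=1
        fi
    done

    # named reads the existing key files before it rewrites them.
    for f in "$dir"/K*.key "$dir"/K*.private "$dir"/K*.state; do
        [ -e "$f" ] || continue
        if [ ! -r "$f" ]; then
            echo "cannot read: $f"
            ok=1
        fi
    done

    # Probe the create-then-rename pattern; this needs write+search on the
    # directory itself, independent of the mode bits on the key files.
    probe="$dir/.keydir-probe.$$"
    if ( : > "$probe" ) 2>/dev/null &&
       mv -f "$probe" "$probe.renamed" 2>/dev/null; then
        rm -f "$probe.renamed"
    else
        echo "cannot create and rename a file in: $dir"
        rm -f "$probe"
        ok=1
    fi

    return $ok
}

# Usage when run as a script: check_keydir.sh /path/to/key-directory
if [ -n "$1" ]; then
    check_keydir "$1" && echo "OK: $1"
fi
```

A failing create-then-rename probe while the key files themselves look readable is exactly the situation where `rndc dnssec -rollover` reports "error occurred writing key to disk" without a more specific message, so it is worth running this as the named user rather than as root, whose checks pass regardless of the mode bits.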