named is not finding the keys for DNSSEC
Andreas Meyer
a.meyer at nimmini.de
Thu Aug 4 09:27:22 UTC 2016
Hello!
Tony Finch <dot at dotat.at> wrote on 04.08.16 at 09:21:36:
> > The key is named Kbitcorner.de.+005+16938.private but named is looking for
> > a key named bitcorner.de/RSASHA1/16938 or is it just substituting?
>
> The error message refers to the key ID rather than the filename - in more
> recent versions it has been clarified to use the actual filename.
Is it possible to look for the filename without upgrading bind or is
there a fix for this?
> > There are also other private keys in the keys folder but named complains
> > about these two private keys only. All privates have permissions -rw-------
>
> The error suggests to me that you have a key-directory mismatch, but you
> seem to have that under control.
hm, after I added
update-policy local;
auto-dnssec maintain;
to another signed zone, bind complains about this one too, not finding
the keys.
> Are you chrooting named, and if so, does your inside-chroot and
> outside-chroot match?
Good question. The structure looks like this:
bitmachine1:/var/lib/named/var # ls -al
insgesamt 16
drwxr-xr-x 4 named root 4096 2. Aug 13:47 .
drwxr-xr-x 12 root root 4096 3. Aug 17:32 ..
drwxr-xr-x 2 root root 4096 2. Aug 13:47 lib
lrwxrwxrwx 1 root root 6 2. Aug 13:47 log -> ../log
drwxr-xr-x 3 named root 4096 2. Aug 13:47 run
and like this:
bitmachine1:/var/lib/named/var/lib/named # ls -al
insgesamt 56
drwxr-xr-x 12 root root 4096 3. Aug 17:32 .
drwxr-xr-x 46 root root 4096 4. Aug 00:00 ..
-rw-r--r-- 1 root root 192 19. Nov 2009 127.0.0.zone
drwxr-xr-x 2 root root 4096 4. Aug 01:43 dev
drwxr-xr-x 2 named named 4096 11. Mär 11:47 dyn
drwxr-xr-x 4 root root 4096 4. Aug 10:14 etc
drwxr-xr-x 2 named root 4096 4. Aug 11:03 keys
drwxr-xr-x 3 root root 4096 2. Aug 23:09 lib64
-rw-r--r-- 1 root root 182 19. Nov 2009 localhost.zone
drwxr-xr-x 2 named named 4096 4. Aug 01:00 log
drwxr-xr-x 2 root root 4096 3. Aug 23:34 master
dr-xr-xr-x 220 root root 0 2. Aug 10:33 proc
-rw-r--r-- 1 root root 3048 11. Mär 11:47 root.hint
drwxr-xr-x 2 named named 4096 11. Mär 11:47 slave
drwxr-xr-x 4 named root 4096 2. Aug 13:47 var
> Stupid question: are the zones for the other keys actually signed?
yes
> > Also I don't understand what zone bitcorner.de/IN: reconfiguring zone keys
> > means.
>
> It means named is checking for any key changes.
Thank you!
Andreas
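The thread turns on three things: the key ID form named prints (zone/ALGORITHM/keyid) versus the file name it actually opens (K<zone>.+<alg>+<keyid>.private), the key-directory path being resolved inside the chroot, and the ownership and mode of the private key files. The following helper script is an added example written for this post, not code from the thread or from ISC; it assumes POSIX sh with ls and mktemp available, and the function names (key_id_from_filename, list_zone_keys, audit_private_key_perms, chroot_key_dir) are hypothetical. The algorithm-number table covers the registry values in common use; any other number is printed as ALGnnn.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a BIND key-directory.

# Map the three-digit algorithm number from a key file name to the mnemonic
# that older named versions print in "zone/ALGORITHM/keyid" messages.
dnssec_alg_name() {
    case "$1" in
        005) echo RSASHA1 ;;
        007) echo NSEC3RSASHA1 ;;
        008) echo RSASHA256 ;;
        010) echo RSASHA512 ;;
        013) echo ECDSAP256SHA256 ;;
        014) echo ECDSAP384SHA384 ;;
        015) echo ED25519 ;;
        *)   echo "ALG$1" ;;
    esac
}

# Kbitcorner.de.+005+16938.private -> bitcorner.de/RSASHA1/16938
key_id_from_filename() {
    f=${1##*/}; f=${f%.private}; f=${f%.key}; f=${f#K}
    zone=${f%%.+*}; rest=${f#*.+}       # zone keeps no trailing dot
    alg=${rest%%+*}; keyid=${rest#*+}
    echo "$zone/$(dnssec_alg_name "$alg")/$keyid"
}

# Print the key IDs named can load for zone $2 from key-directory $1.
# A key is only usable when both the .key and the .private file exist;
# orphans are reported on stderr. Returns 1 if no complete pair is found.
list_zone_keys() {
    kdir=$1; kzone=$2; found=0
    for priv in "$kdir"/K"$kzone".+*.private; do
        [ -f "$priv" ] || continue
        pub=${priv%.private}.key
        if [ -f "$pub" ]; then
            key_id_from_filename "$priv"
            found=$((found + 1))
        else
            echo "warning: $priv has no matching .key file" >&2
        fi
    done
    [ "$found" -gt 0 ]
}

# Report private keys not owned by the named user ($2) or with a mode wider
# than -rw------- (a trailing '.' or '+' from ACL/SELinux labels is tolerated).
audit_private_key_perms() {
    kdir=$1; user=$2; bad=0
    for priv in "$kdir"/K*.private; do
        [ -f "$priv" ] || continue
        set -- $(ls -l "$priv")      # mode links owner group size ... name
        mode=$1; owner=$3
        case "$mode" in
            -rw-------*) ;;
            *) echo "wide mode $mode: $priv"; bad=$((bad + 1)) ;;
        esac
        [ "$owner" = "$user" ] || { echo "owner $owner != $user: $priv"; bad=$((bad + 1)); }
    done
    [ "$bad" -eq 0 ]
}

# With a chrooted named, key-directory in named.conf is resolved inside the
# chroot, so on the host the files must live at <chroot><key-directory>.
chroot_key_dir() {
    printf '%s\n' "${1%/}$2"
}

# Usage (constructed values): list keys and audit their permissions.
# list_zone_keys /var/lib/named/var/lib/named/keys bitcorner.de
# audit_private_key_perms /var/lib/named/var/lib/named/keys named
# chroot_key_dir /var/lib/named /var/lib/named/keys
```

Run list_zone_keys against the host-side path that chroot_key_dir prints, not the path as written in named.conf; if the two differ, named is looking in a directory the host view does not show you. The permission audit is deliberately strict about ownership: a -rw------- key owned by root is unreadable to a named process running as the named user even though the mode looks correct.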