new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?
PGNet Dev
pgnet.dev at gmail.com
Mon Oct 17 01:13:30 UTC 2022
> In addition to what Matthijs said, please make sure that all path components
> in /data/chroot/named/keys/dnssec/example.com/ need to have correct permissions,
> this is easy to get wrong. I've burnt on this too many times.
>
> Easiest way how to test is switching to the user that named runs under and try
> changing to the directory and checking if you can access the files.
i've double-checked my perms; if that's the cause, i've missed it :_/
testing without dnssec-policy autosigning, just manually signing,
for an active/healthy, dnssec-signed zone
rndc dnssec -status example.com IN external
dnssec-policy: pgnd
current time: Sun Oct 16 20:44:05 2022
key: 10729 (ECDSAP256SHA256), ZSK
published: yes - since Sat Oct 15 15:52:05 2022
zone signing: yes - since Sat Oct 15 15:52:05 2022
Next rollover scheduled on Sun Oct 30 13:47:05 2022
- goal: omnipresent
- dnskey: omnipresent
- zone rrsig: rumoured
key: 57122 (ECDSAP256SHA256), KSK
published: yes - since Sat Oct 15 15:52:05 2022
key signing: yes - since Sat Oct 15 15:52:05 2022
No rollover scheduled
- goal: omnipresent
- dnskey: omnipresent
- ds: hidden
- key rrsig: omnipresent
trying a manual rollover
rndc dnssec -rollover -key 10729 example.com IN external
Error executing rollover command: error occurred writing key to disk
where, even with debug logging, all that i see on exec is
2022-10-16T20:56:49.979144-04:00 ns named[2036]: 16-Oct-2022 20:56:49.977 general: info: received control channel command 'dnssec -rollover -key 10729 example.com IN external'
is there a way to determine what data is being attempted to write to which file/location on disk?
or, generally, any more detail about what "error occurred" ?
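An added example of the permission check the quoted reply recommends (this script is not part of the original post, nor of BIND): it walks every path component of a key directory as a given uid and group set and reports the first component that denies traversal, listing or writing, since a rollover has to write new key files into that directory. Assumptions made here: plain owner/group/other mode bits only (POSIX ACLs and root's DAC bypass are not modelled, which is fine for the unprivileged user named runs as via -u); with named -t <chroot> the directory must be checked at its host path; the file name check_key_path.py and the demo() tree are constructed for illustration.

```python
import grp
import os
import pwd
import shutil
import stat
import sys
import tempfile


def _effective_bits(st, uid, gids):
    """Return the rwx triple classic Unix DAC applies for uid/gids on this inode.

    Exactly one class is chosen: owner if the uid matches, otherwise group if
    any of the caller's gids match, otherwise 'other'.  ACLs and root's DAC
    bypass are not modelled (assumption: named runs unprivileged via -u).
    """
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return (st.st_mode >> shift) & 0o7


def check_path_access(path, uid, gids, need_write=False):
    """Walk every component of `path` as the user (uid, gids).

    Every intermediate directory needs the search (x) bit.  The final entry
    needs read access, plus write access when need_write is set, as a key
    directory does for a rollover that writes new K*.key/.private/.state
    files.  Returns (ok, findings); each finding is (component, octal mode or
    None, problem description or None).  All components are reported, so the
    first non-None problem is where access really stops.
    """
    prefixes = []
    cur = os.path.abspath(path)
    while True:                        # collect "/", "/data", "/data/chroot", ...
        prefixes.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    prefixes.reverse()

    findings, ok = [], True
    for i, comp in enumerate(prefixes):
        try:
            st = os.stat(comp)
        except OSError as exc:         # missing, or this checker itself cannot stat it
            findings.append((comp, None, f"cannot stat: {exc.strerror}"))
            return False, findings
        bits = _effective_bits(st, uid, gids)
        mode = oct(stat.S_IMODE(st.st_mode))
        last = i == len(prefixes) - 1
        problem = None
        if not last or stat.S_ISDIR(st.st_mode):
            if not stat.S_ISDIR(st.st_mode):
                problem = "not a directory"
            elif not bits & 0o1:
                problem = "no search (x) permission: traversal stops here"
            elif last and not bits & 0o4:
                problem = "no read permission: cannot list key files"
            elif last and need_write and not bits & 0o2:
                problem = "no write permission: cannot write key files"
        else:                          # leaf is a regular file, e.g. one K*.private
            if not bits & 0o4:
                problem = "no read permission"
            elif need_write and not bits & 0o2:
                problem = "no write permission"
        findings.append((comp, mode, problem))
        ok = ok and problem is None
    return ok, findings


def demo():
    """Constructed keys/dnssec/example.com tree under a temp dir (not the
    poster's real /data/chroot/named layout), checked as the current user in
    three states.  Returns (ok, problem for the interesting component) each."""
    base = tempfile.mkdtemp(prefix="named-keys-")
    keys = os.path.join(base, "keys")
    zone = os.path.join(keys, "dnssec", "example.com")
    os.makedirs(zone)
    uid = os.getuid()
    gids = {os.getgid(), *os.getgroups()}

    def problem_of(findings, comp):
        return next(p for c, _m, p in findings if c == comp)

    os.chmod(keys, 0o600)              # 1) 'keys' readable but not searchable
    ok1, f1 = check_path_access(zone, uid, gids, need_write=True)
    os.chmod(keys, 0o700)
    os.chmod(zone, 0o500)              # 2) zone dir readable but not writable
    ok2, f2 = check_path_access(zone, uid, gids, need_write=True)
    os.chmod(zone, 0o700)              # 3) corrected
    ok3, f3 = check_path_access(zone, uid, gids, need_write=True)
    shutil.rmtree(base)
    return {
        "blocked_at_keys": (ok1, problem_of(f1, keys)),
        "zone_not_writable": (ok2, problem_of(f2, zone)),
        "fixed": (ok3, problem_of(f3, zone)),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:             # usage: check_key_path.py <key dir> <user named runs as>
        pw = pwd.getpwnam(sys.argv[2])
        gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if pw.pw_name in g.gr_mem}
        ok, findings = check_path_access(sys.argv[1], pw.pw_uid, gids, need_write=True)
        for comp, mode, problem in findings:
            print(f"{mode or '-':>6}  {comp}  {problem or 'ok'}")
        sys.exit(0 if ok else 1)
    print(demo())
```

Run it as root against the real directory and the account named drops to (for example `python3 check_key_path.py /data/chroot/named/keys/dnssec/example.com named`); a non-zero exit and the first flagged line point at the component to fix. The quoted advice of actually switching to that user remains the authoritative test, since this model ignores ACLs and any mount options.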