<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Carlito">Hi all,<br>
<br>
Following
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work">http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work</a>
was most useful. It turned out the package
"freeipa-server-dns" was missing. Strange, I am running DNS,
but...:<br>
<br>
</font>
<ul>
<li><font face="Carlito">I upgraded from Fedora 22 to 23 including
upgrading from IPA 4.1 to 4.2. <br>
</font></li>
<li><font face="Carlito">Also: I'm running this on a Bananapi
"server".....</font></li>
<li>There's no slave. <br>
</li>
</ul>
<br>
Anyway, ipa dnszone-show tells DNSSEC was enabled:<br>
<font face="Carlito"><br>
<br>
Allow in-line DNSSEC signing: TRUE<br>
<br>
but most likely due to the missing freeipa-server-dns
it was missing dependencies as well, for example the package
opendnssec was missing.<br>
<br>
After installing freeipa-server-dns all packages seem to be in
place, but the kasp.db file is empty:<br>
<br>
[root@ipa ~]# ls -l /var/opendnssec/kasp.db<br>
-rw-rw----. 1 ods ods 0 Feb 22 11:29 /var/opendnssec/kasp.db<br>
<br>
No wonder I still get messages like "could not get zone keys".<br>
<br>
Shouldn't a key be added? How? (without blowing the current
DNS....)<br>
<br>
Winny<br>
<br>
<br>
</font>
<div class="moz-cite-prefix">On 22-02-16 at 11:10, Petr
Spaceopendnssec wrote:<br>
</div>
<blockquote cite="mid:56CADEA2.80301@redhat.com" type="cite">
<pre wrap="">On 22.2.2016 09:36, Winfried de Heiden wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi all,
I get lots of messages in my log (journalctl -u named-pkcs11.service -p err )
like these:
Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
(signed): could not get zone keys for secure dynamic update
Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
(signed): receive_secure_serial: not found
Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
(signed): could not get zone keys for secure dynamic update
Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
(signed): receive_secure_serial: not found
Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
(signed): could not get zone keys for secure dynamic update
Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
(signed): receive_secure_serial: not found
What's going wrong here, how to fix it?
</pre>
</blockquote>
<pre wrap="">
Hello,
this might have multiple reasons.
Please walk step-by-step through the following page:
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work">http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work</a>
Additional questions:
* What version of FreeIPA and on what platform do you use?
* Is the zone signed on DNSSEC key master or on replica? Does it work on one
FreeIPA server but not on some other server?
* Did you change something lately?
</pre>
</blockquote>
<br>
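The three symptoms reported in this thread (the named-pkcs11 "could not get zone keys" errors, the missing packages, and the zero-length kasp.db) can be checked together. The following is an added example, not part of the original messages and not FreeIPA's own tooling; the function names and the sample log lines are constructed, while the path and package names are the ones quoted above.

```shell
#!/bin/sh
# Added triage sketch for the symptoms in this thread. Function names are
# hypothetical; SAMPLE_LOG is constructed, modelled on the quoted journal output.
SAMPLE_LOG='Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update
Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): receive_secure_serial: not found
Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update'

# Read journal lines on stdin; print "<count> <zone>" for each zone that
# named-pkcs11 could not find signing keys for.
zones_missing_keys() {
    awk '/named-pkcs11.*: zone .*could not get zone keys/ {
             for (i = 1; i < NF; i++)
                 if ($i == "zone") { n[$(i + 1)]++; break }
         }
         END { for (z in n) print n[z], z }' | sort -k2
}

# Report whether the OpenDNSSEC key database is missing, empty or populated.
kasp_db_state() {
    if [ ! -e "$1" ]; then echo missing
    elif [ ! -s "$1" ]; then echo empty
    else echo populated
    fi
}

# Print each named package that rpm does not report as installed
# (every package is printed when rpm itself is unavailable).
missing_packages() {
    for p in "$@"; do
        rpm -q "$p" >/dev/null 2>&1 || echo "$p"
    done
}

# Combine the three checks into one report.
triage() {
    echo "zones without keys:"
    zones_missing_keys
    echo "kasp.db: $(kasp_db_state /var/opendnssec/kasp.db)"
    echo "missing packages: $(missing_packages freeipa-server-dns opendnssec | tr '\n' ' ')"
}

# Demo on the constructed sample; on a live server feed it
# `journalctl -u named-pkcs11.service -p err` instead.
printf '%s\n' "$SAMPLE_LOG" | triage
```
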
</body>
</html>