[Freeipa-users] could not get zone keys for secure dynamic update
Petr Spacek
pspacek at redhat.com
Mon Feb 22 10:10:42 UTC 2016
On 22.2.2016 09:36, Winfried de Heiden wrote:
> Hi all,
>
> I get lot's of messages in my log (journalctl -u named-pkcs11.service -p err )
> like these:
>
> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
> (signed): could not get zone keys for secure dynamic update
> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
> (signed): receive_secure_serial: not found
> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
> (signed): could not get zone keys for secure dynamic update
> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
> (signed): receive_secure_serial: not found
> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
> (signed): could not get zone keys for secure dynamic update
> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
> (signed): receive_secure_serial: not found
>
> What's going wrong here, how to fix it?
Hello,
this might have multiple reasons.
Please walk step-by-step through following page:
http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work
Additional questions:
* What version of FreeIPA and on what platform do you use?
* Is the zone signed on DNSSEC key master or on replica? Does it work on one
FreeIPA server but not on some other server?
* Did you change something lately?
--
Petr^2 Spacek
More information about the Freeipa-users
mailing list