[Freeipa-users] could not get zone keys for secure dynamic update
Petr Spacek
pspacek at redhat.com
Mon Feb 22 15:31:52 UTC 2016
On 22.2.2016 14:02, Winfried de Heiden wrote:
> Hi all,
>
> Following
> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work was
> most useful. It turned out the package "freeipa-server-dns" was missing.
> Strange, I am running DNS, but...:
>
> * I upgraded from Fedora 22 to 23 including upgrading from IPA 4.1 to 4.2.
> * Also: I'm running this on a Bananapi "server".....
> * There's no slave.
>
>
> Anyway, ipa dnszone-show tells DNSSEC was enabled:
>
>
> Allow in-line DNSSEC signing: TRUE
>
> but most likely due to the missing freeipa-server-dns it was missing
> dependencies as well, for example the package opendnssec was missing.
>
> After installing freeipa-server-dns all packages seem to be in place, but the
> kasp.db file is empty:
>
> root at ipa ~]# ls -l /var/opendnssec/kasp.db
> -rw-rw----. 1 ods ods 0 Feb 22 11:29 /var/opendnssec/kasp.db
>
> No wonder I still get messages like "could not get zone keys".
>
> Shouldn't a key be added? How? (without blowing the current DNS....)
DNSSEC key master should do that automatically.
Please continue with next steps as described on
http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured
and we will see.
Petr^2 Spacek
>
> Winny
>
>
> On 22-02-16 at 11:10, Petr Spacek wrote:
>> On 22.2.2016 09:36, Winfried de Heiden wrote:
>>> Hi all,
>>>
>>> I get lots of messages in my log (journalctl -u named-pkcs11.service -p err)
>>> like these:
>>>
>>> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>> (signed): could not get zone keys for secure dynamic update
>>> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>> (signed): receive_secure_serial: not found
>>> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>> (signed): could not get zone keys for secure dynamic update
>>> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>> (signed): receive_secure_serial: not found
>>> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>> (signed): could not get zone keys for secure dynamic update
>>> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>> (signed): receive_secure_serial: not found
>>>
>>> What's going wrong here, how to fix it?
>> Hello,
>>
>> this might have multiple reasons.
>>
>> Please walk step-by-step through the following page:
>> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work
>>
>> Additional questions:
>> * What version of FreeIPA and on what platform do you use?
>> * Is the zone signed on DNSSEC key master or on replica? Does it work on one
>> FreeIPA server but not on some other server?
>> * Did you change something lately?
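The two symptoms discussed in this thread (repeated "could not get zone keys" errors from named-pkcs11 for a signed zone, and a zero-byte /var/opendnssec/kasp.db) can be checked together from a script. The following is an added example, not code from the thread or from FreeIPA; the journal lines are the ones quoted above, embedded as constructed sample input, and the kasp.db path is a parameter so the check can run against a test file.

```python
import re
from collections import Counter, defaultdict
from pathlib import Path

# Constructed sample input: the journal lines quoted in the thread.
SAMPLE_JOURNAL = """\
Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update
Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): receive_secure_serial: not found
Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update
Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): receive_secure_serial: not found
Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update
"""

# Matches named-pkcs11 messages for a signed zone; captures zone name and message text.
LINE_RE = re.compile(
    r"named-pkcs11\[\d+\]: zone (?P<zone>[^/\s]+)/IN \(signed\): (?P<msg>.+)$"
)

# The two messages the thread is about.
KEY_ERRORS = (
    "could not get zone keys for secure dynamic update",
    "receive_secure_serial: not found",
)

def summarize_zone_errors(journal_text):
    """Return {zone: Counter(message -> count)} for the DNSSEC key errors."""
    per_zone = defaultdict(Counter)
    for line in journal_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("msg") in KEY_ERRORS:
            per_zone[m.group("zone")][m.group("msg")] += 1
    return dict(per_zone)

def kasp_db_is_empty(path="/var/opendnssec/kasp.db"):
    """True if the OpenDNSSEC key database is missing or zero bytes (as in the thread)."""
    p = Path(path)
    return (not p.exists()) or p.stat().st_size == 0

def diagnose(journal_text, kasp_path="/var/opendnssec/kasp.db"):
    """Combine both symptoms into a list of findings, one string per finding."""
    findings = []
    for zone, counts in summarize_zone_errors(journal_text).items():
        n = counts.get(KEY_ERRORS[0], 0)
        if n:
            findings.append(f"{zone}: {n} 'could not get zone keys' errors; zone is signed but named has no keys")
    if kasp_db_is_empty(kasp_path):
        findings.append(f"{kasp_path} is missing or empty: OpenDNSSEC has not generated any keys")
    return findings

if __name__ == "__main__":
    # On a real server: journalctl -u named-pkcs11.service -p err | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JOURNAL
    for finding in diagnose(text):
        print(finding)
```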