[Freeipa-users] could not get zone keys for secure dynamic update

Petr Spacek pspacek at redhat.com
Tue Feb 23 13:52:06 UTC 2016


On 23.2.2016 14:18, Winfried de Heiden wrote:
> Hi all,
> 
> And so did I, following 
> http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured:
> 
> ipa-dns-install --dnssec-master
> 
> The log file for this installation can be found in /var/log/ipaserver-install.log
> ==============================================================================
> This program will setup DNS for the FreeIPA Server.
> 
> This includes:
>    * Configure DNS (bind)
>    * Configure SoftHSM (required by DNSSEC)
>    * Configure ipa-dnskeysyncd (required by DNSSEC)
>    * Configure ipa-ods-exporter (required by DNSSEC key master)
>    * Configure OpenDNSSEC (required by DNSSEC key master)
>    * Generate DNSSEC master key (required by DNSSEC key master)
> 
> NOTE: DNSSEC zone signing is not enabled by default
> 
> Plan carefully, replacing DNSSEC key master is not recommended
> 
> 
> To accept the default shown in brackets, press the Enter key.
> 
> Do you want to setup this IPA server as DNSSEC key master? [no]: yes
> DNSSEC signing is already enabled for following zone(s): example.com.
> Installation cannot continue without the OpenDNSSEC database file from the 
> original DNSSEC master server.
> Please use option --kasp-db to specify location of the kasp.db file copied from 
> the original DNSSEC master server.
> WARNING: Zones will become unavailable if you do not provide the original 
> kasp.db file.
> 
> However, it seems like I don't have a key, that was the problem in the first 
> place....

Right. This is a special case so you need to provide --force option to
override the check and continue with installation.

When you do that, please go through the Troubleshooting page again, hopefully
it will help.

Petr^2 Spacek


> Anyway, trying to continue:
> 
> bash-4.3$ ods-ksmutil zone list
> zonelist filename set to /etc/opendnssec/zonelist.xml.
> Cannot open destination file, will not make backup.
> No zones in DB or zonelist.
> 
> Indeed, the file /etc/opendnssec/zonelist.xml is the one installed by default, only 
> having the unused example zones.
> 
> Also, python2 /usr/lib/python2.*/site-packages/ipapython/dnssec/localhsm.py does 
> not show any zone private keys.
> 
> It still looks like these are not created.
> 
> So, it still looks like DNSSEC signing is enabled, but the key is not there.
> 
> Winny
> 
> On 22-02-16 at 16:31, Petr Spacek wrote:
>> On 22.2.2016 14:02, Winfried de Heiden wrote:
>>> Hi all,
>>>
>>> Following
>>> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work was
>>> most useful. It turned out the package "freeipa-server-dns" was missing.
>>> Strange, I am running DNS, but...:
>>>
>>>    * I upgraded from Fedora 22 to 23, including upgrading from IPA 4.1 to 4.2.
>>>    * Also: I'm running this on a Bananapi "server".....
>>>    * There's no slave.
>>>
>>>
>>> Anyway, ipa dnszone-show tells me DNSSEC was enabled:
>>>
>>>
>>>      Allow in-line DNSSEC signing: TRUE
>>>
>>> but most likely due to the missing freeipa-server-dns it was missing
>>> dependencies as well, for example the package opendnssec was missing.
>>>
>>> After installing freeipa-server-dns all packages seem to be in place, but the
>>> kasp.db file is empty:
>>>
>>> [root@ipa ~]# ls -l /var/opendnssec/kasp.db
>>> -rw-rw----. 1 ods ods 0 Feb 22 11:29 /var/opendnssec/kasp.db
>>>
>>> No wonder I still get messages like "could not get zone keys".
>>>
>>> Shouldn't a key be added? How? (without blowing the current DNS....)
>> DNSSEC key master should do that automatically.
>>
>> Please continue with next steps as described on
>> http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured
>> and we will see.
>>
>> Petr^2 Spacek
>>
>>> Winny
>>>
>>>
>>> On 22-02-16 at 11:10, Petr Spacek wrote:
>>>> On 22.2.2016 09:36, Winfried de Heiden wrote:
>>>>> Hi all,
>>>>>
>>>>> I get lots of messages in my log (journalctl -u named-pkcs11.service -p err)
>>>>> like these:
>>>>>
>>>>> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>>> (signed): could not get zone keys for secure dynamic update
>>>>> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>>> (signed): receive_secure_serial: not found
>>>>> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>>> (signed): could not get zone keys for secure dynamic update
>>>>> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>>> (signed): receive_secure_serial: not found
>>>>> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>>> (signed): could not get zone keys for secure dynamic update
>>>>> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>>> (signed): receive_secure_serial: not found
>>>>>
>>>>> What's going wrong here, how to fix it?
>>>> Hello,
>>>>
>>>> this might have multiple reasons.
>>>>
>>>> Please walk step-by-step through following page:
>>>> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work
>>>>
>>>> Additional questions:
>>>> * What version of FreeIPA and on what platform do you use?
>>>> * Is the zone signed on DNSSEC key master or on replica? Does it work on one
>>>> FreeIPA server but not on some other server?
>>>> * Did you change something lately?

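The thread above narrows the "could not get zone keys for secure dynamic update" errors down to three pieces of evidence: the named-pkcs11 journal, a 0-byte /var/opendnssec/kasp.db, and a stock /etc/opendnssec/zonelist.xml that only lists the shipped example zones. The script below is an added example (not part of the thread and not FreeIPA or OpenDNSSEC code) that turns those three checks into a small diagnostic. It assumes the default paths quoted in the thread and the `<Zone name="...">` element that OpenDNSSEC uses in zonelist.xml; the sample journal lines are constructed after the ones Winfried posted, and the verdict labels (keys-missing-no-kasp etc.) are my own naming.

```shell
#!/bin/sh
# Diagnose "could not get zone keys for secure dynamic update" on a FreeIPA
# DNSSEC key master. Added example; paths are the defaults from the thread.

# Constructed sample of `journalctl -u named-pkcs11.service -p err` output,
# modelled on the lines in the thread (not real log data).
sample_named_log() {
cat <<'EOF'
Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update
Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): receive_secure_serial: not found
Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update
Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone 10.in-addr.arpa/IN (signed): could not get zone keys for secure dynamic update
EOF
}

# Zones that named-pkcs11 reported as missing signing keys (journal on stdin),
# one per line, de-duplicated.
zones_missing_keys() {
    sed -n 's/.*zone \([^ ]*\)\/IN (signed): could not get zone keys for secure dynamic update.*/\1/p' | sort -u
}

# kasp.db is where OpenDNSSEC keeps key state. A 0-byte file, as in the thread,
# means the key master never generated anything. 0 = present and non-empty.
kasp_db_populated() {
    [ -s "${1:-/var/opendnssec/kasp.db}" ]
}

# Is ZONE registered in OpenDNSSEC's zonelist.xml? The stock file only carries
# the shipped example entries, so a live zone missing here means it was never
# handed to OpenDNSSEC. Trailing dot (FreeIPA style) is tolerated.
zone_in_zonelist() {
    grep -q "<Zone name=\"${1%.}\"" "${2:-/etc/opendnssec/zonelist.xml}" 2>/dev/null
}

# Classify one zone. Prints exactly one of:
#   ok                        no key errors logged for this zone
#   keys-missing-no-kasp      kasp.db empty: DNSSEC master never generated keys
#   keys-missing-not-enrolled kasp.db has data but zone absent from zonelist.xml
#   keys-missing-other        zone enrolled and keys exist in kasp.db, yet named
#                             still cannot fetch them (look at ipa-dnskeysyncd/SoftHSM)
diagnose_zone() {
    zone="${1%.}"; log="$2"; db="$3"; list="$4"
    if ! zones_missing_keys <"$log" | grep -qx "$zone"; then
        echo ok; return 0
    fi
    if ! kasp_db_populated "$db"; then
        echo keys-missing-no-kasp
    elif ! zone_in_zonelist "$zone" "$list"; then
        echo keys-missing-not-enrolled
    else
        echo keys-missing-other
    fi
}

# Tab-separated "zone<TAB>verdict" for every zone the journal complains about.
report() {
    log="$1"; db="${2:-/var/opendnssec/kasp.db}"; list="${3:-/etc/opendnssec/zonelist.xml}"
    zones_missing_keys <"$log" | while read -r z; do
        printf '%s\t%s\n' "$z" "$(diagnose_zone "$z" "$log" "$db" "$list")"
    done
}

# Stand-alone run: evaluate the constructed sample journal against the live
# default paths. On a real host replace the sample with
#   journalctl -u named-pkcs11.service -p err --no-pager > /tmp/named.log
demo_log=$(mktemp)
sample_named_log >"$demo_log"
report "$demo_log"
rm -f "$demo_log"
```

On a host in the state the thread describes, every zone comes back as keys-missing-no-kasp, which matches Petr's diagnosis: the key master has to be (re)installed with `ipa-dns-install --dnssec-master` so that OpenDNSSEC generates keys, and only after kasp.db and zonelist.xml are populated does it make sense to look further down the chain at ipa-dnskeysyncd or SoftHSM.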