[Freeipa-users] Unable to configure DNSSEC signing

Gary T. Giesen ggiesen+freeipa-users at giesen.me
Tue May 3 00:40:06 UTC 2016


I've followed the guide at https://www.freeipa.org/page/Howto/DNSSEC to
configure DNSSEC support in my FreeIPA 4.2/CentOS 7.2 installation, but I've
been unable for the life of me to get it to sign zones. I've followed the
steps at
http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work but
as yet have been unable to get signing to work.

# ipa dnszone-show example.com
  Zone name: example.com.
  Active zone: TRUE
  Authoritative nameserver: host.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1462235022
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;
  Allow in-line DNSSEC signing: TRUE

################################################################################

ldapsearch -Y GSSAPI '(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'
SASL/GSSAPI authentication started
SASL username: admin at EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: (&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))
# requesting: ALL
#

# DNSSEC, host.example.com, masters, ipa, etc, example.com
dn: cn=DNSSEC,cn=host.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
objectClass: ipaConfigObject
objectClass: nsContainer
objectClass: top
ipaConfigString: dnssecKeyMaster
ipaConfigString: startOrder 100
ipaConfigString: enabledService
cn: DNSSEC

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

################################################################################

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

################################################################################

$ ods-ksmutil zone list
zonelist filename set to /etc/opendnssec/zonelist.xml.
No zones in DB or zonelist.


Per the instructions, I've restarted ipa-dnskeysyncd, but it has had no
effect. The only log entries I see are:

# journalctl -u ipa-dnskeysyncd

May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa         : INFO     Signal 15 received: Shutting down!
May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING: session memcached servers not running
May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa         : INFO     LDAP bind...
May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa         : INFO     Commencing sync process

Can anyone advise on next steps? I've been banging my head against a wall
for a couple days now and would really appreciate some help.
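The checks the post walks through (zone has in-line signing enabled, an enabled dnssecKeyMaster entry exists in LDAP, the relevant services are running, the zone appears in the OpenDNSSEC zonelist) can be consolidated into one script that parses the command output and reports which step failed. The following is an added example written for this page, not code from the post or from FreeIPA. It reads the saved output of the four commands rather than running them, and the embedded samples are the outputs quoted in the post. The `Found Zone: <name>; on policy <policy>` line format for a non-empty `ods-ksmutil zone list`, and the choice of `named`, `ipa-dnskeysyncd` and `ods-enforcerd` as the services that must be RUNNING, are assumptions drawn from the steps the post runs, not something the post itself states.

```python
"""Consolidate the FreeIPA DNSSEC signing checks into one report.

Added example for this thread; it parses captured command output, it does
not run the commands itself. Samples below are the outputs quoted in the post.
"""
import re

# Assumption: these services must report RUNNING for in-line signing to work.
REQUIRED_SERVICES = ("named", "ipa-dnskeysyncd", "ods-enforcerd")

# --- constructed samples: the outputs quoted in the post -------------------
ZONE_SHOW = """  Zone name: example.com.
  Active zone: TRUE
  Authoritative nameserver: host.example.com.
  SOA serial: 1462235022
  Allow query: any;
  Allow transfer: none;
  Allow in-line DNSSEC signing: TRUE
"""

IPACTL_STATUS = """Directory Service: RUNNING
krb5kdc Service: RUNNING
named Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
"""

KEYMASTER_LDIF = """# DNSSEC, host.example.com, masters, ipa, etc, example.com
dn: cn=DNSSEC,cn=host.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
objectClass: ipaConfigObject
objectClass: nsContainer
objectClass: top
ipaConfigString: dnssecKeyMaster
ipaConfigString: startOrder 100
ipaConfigString: enabledService
cn: DNSSEC

# search result
search: 4
result: 0 Success
"""

ODS_EMPTY = """zonelist filename set to /etc/opendnssec/zonelist.xml.
No zones in DB or zonelist.
"""


def parse_dnszone_show(text):
    """Map 'Attribute: value' lines of `ipa dnszone-show` to a dict."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            attrs[key] = value
    return attrs


def parse_ipactl_status(text):
    """Map each '<name> Service: <STATE>' line of `ipactl status` to {name: state}."""
    services = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?) Service: (\S+)$", line.strip())
        if m:
            services[m.group(1)] = m.group(2)
    return services


def parse_ldif_entries(text):
    """Minimal LDIF reader: entries become {attr: [values]}; comments are skipped,
    a blank line ends an entry, and a leading-space line continues the last value."""
    entries, current, last_key = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if line.startswith(" ") and last_key:
            current[last_key][-1] += line[1:]
            continue
        key, _, value = line.partition(": ")
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        entries.append(current)
    return entries


def find_key_masters(ldif_text):
    """DNs of entries carrying both dnssecKeyMaster and enabledService."""
    wanted = {"dnssecKeyMaster", "enabledService"}
    return [e["dn"][0] for e in parse_ldif_entries(ldif_text)
            if "dn" in e and wanted <= set(e.get("ipaConfigString", []))]


def parse_ods_zone_list(text):
    """Zone names from `ods-ksmutil zone list`; assumed line format
    'Found Zone: <name>; on policy <policy>'. Empty list when no zones."""
    return [m.group(1) for m in re.finditer(r"^Found Zone: ([^;]+);", text, re.M)]


def diagnose(zone, zone_show, ipactl, ldif, ods):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if parse_dnszone_show(zone_show).get("Allow in-line DNSSEC signing") != "TRUE":
        findings.append("in-line DNSSEC signing is not enabled on the zone")
    if not find_key_masters(ldif):
        findings.append("no enabled dnssecKeyMaster entry found in LDAP")
    status = parse_ipactl_status(ipactl)
    for svc in REQUIRED_SERVICES:
        if status.get(svc) != "RUNNING":
            findings.append("service %s is %s" % (svc, status.get(svc, "missing")))
    if zone.rstrip(".") not in parse_ods_zone_list(ods):
        findings.append("zone %s is absent from the OpenDNSSEC zonelist" % zone)
    return findings


if __name__ == "__main__":
    for f in diagnose("example.com", ZONE_SHOW, IPACTL_STATUS, KEYMASTER_LDIF, ODS_EMPTY):
        print("FAIL:", f)
```

Run against the post's own output, the only check that fails is the last one: the zone never reached the OpenDNSSEC zonelist, which localises the problem to the hand-off between ipa-dnskeysyncd and OpenDNSSEC rather than to the zone settings, the key master entry or the service states. Replacing the sample constants with the live output of the four commands turns this into a quick post-change check after any DNSSEC configuration work.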