[Freeipa-users] Unable to configure DNSSEC signing
Gary T. Giesen
ggiesen+freeipa-users at giesen.me
Tue May 3 00:40:06 UTC 2016
I've followed the guide at https://www.freeipa.org/page/Howto/DNSSEC to
configure DNSSEC support in my FreeIPA 4.2/CentOS 7.2 installation, but I've
been unable for the life of me to get it to sign zones. I've followed the
steps at
http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work but
as yet have been unable to get signing to work.
# ipa dnszone-show example.com
Zone name: example.com.
Active zone: TRUE
Authoritative nameserver: host.example.com.
Administrator e-mail address: hostmaster.example.com.
SOA serial: 1462235022
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Allow query: any;
Allow transfer: none;
Allow in-line DNSSEC signing: TRUE
################################################################################
ldapsearch -Y GSSAPI '(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'
SASL/GSSAPI authentication started
SASL username: admin at EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: (&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))
# requesting: ALL
#
# DNSSEC, host.example.com, masters, ipa, etc, example.com
dn: cn=DNSSEC,cn=host.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
objectClass: ipaConfigObject
objectClass: nsContainer
objectClass: top
ipaConfigString: dnssecKeyMaster
ipaConfigString: startOrder 100
ipaConfigString: enabledService
cn: DNSSEC
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
################################################################################
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
################################################################################
$ ods-ksmutil zone list
zonelist filename set to /etc/opendnssec/zonelist.xml.
No zones in DB or zonelist.
Per the instructions, I've restarted ipa-dnskeysyncd, but it has had no
effect. The only log entries I see are:
# journalctl -u ipa-dnskeysyncd
May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa : INFO Signal 15 received: Shutting down!
May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING: session memcached servers not running
May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO LDAP bind...
May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO Commencing sync process
Can anyone advise on next steps? I've been banging my head against a wall
for a couple days now and would really appreciate some help.
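The checks the poster walks through (zone flagged for inline signing, a single dnssecKeyMaster entry, the DNSSEC services up, OpenDNSSEC knowing the zone) can be scripted so the outputs are triaged consistently. This is an added example, not code from the post or from FreeIPA; it parses constructed copies of the outputs quoted above and reports which step fails. Check names and the helper functions are my own; whether ipa-ods-exporter is expected to show RUNNING on the poster's system is not settled by the post, so that result is reported, not judged.

```python
import re

# Constructed samples: trimmed copies of the outputs quoted in the post.
ZONE_SHOW = "Allow in-line DNSSEC signing: TRUE\n"

KEYMASTER_LDIF = """dn: cn=DNSSEC,cn=host.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
ipaConfigString: dnssecKeyMaster
ipaConfigString: enabledService
"""

IPACTL_STATUS = """Directory Service: RUNNING
named Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
"""

ODS_ZONELIST = "zonelist filename set to /etc/opendnssec/zonelist.xml.\nNo zones in DB or zonelist.\n"


def parse_ipactl(text):
    """Map 'ipactl status' lines of the form '<name> Service: <STATE>' to {name: state}."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^(\S+) Service: (\S+)$", text, re.M)}


def keymaster_entries(ldif):
    """Count LDIF entries (blocks starting with 'dn:') returned by the key-master search."""
    return sum(1 for block in ldif.strip().split("\n\n") if block.startswith("dn:"))


def dnssec_triage(zone_show, ipactl_status, keymaster_ldif, ods_zonelist):
    """Return {check: passed} for each step of the DNSSEC signing pipeline."""
    svc = parse_ipactl(ipactl_status)
    return {
        "zone_inline_signing_enabled": "Allow in-line DNSSEC signing: TRUE" in zone_show,
        "single_dnssec_keymaster": keymaster_entries(keymaster_ldif) == 1,
        "named_running": svc.get("named") == "RUNNING",
        "ods_enforcerd_running": svc.get("ods-enforcerd") == "RUNNING",
        "ipa_dnskeysyncd_running": svc.get("ipa-dnskeysyncd") == "RUNNING",
        "ipa_ods_exporter_running": svc.get("ipa-ods-exporter") == "RUNNING",
        "zone_known_to_opendnssec": "No zones in DB" not in ods_zonelist,
    }


def failed_checks(results):
    """Names of the checks that did not pass, in pipeline order."""
    return [name for name, ok in results.items() if not ok]


if __name__ == "__main__":
    r = dnssec_triage(ZONE_SHOW, IPACTL_STATUS, KEYMASTER_LDIF, ODS_ZONELIST)
    print("failed:", failed_checks(r))
```

On the poster's outputs the first failing step after the key-master and daemon checks is the empty OpenDNSSEC zone list, which is where the investigation should focus.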