[Freeipa-users] Unable to configure DNSSEC signing

Martin Basti mbasti at redhat.com
Tue May 3 08:05:43 UTC 2016



On 03.05.2016 02:40, Gary T. Giesen wrote:
> I've followed the guide at https://www.freeipa.org/page/Howto/DNSSEC to
> configure DNSSEC support in my FreeIPA 4.2/CentOS 7.2 installation, but I've
> been unable for the life of me to get it to sign zones. I've followed the
> steps at
> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work but
> as yet have been unable to get signing to work.
>
> # ipa dnszone-show example.com
>    Zone name: example.com.
>    Active zone: TRUE
>    Authoritative nameserver: host.example.com.
>    Administrator e-mail address: hostmaster.example.com.
>    SOA serial: 1462235022
>    SOA refresh: 3600
>    SOA retry: 900
>    SOA expire: 1209600
>    SOA minimum: 3600
>    Allow query: any;
>    Allow transfer: none;
>    Allow in-line DNSSEC signing: TRUE
>
> ################################################################################
>
> ldapsearch -Y GSSAPI '(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'
> SASL/GSSAPI authentication started
> SASL username: admin at EXAMPLE.COM
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=com> (default) with scope subtree
> # filter: (&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))
> # requesting: ALL
> #
>
> # DNSSEC, host.example.com, masters, ipa, etc, example.com
> dn: cn=DNSSEC,cn=host.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
> objectClass: ipaConfigObject
> objectClass: nsContainer
> objectClass: top
> ipaConfigString: dnssecKeyMaster
> ipaConfigString: startOrder 100
> ipaConfigString: enabledService
> cn: DNSSEC
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> ################################################################################
>
> # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-ods-exporter Service: STOPPED
> ods-enforcerd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> ################################################################################
>
> $ ods-ksmutil zone list
> zonelist filename set to /etc/opendnssec/zonelist.xml.
> No zones in DB or zonelist.
>
>
> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had no
> effect. The only log entries I see are:
>
> # journalctl -u ipa-dnskeysyncd
>
> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa         : INFO     Signal 15 received: Shutting down!
> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING: session memcached servers not running
> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa         : INFO     LDAP bind...
> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa         : INFO     Commencing sync process
>
>
>
> Can anyone advise on next steps? I've been banging my head against a wall
> for a couple days now and would really appreciate some help.
>
Hello,

Can you please check journalctl -u named-pkcs11?

Martin
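The checks walked through in this thread (the zone's in-line signing attribute, the service states from `ipactl status`, and the OpenDNSSEC zone list) are easy to script so that a repeat run on another replica gives a quick, consistent picture. The following is an added example, not code from the thread or from FreeIPA: it parses captured output of those three commands and reports which preconditions for signing are not met. The set of services it expects to be RUNNING is an assumption drawn from the services visible in the `ipactl status` output above, and the sample outputs are constructed to mirror the shape of the ones posted.

```python
import re

# Services whose state matters for DNSSEC key handling on a key master.
# This list is an assumption drawn from the services visible in the thread.
DNSSEC_SERVICES = ("named", "ipa-ods-exporter", "ods-enforcerd", "ipa-dnskeysyncd")


def parse_ipactl_status(text):
    """Map service name -> state from `ipactl status` output."""
    states = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+) Service: (RUNNING|STOPPED)$", line.strip())
        if m:
            states[m.group(1)] = m.group(2)
    return states


def parse_dnszone_show(text):
    """Map attribute label -> value from `ipa dnszone-show` output."""
    attrs = {}
    for line in text.splitlines():
        label, sep, value = line.strip().partition(":")
        if sep:
            attrs[label.strip()] = value.strip()
    return attrs


def ods_lists_zone(text, zone):
    """True if `ods-ksmutil zone list` output mentions the zone."""
    if "No zones in DB or zonelist" in text:
        return False
    name = zone.rstrip(".")
    return any(name in line for line in text.splitlines())


def triage(ipactl_out, dnszone_out, ods_out, zone):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    states = parse_ipactl_status(ipactl_out)
    for svc in DNSSEC_SERVICES:
        state = states.get(svc, "missing")
        if state != "RUNNING":
            findings.append(f"service {svc} is {state}, expected RUNNING")
    attrs = parse_dnszone_show(dnszone_out)
    if attrs.get("Allow in-line DNSSEC signing") != "TRUE":
        findings.append(f"zone {zone}: in-line DNSSEC signing is not enabled")
    if not ods_lists_zone(ods_out, zone):
        findings.append(f"zone {zone}: not present in the OpenDNSSEC zone list")
    return findings


# Constructed sample outputs mirroring the shape of those posted in the thread.
SAMPLE_IPACTL = """\
Directory Service: RUNNING
named Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
"""

SAMPLE_DNSZONE = """\
  Zone name: example.com.
  Active zone: TRUE
  Allow in-line DNSSEC signing: TRUE
"""

SAMPLE_ODS_EMPTY = (
    "zonelist filename set to /etc/opendnssec/zonelist.xml.\n"
    "No zones in DB or zonelist.\n"
)


if __name__ == "__main__":
    # Prints one line per unmet precondition; silence means all checks passed.
    for finding in triage(SAMPLE_IPACTL, SAMPLE_DNSZONE, SAMPLE_ODS_EMPTY, "example.com"):
        print("CHECK:", finding)
```

On a live host, replace the sample strings with the captured output of the three commands (for example via `subprocess.run(..., capture_output=True, text=True).stdout`). The script only reports which preconditions are unmet; it does not claim which one is the root cause, which is why the next step in the thread is still to read the `named-pkcs11` journal.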