[Freeipa-users] Unable to configure DNSSEC signing
Petr Spacek
pspacek at redhat.com
Tue May 3 11:33:17 UTC 2016
On 3.5.2016 13:28, Gary T. Giesen wrote:
> 1. Confirmed, it was already set to ISMASTER=1
>
> 2. Logs:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-1
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: host.exa
The log seems to be truncated. Please attach it as a file to avoid truncation
and line wrapping problems.
Thanks
Petr^2 Spacek
>
>
> 3. # rpm -q ipa-server
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
> Sent: May-03-16 7:08 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>
> Okay, this is a problem. It should list your zone example.com because it has
> DNSSEC signing enabled.
>
> Make sure you are working on host.example.com (the host listed by the
> ldapsearch above).
>
> I would check two things:
> 1. The file /etc/sysconfig/ipa-dnskeysyncd contains the line "ISMASTER=1".
> If it does not, re-run ipa-dns-install with the --dnssec-master option to
> fix that.
>
> 2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and make
> sure that it contains the line "debug=True", and restart ipa-dnskeysyncd
> when you are done with it.
>
> The log should be much longer after this change.
>
> I hope it will help to identify the root cause.
>
> What IPA version do you use?
> $ rpm -q freeipa-server
>
> Petr^2 Spacek
>
>
>
>> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had
>> no effect. The only log entries I see are:
>>
>> # journalctl -u ipa-dnskeysyncd
>>
>> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa : INFO Signal 15 received: Shutting down!
>> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
>> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING:
>> session memcached servers not running
>> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO LDAP bind...
>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
>> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO Commencing sync process
>>
>>
>>
>> Can anyone advise on next steps? I've been banging my head against a
>> wall for a couple days now and would really appreciate some help.
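
The two checks listed in the quoted reply above (ISMASTER=1 in /etc/sysconfig/ipa-dnskeysyncd and debug=True in /etc/ipa/default.conf), as an added shell example that is not part of the original thread or of FreeIPA itself. The function names and the SYSCONFIG_FILE and IPA_CONF override variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify the two settings named in the thread.
# SYSCONFIG_FILE / IPA_CONF are this example's own override variables
# (hypothetical names); the default paths are the ones quoted in the thread.
SYSCONFIG_FILE="${SYSCONFIG_FILE:-/etc/sysconfig/ipa-dnskeysyncd}"
IPA_CONF="${IPA_CONF:-/etc/ipa/default.conf}"

# has_setting FILE KEY VALUE
# Returns 0 when the last uncommented "KEY = VALUE" assignment in FILE has
# exactly VALUE, 1 when it is absent or different, 2 when FILE is unreadable.
# Tolerates spaces around "=", surrounding double quotes and [section] lines.
has_setting() {
    [ -r "$1" ] || return 2
    awk -v key="$2" -v want="$3" '
        /^[ \t]*[#;]/ { next }              # commented-out lines do not count
        {
            eq = index($0, "=")
            if (eq == 0) next                # section headers, blank lines
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)
            if (k == key) { last = v; found = 1 }
        }
        END { if (found && last == want) exit 0; exit 1 }
    ' "$1"
}

# Report both settings; non-zero return when either one is missing.
check_dnssec_master_config() {
    rc=0
    if has_setting "$SYSCONFIG_FILE" ISMASTER 1; then
        echo "OK: ISMASTER=1 in $SYSCONFIG_FILE"
    else
        echo "MISSING: ISMASTER=1 in $SYSCONFIG_FILE (re-run ipa-dns-install --dnssec-master)"
        rc=1
    fi
    if has_setting "$IPA_CONF" debug True; then
        echo "OK: debug=True in $IPA_CONF"
    else
        echo "MISSING: debug=True in $IPA_CONF (add it, then restart ipa-dnskeysyncd)"
        rc=1
    fi
    return $rc
}
```

Source the file and call `check_dnssec_master_config` on the DNSSEC master before collecting `journalctl -u ipa-dnskeysyncd` output.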