[Freeipa-users] Unable to configure DNSSEC signing

Gary T. Giesen ggiesen+freeipa-users at giesen.me
Tue May 3 11:37:35 UTC 2016


See attached.

GTG

-----Original Message-----
From: Petr Spacek [mailto:pspacek at redhat.com] 
Sent: May-03-16 7:33 AM
To: Gary T. Giesen <ggiesen+freeipa-users at giesen.me>;
freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

On 3.5.2016 13:28, Gary T. Giesen wrote:
> 1. Confirmed, it was already set to ISMASTER=1
> 
> 2. Logs:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Current cookie is: None
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG    LDAP zones: {'203dbe2d-8d9c-1
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    New cookie is: host.exa

The log seems to be truncated. Please attach it as a file to avoid
truncation and line wrapping problems.

Thanks
Petr^2 Spacek

> 
> 
> 3. # rpm -q ipa-server
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
> 
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com 
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
> Sent: May-03-16 7:08 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
> 
> Okay, this is a problem. It should list your zone example.com because 
> it has DNSSEC signing enabled.
> 
> Make sure you are working on host.example.com (the host listed by the 
> ldapsearch above).
> 
> I would check two things:
> 1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1". If 
> it does not, re-run ipa-dns-install with --dnssec-master option to fix that.
> 
> 2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and 
> make sure that it contains line "debug=True" and restart 
> ipa-dnskeysyncd when you are done with it.
> 
> The log should be much longer after this change.
> 
> I hope it will help to identify the root cause.
> 
> What IPA version do you use?
> $ rpm -q freeipa-server
> 
> Petr^2 Spacek
> 
> 
> 
>> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had 
>> no effect. The only log entries I see are:
>>
>> # journalctl -u ipa-dnskeysyncd
>>
>> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa         : INFO Signal 15 received: Shutting down!
>> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
>> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING: session memcached servers not running
>> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa         : INFO LDAP bind...
>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
>> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa         : INFO Commencing sync process
>>
>>
>>
>> Can anyone advise on next steps? I've been banging my head against a 
>> wall for a couple days now and would really appreciate some help.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-dnskeysyncd.log
Type: application/octet-stream
Size: 14089 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160503/6916414a/attachment.obj>

