<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Carlito">Hi all,<br>
<br>
And so did I, following
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured">http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured</a>:<br>
<br>
ipa-dns-install --dnssec-master<br>
<br>
The log file for this installation can be found in
/var/log/ipaserver-install.log<br>
==============================================================================<br>
This program will setup DNS for the FreeIPA Server.<br>
<br>
This includes:<br>
* Configure DNS (bind)<br>
* Configure SoftHSM (required by DNSSEC)<br>
* Configure ipa-dnskeysyncd (required by DNSSEC)<br>
* Configure ipa-ods-exporter (required by DNSSEC key master)<br>
* Configure OpenDNSSEC (required by DNSSEC key master)<br>
* Generate DNSSEC master key (required by DNSSEC key master)<br>
<br>
NOTE: DNSSEC zone signing is not enabled by default<br>
<br>
Plan carefully, replacing DNSSEC key master is not recommended<br>
<br>
<br>
To accept the default shown in brackets, press the Enter key.<br>
<br>
Do you want to setup this IPA server as DNSSEC key master? [no]:
yes<br>
DNSSEC signing is already enabled for following zone(s):
example.com.<br>
Installation cannot continue without the OpenDNSSEC database file
from the original DNSSEC master server.<br>
Please use option --kasp-db to specify location of the kasp.db
file copied from the original DNSSEC master server.<br>
WARNING: Zones will become unavailable if you do not provide the
original kasp.db file.<br>
<br>
However, it seems like I don't have a key; that was the problem in
the first place....<br>
<br>
Anyway, trying to continue:<br>
<br>
bash-4.3$ ods-ksmutil zone list<br>
zonelist filename set to /etc/opendnssec/zonelist.xml.<br>
Cannot open destination file, will not make backup.<br>
No zones in DB or zonelist.<br>
<br>
Indeed, the file /etc/opendnssec/zonelist.xml is the one installed by
default, containing only the unused example zones.<br>
<br>
Also, python2
/usr/lib/python2.*/site-packages/ipapython/dnssec/localhsm.py does
not show any zone private keys.<br>
<br>
It still looks like these are not created.<br>
<br>
So, it still looks like DNSSEC signing is enabled, but the key is
not there.<br>
<br>
Winny<br>
</font><br>
<div class="moz-cite-prefix">On 22-02-16 at 16:31, Petr
Spacek wrote:<br>
</div>
<blockquote cite="mid:56CB29E8.8020502@redhat.com" type="cite">
<pre wrap="">On 22.2.2016 14:02, Winfried de Heiden wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi all,
Following
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work">http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work</a> was
most useful. It turned out the package "freeipa-server-dns" was missing.
Strange, I am running DNS, but...:
* I upgraded from Fedora 22 to 23 including upgrading from IPA 4.1 to 4.2.
* Also: I'm running this on a Bananapi "server".....
* There's no slave.
Anyway, ipa dnszone-show tells DNSSEC was enabled:
Allow in-line DNSSEC signing: TRUE
but most likely due to the missing freeipa-server-dns it was missing
dependencies as well, for example the package opendnssec was missing.
After installing freeipa-server-dns all packages seem to be in place, but the
kasp.db file is empty:
[root@ipa ~]# ls -l /var/opendnssec/kasp.db
-rw-rw----. 1 ods ods 0 Feb 22 11:29 /var/opendnssec/kasp.db
No wonder I still get messages like "could not get zone keys".
Shouldn't a key be added? How? (without blowing the current DNS....)
</pre>
</blockquote>
<pre wrap="">
DNSSEC key master should do that automatically.
Please continue with next steps as described on
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured">http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured</a>
and we will see.
Petr^2 Spacek
</pre>
<blockquote type="cite">
<pre wrap="">
Winny
On 22-02-16 at 11:10, Petr Spacek wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 22.2.2016 09:36, Winfried de Heiden wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi all,
I get lots of messages in my log (journalctl -u named-pkcs11.service -p err )
like these:
Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
(signed): could not get zone keys for secure dynamic update
Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
(signed): receive_secure_serial: not found
Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
(signed): could not get zone keys for secure dynamic update
Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
(signed): receive_secure_serial: not found
Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
(signed): could not get zone keys for secure dynamic update
Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
(signed): receive_secure_serial: not found
What's going wrong here, how to fix it?
</pre>
</blockquote>
<pre wrap="">Hello,
this might have multiple reasons.
Please walk step-by-step through the following page:
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work">http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work</a>
Additional questions:
* What version of FreeIPA and on what platform do you use?
* Is the zone signed on DNSSEC key master or on replica? Does it work on one
FreeIPA server but not on some other server?
* Did you change something lately?
</pre>
</blockquote>
</blockquote>
</blockquote>
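The thread above boils down to three observations that, taken together, explain the "could not get zone keys" errors: kasp.db is zero bytes, zonelist.xml lists no real zones, and named-pkcs11 keeps failing on the signed zone. The script below is an added example, written for this page and not part of the thread or of FreeIPA/OpenDNSSEC; it parses named-pkcs11 journal lines of the shape quoted above, groups the key-related errors per zone, reads the zone names out of an OpenDNSSEC zonelist.xml, and turns the three checks into a list of findings. The function names, the sample log lines and both zonelist.xml documents are constructed for the example (the zone name opendnssec.test stands in for whatever the distribution's default zonelist ships); the kasp.db size is passed in as a number so the script runs offline, but a caller can obtain it with os.path.getsize on the real file.

```python
"""Sanity-check the state of a FreeIPA DNSSEC key master from the artefacts
inspected in the thread: named-pkcs11 journal lines, kasp.db size and
zonelist.xml contents.  Example code, not part of FreeIPA or OpenDNSSEC."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Matches journal lines such as:
#   Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): <message>
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\snamed-pkcs11\[\d+\]:\s"
    r"zone\s(?P<zone>\S+)/IN\s\(signed\):\s(?P<msg>.*)$"
)

# Substrings that indicate named could not obtain the zone's signing keys.
KEY_FAILURE_MARKERS = (
    "could not get zone keys",
    "receive_secure_serial: not found",
)

# Constructed sample input, modelled on the lines quoted in the thread.
SAMPLE_LOG = [
    "Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update",
    "Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): receive_secure_serial: not found",
    "Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update",
    "Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): receive_secure_serial: not found",
    "Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update",
    "Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): receive_secure_serial: not found",
    "Feb 22 09:20:07 ipa.example.com systemd[1]: Started unrelated service.",
]

# Constructed zonelist.xml documents: a default one with only a placeholder
# zone, and a healthy one that actually lists the signed zone.
DEFAULT_ZONELIST = """<ZoneList>
  <Zone name="opendnssec.test">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/opendnssec.test.xml</SignerConfiguration>
  </Zone>
</ZoneList>"""

HEALTHY_ZONELIST = """<ZoneList>
  <Zone name="example.com">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.com.xml</SignerConfiguration>
  </Zone>
</ZoneList>"""


def parse_named_errors(lines):
    """Return {zone: {message: count}} for named-pkcs11 signed-zone lines."""
    per_zone = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # other daemons or unrelated named output
        per_zone[m["zone"]][m["msg"]] += 1
    return {zone: dict(msgs) for zone, msgs in per_zone.items()}


def zones_missing_keys(per_zone):
    """Zones whose errors show named could not fetch signing keys from the HSM."""
    return sorted(
        zone for zone, msgs in per_zone.items()
        if any(marker in msg for msg in msgs for marker in KEY_FAILURE_MARKERS)
    )


def opendnssec_zones(zonelist_xml):
    """Zone names declared in an OpenDNSSEC zonelist.xml document (no trailing dot)."""
    root = ET.fromstring(zonelist_xml)
    return sorted(z.get("name").rstrip(".") for z in root.iter("Zone") if z.get("name"))


def diagnose(zone, kasp_db_size, zonelist_xml, log_lines):
    """Combine the three checks from the thread into findings for one zone."""
    name = zone.rstrip(".")
    findings = []
    if kasp_db_size == 0:
        findings.append("kasp.db is empty: OpenDNSSEC holds no key material")
    if name not in opendnssec_zones(zonelist_xml):
        findings.append(f"{name} is not listed in zonelist.xml: OpenDNSSEC does not manage it")
    errors = parse_named_errors(log_lines)
    if name in zones_missing_keys(errors):
        total = sum(errors[name].values())
        findings.append(f"named-pkcs11 logged {total} key-related errors for {name}")
    return findings


if __name__ == "__main__":
    # Reproduces the situation in the thread: zero-byte kasp.db, default zonelist.
    for finding in diagnose("example.com.", 0, DEFAULT_ZONELIST, SAMPLE_LOG):
        print("-", finding)
```

Run against the real host, the call would be diagnose("example.com.", os.path.getsize("/var/opendnssec/kasp.db"), open("/etc/opendnssec/zonelist.xml").read(), journal_lines); an empty findings list means the key master has key material, manages the zone, and named is no longer complaining, which is the state the installer expects before --dnssec-master can proceed without a copied kasp.db.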
<br>
</body>
</html>