Hello Mirsad,
You changed to dnssec-policy with different key algorithms than you used
for manual signing:
Jun 1 21:46:06 domac named[46537]: keymgr: retire DNSKEY alu.hr/RSASHA256/46119 (ZSK)
Jun 1 21:46:06 domac named[46537]: keymgr: retire DNSKEY alu.hr/RSASHA256/34042 (KSK)
Jun 1 21:46:06 domac named[46537]: keymgr: DNSKEY alu.hr/ECDSAP256SHA256/43987 (KSK) created for policy standard
Jun 1 21:46:06 domac named[46537]: keymgr: DNSKEY alu.hr/ECDSAP256SHA256/3502 (ZSK) created for policy standard
You had RSASHA256 DNSSEC keys, but you started using a DNSSEC policy
with ECDSAP256SHA256 keys.
Since the existing keys do not match the policy, BIND started a key
rollover.
See https://kb.isc.org/docs/dnssec-key-and-signing-policy for more
information about migration to dnssec-policy.
Also changing from directory and file "/etc/bind/zones/alu.hr.db.signed"
to file "/var/cache/bind/alu.hr.db" may be causing some problems.
There also seems to be a permission problem:
Jun 1 22:03:38 domac named[46537]: dns_dnssec_keylistfromrdataset: error reading /var/cache/bind/keys/Kalu.hr.+013+03502.private: file not found
Jun 1 22:03:38 domac named[46537]: dns_dnssec_keylistfromrdataset: error reading /var/cache/bind/keys/Kalu.hr.+013+43987.private: file not found
Hope these pointers help.
- Matthijs
On 01-06-2022 23:14, Mirsad Goran Todorovac wrote:
Dear All,
I have tried to switch from a manually signed DNSSEC zone to dnssec-policy
"standard", and the BIND9 server started behaving oddly. Here is the manual
signing conf:
include "/etc/bind/keys/domac.alu.hr-tsig.key";
zone "alu.hr" in {
    type master;
    file "/etc/bind/zones/alu.hr.db.signed";
    allow-transfer { key domac.alu.hr-key; 161.53.2.70; };
    also-notify { 31.147.205.54; 161.53.2.70; };
    forwarders {};
};
... and the automatic signing conf:
zone "alu.hr" in {
    type master;
    file "/var/cache/bind/alu.hr.db";
    allow-transfer { key domac.alu.hr-key; 161.53.2.70; };
    also-notify { 31.147.205.54; 161.53.2.70; };
    dnssec-policy "standard";
    forwarders {};
};
There was a symbolic link /var/cache/bind/alu.hr.db ->
/etc/bind/zones/alu.hr.db .
The logfile is too long to post, so I will add link:
https://domac.alu.hr/~mtodorov/tmp/named-20220601.log
NOTE: The fun starts when I tried to automatically sign the zone in zonefile
/etc/bind/zones/alu.hr.db, and AppArmor denied BIND opening the file.
Maybe that confused the good old BIND9 server?
Then I added a link in /var/cache/bind, as for DDNS zones.
Then the zone appeared signed, but with only NSEC records, no RRSIGs,
with this in the log:
Jun 1 21:52:42 domac named[46537]: scheduled loading new zones
Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (unsigned): loaded serial 2022060101
Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): loaded serial 2022060101
Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): receive_secure_serial: unchanged
Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): sending notifies (serial 2022060101)
Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): reconfiguring zone keys
Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to lock key files, but no key file lock available, abort
Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to lock key files, but no key file lock available, abort
Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to lock key files, but no key file lock available, abort
Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to lock key files, but no key file lock available, abort
Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): zone_rekey:dns_zone_getdnsseckeys failed: not found
Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to lock key files, but no key file lock available, abort
Jun 1 21:52:42 domac named[46537]: keymgr: retire DNSKEY alu.hr/RSASHA256/46119 (ZSK)
Jun 1 21:52:42 domac named[46537]: keymgr: retire DNSKEY alu.hr/RSASHA256/34042 (KSK)
Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to lock key files, but no key file lock available, abort
Jun 1 21:52:42 domac named[46537]: Fetching alu.hr/ECDSAP256SHA256/3502 (ZSK) from key repository.
Jun 1 21:52:42 domac named[46537]: DNSKEY alu.hr/ECDSAP256SHA256/3502 (ZSK) is now published
Jun 1 21:52:42 domac named[46537]: DNSKEY alu.hr/ECDSAP256SHA256/3502 (ZSK) is now active
Jun 1 21:52:42 domac named[46537]: Fetching alu.hr/ECDSAP256SHA256/43987 (KSK) from key repository.
Jun 1 21:52:42 domac named[46537]: DNSKEY alu.hr/ECDSAP256SHA256/43987 (KSK) is now published
Jun 1 21:52:42 domac named[46537]: DNSKEY alu.hr/ECDSAP256SHA256/43987 (KSK) is now active
Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to lock key files, but no key file lock available, abort
Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to lock key files, but no key file lock available, abort
Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): next key event: 01-Jun-2022 23:46:06.043
Jun 1 21:52:42 domac named[46537]: any newly configured zones are now loaded
Jun 1 21:52:42 domac named[46537]: running
Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to lock key files, but no key file lock available, abort
Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to lock key files, but no key file lock available, abort
I couldn't Google out any such message.
However, the BIND server started acting like a runaway, displaying lines
like this in the log:
Jun 1 22:06:55 domac named[43715]: validating arpa/DS: no valid signature found
Jun 1 22:06:55 domac named[43715]: validating arpa/DS: no valid signature found
Jun 1 22:06:56 domac named[43715]: validating arpa/DS: no valid signature found
Jun 1 22:06:56 domac named[43715]: validating arpa/DS: no valid signature found
Jun 1 22:06:56 domac named[43715]: validating arpa/DS: no valid signature found
Jun 1 22:06:56 domac named[43715]: validating arpa/DS: no valid signature found
Jun 1 22:06:56 domac named[43715]: validating arpa/DS: no valid signature found
Jun 1 22:06:56 domac named[43715]: validating arpa/DS: no valid signature found
Jun 1 22:06:56 domac named[43715]: validating arpa/DS: no valid signature found
Jun 1 22:06:56 domac named[43715]: validating arpa/DS: no valid signature found
Jun 1 22:06:56 domac named[43715]: validating hr/DS: no valid signature found
Jun 1 22:06:56 domac named[43715]: validating hr/DS: no valid signature found
Jun 1 22:06:56 domac named[43715]: validating hr/DS: no valid signature found
Jun 1 22:06:56 domac named[43715]: validating arpa/DS: no valid signature found
Jun 1 22:06:56 domac named[43715]: validating ./NS: no valid signature found
... and at a very fast rate, so I reverted to the manually signed conf.
Any idea how I could still apply dnssec-policy? Manual signing works,
but it is tedious, and easy to forget to sign ...
For other subzones, mainly slava.alu.hr, conversion from manually signed
RSA keys to automatically signed DNSSEC standard policy worked
out-of-the-box.
HERE is the policy (from the DNSSEC manual):
dnssec-policy standard {
    dnskey-ttl 600;
    keys {
        ksk lifetime 365d algorithm ecdsap256sha256;
        zsk lifetime 60d algorithm ecdsap256sha256;
    };
    max-zone-ttl 600;
    parent-ds-ttl 600;
    parent-propagation-delay 2h;
    publish-safety 7d;
    retire-safety 7d;
    signatures-refresh 5d;
    signatures-validity 15d;
    signatures-validity-dnskey 15d;
    zone-propagation-delay 2h;
};
Thanks for any idea on how to get out of this.
Hope this helps.
Kind regards,
Mirsad
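An added example, not part of either message in this thread and not ISC's code: a POSIX shell script that inspects a BIND key-directory before a manually signed zone is switched to dnssec-policy. It reports the role and algorithm of every existing key pair, checks that each .key file has a readable .private beside it (the condition behind the "error reading ... .private: file not found" lines in the reply above), and prints a dnssec-policy that keeps the existing algorithm, which is what the linked KB article recommends for a migration, so that enabling the policy does not immediately start an algorithm rollover. The zone name example.test, the key ids, the key-file contents and the policy name are constructed sample data and assumptions, not the alu.hr keys or configuration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the key-directory layout that
# dnssec-keygen writes: K<zone>.+<alg>+<id>.key and a matching .private.

# DNSKEY algorithm number -> mnemonic accepted by dnssec-policy "algorithm".
alg_name() {
  case "$1" in
    5)  echo rsasha1 ;;
    7)  echo nsec3rsasha1 ;;
    8)  echo rsasha256 ;;
    10) echo rsasha512 ;;
    13) echo ecdsap256sha256 ;;
    14) echo ecdsap384sha384 ;;
    15) echo ed25519 ;;
    16) echo ed448 ;;
    *)  echo "unknown($1)" ;;
  esac
}

# Print "role algorithm keyid" for every public key file of ZONE in DIR.
# Role comes from the DNSKEY flags field: 257 = KSK (SEP bit set), 256 = ZSK.
list_keys() {
  dir=$1; zone=$2
  for f in "$dir"/K"$zone".+*+*.key; do
    [ -e "$f" ] || continue
    # Skip the ';' comment lines dnssec-keygen puts above the RR, then read
    # "<owner> [ttl] [IN] DNSKEY <flags> <proto> <alg> <key...>".
    line=$(grep -v '^;' "$f" | grep ' DNSKEY ' | head -n 1)
    rdata=$(echo "$line" | sed 's/.* DNSKEY  *//')
    flags=$(echo "$rdata" | awk '{print $1}')
    alg=$(echo "$rdata" | awk '{print $3}')
    id=$(basename "$f" .key | sed 's/.*+//')
    case "$flags" in 257) role=ksk ;; 256) role=zsk ;; *) role=unknown ;; esac
    echo "$role $(alg_name "$alg") $id"
  done
}

# Return 0 if every .key has a readable .private beside it, 1 otherwise.
# Without the private half named cannot sign, and logs
# "dns_dnssec_keylistfromrdataset: error reading ...private: file not found".
private_keys_readable() {
  dir=$1; zone=$2; rc=0
  for f in "$dir"/K"$zone".+*+*.key; do
    [ -e "$f" ] || continue
    p="${f%.key}.private"
    if [ ! -r "$p" ]; then echo "missing or unreadable: $p" >&2; rc=1; fi
  done
  return $rc
}

# Emit a dnssec-policy that reuses the algorithm of the keys already present,
# so that switching the zone to it does not retire them for a new algorithm.
# Lifetimes are left "unlimited" here; tighten them in a later policy change.
suggest_policy() {
  dir=$1; zone=$2; name=$3
  echo "dnssec-policy \"$name\" {"
  echo "    keys {"
  list_keys "$dir" "$zone" | while read -r role alg id; do
    echo "        $role lifetime unlimited algorithm $alg;  // existing key id $id"
  done
  echo "    };"
  echo "};"
}

# Constructed sample key-directory (not real key material): an RSASHA256 KSK
# with its .private, and an RSASHA256 ZSK whose .private is deliberately
# absent to reproduce the "file not found" failure mode.
SAMPLE_KEYDIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_KEYDIR"' EXIT
printf '; constructed sample, not a real key\nexample.test. 600 IN DNSKEY 257 3 8 AwEAAcKSKsample==\n' \
  > "$SAMPLE_KEYDIR/Kexample.test.+008+12345.key"
printf 'Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n' \
  > "$SAMPLE_KEYDIR/Kexample.test.+008+12345.private"
printf 'example.test. 600 IN DNSKEY 256 3 8 AwEAAcZSKsample==\n' \
  > "$SAMPLE_KEYDIR/Kexample.test.+008+23456.key"
chmod 600 "$SAMPLE_KEYDIR"/*.private

list_keys "$SAMPLE_KEYDIR" example.test
private_keys_readable "$SAMPLE_KEYDIR" example.test \
  || echo "named would fail to sign with the keys reported above" >&2
suggest_policy "$SAMPLE_KEYDIR" example.test migrate-rsasha256
```

Run the functions against the real directory (the one named's key-directory option points at; in the reply above named was looking in /var/cache/bind/keys) as the user named runs as, so that both file-system permissions and the AppArmor profile are exercised in the check. Once the zone is signed under the matching policy, changing the algorithm in the policy lets BIND run the algorithm rollover itself, with both key sets published long enough for the DS change at the parent.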
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users