i run,

        named -v
                BIND 9.18.7 (Stable Release) <id:>


i've set up dnssec-policy operation for a number of domains.

keys are all generated, KSK-derived DS Records are pushed to registrar->root, 
and all DNSSEC-analyzer tools online report all's good.

i can see no functional problems. so far. that i'm aware of.

but, in bind logs, locally, I see the following "zone_rekey:dns_zone_getdnsseckeys 
failed: not found" error,

        2022-10-14T08:47:23.569556-04:00 ns named[14285]: 14-Oct-2022 08:47:23.568 dnssec: info: zone example.com/IN/external: generated salt: 82CSA124A1645B0D
        2022-10-14T08:47:23.711869-04:00 ns named[14285]: 14-Oct-2022 08:47:23.710 dnssec: info: zone example.com/IN/external: reconfiguring zone keys
??      2022-10-14T08:47:23.712653-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: error: zone example.com/IN/external: zone_rekey:dns_zone_getdnsseckeys failed: not found
        2022-10-14T08:47:23.712663-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: keyring: example.com/ECDSAP256SHA256/62137 (policy pgnd)
        2022-10-14T08:47:23.712666-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: keyring: example.com/ECDSAP256SHA256/17296 (policy pgnd)
        2022-10-14T08:47:23.712671-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: DNSKEY example.com/ECDSAP256SHA256/17296 (KSK) matches policy pgnd
        2022-10-14T08:47:23.712674-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: DNSKEY example.com/ECDSAP256SHA256/17296 (KSK) is active in policy pgnd
        2022-10-14T08:47:23.712677-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: DNSKEY example.com/ECDSAP256SHA256/62137 (ZSK) matches policy pgnd
        2022-10-14T08:47:23.712680-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: DNSKEY example.com/ECDSAP256SHA256/62137 (ZSK) is active in policy pgnd
        2022-10-14T08:47:23.712683-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: new successor needed for DNSKEY example.com/ECDSAP256SHA256/62137 (ZSK) (policy pgnd) in 2445436 seconds
        2022-10-14T08:47:23.712686-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine ZSK example.com/ECDSAP256SHA256/62137 type DNSKEY in state OMNIPRESENT
        2022-10-14T08:47:23.712688-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: ZSK example.com/ECDSAP256SHA256/62137 type DNSKEY in stable state OMNIPRESENT
        2022-10-14T08:47:23.712690-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine ZSK example.com/ECDSAP256SHA256/62137 type ZRRSIG in state OMNIPRESENT
        2022-10-14T08:47:23.712693-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: ZSK example.com/ECDSAP256SHA256/62137 type ZRRSIG in stable state OMNIPRESENT
        2022-10-14T08:47:23.712695-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine KSK example.com/ECDSAP256SHA256/17296 type DNSKEY in state OMNIPRESENT
        2022-10-14T08:47:23.712697-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: KSK example.com/ECDSAP256SHA256/17296 type DNSKEY in stable state OMNIPRESENT
        2022-10-14T08:47:23.712699-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine KSK example.com/ECDSAP256SHA256/17296 type KRRSIG in state OMNIPRESENT
        2022-10-14T08:47:23.712702-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: KSK example.com/ECDSAP256SHA256/17296 type KRRSIG in stable state OMNIPRESENT
        2022-10-14T08:47:23.712704-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine KSK example.com/ECDSAP256SHA256/17296 type DS in state RUMOURED
        2022-10-14T08:47:23.712706-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: can we transition KSK example.com/ECDSAP256SHA256/17296 type DS state RUMOURED to state OMNIPRESENT?
        2022-10-14T08:47:23.712712-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: dnssec evaluation of KSK example.com/ECDSAP256SHA256/17296 record DS: rule1=(~true or true) rule2=(~true or true) rule3=(~true or true)

for each/every dnssec-enabled domain

where, in my current named.conf,

        dnssec-policy "pgnd" {
                keys {
                        ksk key-directory    lifetime unlimited    algorithm 13;
                        zsk key-directory    lifetime P30D         algorithm 13;
                };
                dnskey-ttl                 3600;
                publish-safety             1h;
                retire-safety              1h;
                signatures-refresh         P5D;
                signatures-validity        P2W;
                signatures-validity-dnskey P2W;
                max-zone-ttl               86400;
                zone-propagation-delay     300;
                parent-ds-ttl              86400;
                parent-propagation-delay   1h;
                nsec3param iterations 5 optout no salt-length 8;
        };
        zone "example.com" IN {
                type master; file "/namedb/master/example.com.zone";
                dnssec-policy "pgnd";
                key-directory "/keys/dnssec/example.com";
                update-policy { grant pgnd-external-rndc-key zonesub txt; };
        };

what's the source of the "zone_rekey:dns_zone_getdnsseckeys"?
specifically, what's not being found?
have i missed/misconfig'd config, omitted a file/dir that current config 
expects, or is this a bug?
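
An added example, not part of the original post: a small script that rejoins log records hard-wrapped as in the message above and lists, per zone, the `dnssec` errors and any key record that `keymgr` examines in a state other than OMNIPRESENT. The sample input is constructed from the log format quoted in the post; the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: four records in the mail-wrapped form quoted in the post.
SAMPLE = """\
        2022-10-14T08:47:23.711869-04:00 ns named[14285]: 14-Oct-2022
08:47:23.710 dnssec: info: zone example.com/IN/external: reconfiguring zone keys
??      2022-10-14T08:47:23.712653-04:00 ns named[14285]: 14-Oct-2022
08:47:23.711 dnssec: error: zone example.com/IN/external:
zone_rekey:dns_zone_getdnsseckeys failed: not found
        2022-10-14T08:47:23.712697-04:00 ns named[14285]: 14-Oct-2022
08:47:23.711 dnssec: debug 1: keymgr: KSK example.com/ECDSAP256SHA256/17296
type DNSKEY in stable state OMNIPRESENT
        2022-10-14T08:47:23.712704-04:00 ns named[14285]: 14-Oct-2022
08:47:23.711 dnssec: debug 1: keymgr: examine KSK
example.com/ECDSAP256SHA256/17296 type DS in state RUMOURED
"""

# A record starts at the syslog timestamp, optionally after a "??" marker.
START = re.compile(r"^\W*\d{4}-\d{2}-\d{2}T")
ERROR = re.compile(r"dnssec: error: zone (\S+?)/IN/(\S+?): (.+)$")
STATE = re.compile(
    r"keymgr: examine (KSK|ZSK) (\S+?)/(\w+)/(\d+) type (\w+) in state (\w+)")

def unwrap(text):
    """Rejoin records that a mail client hard-wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return [" ".join(r.split()) for r in records]

def triage(text):
    """Per zone: dnssec errors, and key records not in state OMNIPRESENT."""
    report = defaultdict(lambda: {"errors": [], "pending": []})
    for rec in unwrap(text):
        if m := ERROR.search(rec):
            report[m[1]]["errors"].append(m[3])
        elif m := STATE.search(rec):
            role, zone, _alg, tag, rtype, state = m.groups()
            if state != "OMNIPRESENT":
                report[zone]["pending"].append((role, int(tag), rtype, state))
    return dict(report)

if __name__ == "__main__":
    for zone, info in triage(SAMPLE).items():
        print(zone, info)
```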