In addition to what Matthijs said, please make sure that all path components
in /data/chroot/named/keys/dnssec/example.com/ <http://example.com/> need to
have correct permissions,
this is easy to get wrong. I've burnt on this too many times.
Easiest way how to test is switching to the user that named runs under and try
changing to the directory and checking if you can access the files.
i've double-checked my perms; if that's the cause, i've missed it :_/
testing without dnssec-policy autosiging, just manually signing,
for an active/healthy, dnssec-signed zone
rndc dnssec -status example.com IN external
dnssec-policy: pgnd
current time: Sun Oct 16 20:44:05 2022
key: 10729 (ECDSAP256SHA256), ZSK
published: yes - since Sat Oct 15 15:52:05 2022
zone signing: yes - since Sat Oct 15 15:52:05 2022
Next rollover scheduled on Sun Oct 30 13:47:05 2022
- goal: omnipresent
- dnskey: omnipresent
- zone rrsig: rumoured
key: 57122 (ECDSAP256SHA256), KSK
published: yes - since Sat Oct 15 15:52:05 2022
key signing: yes - since Sat Oct 15 15:52:05 2022
No rollover scheduled
- goal: omnipresent
- dnskey: omnipresent
- ds: hidden
- key rrsig: omnipresent
trying a manual rollover
rndc dnssec -rollover -key 10729 example.com IN external
Error executing rollover command: error occurred writing key to
disk
where, even with debug logging, all that i see on exec is
2022-10-16T20:56:49.979144-04:00 ns named[2036]: 16-Oct-2022
20:56:49.977 general: info: received control channel command 'dnssec -rollover
-key 10729 example.com IN external'
is there a way to determine what data is being attempted to write to which
file/location on disk?
or, generally, any more detail about what "error occurred" ?
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
