Hi all,

Following http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work was most useful. It turned out the package "freeipa-server-dns" was missing. Strange, I am running DNS, but...:

  • I upgraded from Fedora 22 to 23 including upgrading from IPA 4.1 to 4.2.
  • Also: I'm running this on a Bananapi "server".....
  • There's no slave.
 
Anyway, ipa dnszone-show tells DNSSEC was enabled:


   Allow in-line DNSSEC signing: TRUE

but most likely due to the missing freeipa-server-dns it was missing dependencies as well, for example the package opendnssec was missing.

After installing freeipa-server-dns all packages seem to be in place, but the kasp.db file is empty:

[root@ipa ~]# ls -l /var/opendnssec/kasp.db
-rw-rw----. 1 ods ods 0 Feb 22 11:29 /var/opendnssec/kasp.db

No wonder I still get messages like "could not get zone keys".

Shouldn't a key be added? How? (without blowing the current DNS....)

Winny
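Added here as an example (not code from this thread, from FreeIPA or from OpenDNSSEC): a small Python checker that parses journalctl lines of the shape quoted below, counts the key-related errors per zone, and pairs them with the empty kasp.db symptom described above. The sample journal lines are constructed from the thread's messages, and the verdict strings and default kasp.db path are assumptions of this example.

```python
import re
from collections import Counter
from pathlib import Path

# Constructed sample mirroring the thread's named-pkcs11 messages, one journal line per event
# (the mail shows them wrapped across two lines).
SAMPLE_JOURNAL = """\
Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update
Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): receive_secure_serial: not found
Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update
Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): receive_secure_serial: not found
Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update
Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): receive_secure_serial: not found
""".splitlines()

# Shape of a journalctl line for a named-pkcs11 zone message: timestamp, host, unit[pid], zone, text.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) named-pkcs11\[(?P<pid>\d+)\]: "
    r"zone (?P<zone>\S+) \(signed\): (?P<msg>.+)$"
)

# Message prefixes from the thread that point at missing or unreachable zone keys.
KEY_ERRORS = ("could not get zone keys", "receive_secure_serial: not found")


def parse_journal(lines):
    """Return one dict per line that matches the named-pkcs11 zone-message shape; others are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, (line.strip() for line in lines)) if m]


def key_errors_per_zone(events):
    """Count key-related errors per zone, keyed the way named prints it (e.g. example.com/IN)."""
    return dict(Counter(ev["zone"] for ev in events if ev["msg"].startswith(KEY_ERRORS)))


def kasp_db_is_empty(path):
    """True if the OpenDNSSEC key database is missing or zero bytes, the symptom in the thread."""
    p = Path(path)
    return not p.exists() or p.stat().st_size == 0


def diagnose(lines, kasp_path="/var/opendnssec/kasp.db"):
    """Classify the failure: no key errors, empty key store, or keys present but named still failing."""
    zones = key_errors_per_zone(parse_journal(lines))
    if not zones:
        return "no-key-errors"
    if kasp_db_is_empty(kasp_path):
        return "kasp-empty"  # OpenDNSSEC has no keys: check freeipa-server-dns/opendnssec are installed
    return "keys-present-check-named"  # keys exist: continue with the Troubleshooting page steps


if __name__ == "__main__":
    print(key_errors_per_zone(parse_journal(SAMPLE_JOURNAL)))
    print(diagnose(SAMPLE_JOURNAL))
```

Feed it the real output of `journalctl -u named-pkcs11.service -p err` on the affected server; a "kasp-empty" verdict matches the situation described in this message.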


On 22-02-16 at 11:10, Petr Spacek wrote:
On 22.2.2016 09:36, Winfried de Heiden wrote:
Hi all,

I get lots of messages in my log (journalctl -u named-pkcs11.service -p err) like these:

Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN 
(signed): could not get zone keys for secure dynamic update
Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN 
(signed): receive_secure_serial: not found
Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN 
(signed): could not get zone keys for secure dynamic update
Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN 
(signed): receive_secure_serial: not found
Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN 
(signed): could not get zone keys for secure dynamic update
Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN 
(signed): receive_secure_serial: not found

What's going wrong here, how to fix it?
Hello,

this might have multiple reasons.

Please walk step-by-step through following page:
http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work

Additional questions:
* What version of FreeIPA and on what platform do you use?
* Is the zone signed on DNSSEC key master or on replica? Does it work on one
FreeIPA server but not on some other server?
* Did you change something lately?


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project