[knot-dns-users] Re: zone lost its KSK

Daniel Salzman via knot-dns-users Wed, 21 Feb 2024 00:28:03 -0800

Hi Bastien,

What's the Knot version and your signing policy configuration?


Daniel

On 2/13/24 22:00, Bastien Durel wrote:

Le 13/02/2024 à 10:03, libor.peltan a écrit :

Hi Bastien,

could you please have a deeper look into the history of the zone in the log 
file (or share it) ? There should be the answer hidden somewhere...

Thanks!


Hello,

Looks like the problem was lying for a little while :

# journalctl -u knot | grep geekwu.org

janv. 26 22:50:10 arrakeen knotd[3061]: info: [geekwu.org.] zone will be loaded
janv. 26 22:50:10 arrakeen knotd[3061]: info: [geekwu.org.] zone file parsed, 
serial 2024021105
janv. 26 22:50:27 arrakeen knotd[3061]: notice: [geekwu.org.] DNSSEC, cleared 
future timers of auto-managed key 20414
janv. 26 22:50:27 arrakeen knotd[3061]: info: [geekwu.org.] DNSSEC, key, tag 
39945, algorithm ECDSAP384SHA384, KSK, public, active
janv. 26 22:50:27 arrakeen knotd[3061]: info: [geekwu.org.] DNSSEC, key, tag 
20414, algorithm ECDSAP384SHA384
janv. 26 22:50:27 arrakeen knotd[3061]: 2024-01-26T22:50:27+0100 error: 
[geekwu.org.] DNSSEC, keys validation failed (missing active KSK or ZSK)
janv. 26 22:50:27 arrakeen knotd[3061]: 2024-01-26T22:50:27+0100 error: 
[geekwu.org.] DNSSEC, failed to load keys (missing active KSK or ZSK)
janv. 26 22:50:27 arrakeen knotd[3061]: error: [geekwu.org.] DNSSEC, keys 
validation failed (missing active KSK or ZSK)
janv. 26 22:50:27 arrakeen knotd[3061]: error: [geekwu.org.] DNSSEC, failed to 
load keys (missing active KSK or ZSK)
janv. 26 22:50:27 arrakeen knotd[3061]: 2024-01-26T22:50:27+0100 error: 
[geekwu.org.] zone event 'load' failed (missing active KSK or ZSK)
janv. 26 22:50:27 arrakeen knotd[3061]: error: [geekwu.org.] zone event 'load' 
failed (missing active KSK or ZSK)
févr. 12 21:38:02 arrakeen knotd[3061]: 2024-02-12T21:38:02+0100 error: 
[geekwu.org.] zone event 're-sign' failed (invalid parameter)
févr. 12 21:38:02 arrakeen knotd[3061]: info: [geekwu.org.] DNSSEC, signing zone
févr. 12 21:38:02 arrakeen knotd[3061]: error: [geekwu.org.] zone event 
're-sign' failed (invalid parameter)
févr. 12 22:08:57 arrakeen knotd[3061]: info: [geekwu.org.] DNSSEC, dropping 
previous signatures, re-signing zone


Nothing to do with the outage, then, but there's few info. No logs before the 
26/01 in journalctl, syslog mixes my 2 knot instances, so it's difficult to 
read :/

--

[knot-dns-users] Re: zone lost its KSK

Reply via email to