error while attempting to use nsupdate on a DNSSEC signed zone

Jack Tavares j.tavares at F5.com
Wed May 13 15:11:32 UTC 2009


Thanks, but that is not my problem.

The error message you are getting at least gives a hint:

Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view
default4: updating zone 'fred.com/IN': RRSIG/NSEC update failed: sign
failure

My error says:
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: updating zone 'test.net/IN': prerequisites are OK
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: signer "update.test.net" approved
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: update 'test.net/IN' approved
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: updating zone 'test.net/IN': update section prescan OK
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: updating zone 'test.net/IN': adding an RR at 'blarney.test.net' A
13-May-2009 22:04:59.665 client 127.0.0.1#4638: view external: updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure


"failure" that's it.

I am still having this problem.
It is intermittent.

One update will work.
Then another update for the very same zone, using the very same key, will fail.
It works fine if I remove the signed zone.
I have tried removing from the chroot jail, in case I had an error in the setup there and it
makes no difference.

The failure seems to be coming from dns_dnssec_sign, but it is just returning
ISC_R_FAILURE.

When I step through the code with the debugger, it seems to work every time (naturally).
I am really scratching my head.

--
Jack Tavares

________________________________________
From: Alexa Petrean [apetrean at bluecatnetworks.com]
Sent: Wednesday, May 13, 2009 17:50
To: Jack Tavares
Cc: bind-users at lists.isc.org
Subject: RE: error while attempting to use nsupdate on a DNSSEC signed zone

I've encountered a similar issue when using DSA keys with BIND 9.5.1-P1.
The dynamic records weren't added to a master zone signed with DSA keys
- the journal file doesn't get created at all, just similar messages
logged in syslog:

Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view
default4: updating zone 'fred.com/IN': adding an RR at 'h2.fred.com' A
Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view
default4: updating zone 'fred.com/IN': RRSIG/NSEC update failed: sign
failure

The solution was to sign every dynamic zone with RSASHA1 keys only.

Alex

-----Original Message-----
From: bind-users-bounces at lists.isc.org
[mailto:bind-users-bounces at lists.isc.org] On Behalf Of Jack Tavares
Sent: Wednesday, May 13, 2009 4:03 AM
To: unlisted-recipients
Cc: bind-users at lists.isc.org
Subject: RE: error while attempting to use nsupdate on a DNSSEC signed
zone

yes.
And when I previously failed to specify the correct key-directory, I
got an error:
"found no private keys, unable to generate any signatures"

I corrected that error and now get the "failure" message.

Everything is owned by named.


options {
dnssec-enable yes;
dnssec-validation yes;
key-directory "/config/namedb";

--
Jack Tavares
________________________________________
From: Mark_Andrews at isc.org [Mark_Andrews at isc.org]
Sent: Wednesday, May 13, 2009 10:38
To: Jack Tavares
Cc: bind-users at lists.isc.org
Subject: Re: error while attempting to use nsupdate on a DNSSEC signed
zone

In message
<4B18A8F75A6384449755BC7784073E93603B776C39 at exch11.olympus.f5net.com
> Hello -
>
> (bind9.6.0-P1)
>
> I have set up a zone that is signed.
> It is an island of security zone for testing purposes.
>
> I have set up a TSIG key and set the allow-update
> to accept the key.
>
> I have followed every step, afaict, in the various
> how-tos on how to sign a zone.
>
> But when I try to do an update, I get an error.
>
> All the error says is
> signer "update.test.net" approved
> 13-May-2009 14:16:37.947 client 127.0.0.1#2490: view external: updating zone 'test.net/IN': adding an RR at 'blah.test.net' A
> 13-May-2009 14:16:37.953 client 127.0.0.1#2490: view external: updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure
> "failure" is all it says for a reason.
>
> I looked at the bind source, and there are some more useful error messages about keys etc.
> But all I am getting is "failure".
>
> If I do the same nsupdate without DNSSEC, it works.
> It appears there is something wrong with my setup and the regeneration of the RRSIG/NSEC
> keys is failing. (I have tried it with both NSEC and NSEC3 keys)
>
> I will put together a (simpler) named.conf and zone file that causes this and post that info,
> but I was hoping that maybe somebody has seen this and has an idea.
>
> Thanks
>
>
> --
> Jack Tavares

        Have you told named where the private keys are (key-directory)?

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
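As an added example (not code from the thread or from ISC), here is a small check a practitioner could run before enabling dynamic updates on a signed zone: it walks the key-directory for the zone's K*.key files, reports any key whose .private file is missing (the "found no private keys" case above), and flags DSA keys (algorithm 3), which Alex reports failing with dynamic updates. The directory path /config/namedb and zone name test.net come from the thread; the key files it builds for the demonstration are constructed dummies.

```shell
#!/bin/sh
# Added example: sanity-check a BIND key-directory for a dynamically updated,
# DNSSEC-signed zone. Not part of the original thread.

# Build a constructed, throwaway key directory: one complete RSASHA1 (alg 5)
# pair and one DSA (alg 3) key that is missing its .private file. The key
# material is dummy text, not real keys.
make_sample_keydir() {
    dir=$1
    mkdir -p "$dir"
    printf 'test.net. IN DNSKEY 256 3 5 AwEAAdummyRSASHA1key==\n' > "$dir/Ktest.net.+005+12345.key"
    printf 'Private-key-format: v1.2\nAlgorithm: 5 (RSASHA1)\n' > "$dir/Ktest.net.+005+12345.private"
    printf 'test.net. IN DNSKEY 256 3 3 AwEAAdummyDSAkey==\n' > "$dir/Ktest.net.+003+23456.key"
}

# check_keydir DIR ZONE
# Prints one line per problem found; returns 0 only if every K<zone>.+*.key
# has a matching .private file and none of the keys uses DSA.
check_keydir() {
    dir=$1; zone=$2; rc=0
    for keyfile in "$dir"/K"$zone".+*.key; do
        # If the glob matched nothing, the literal pattern is left behind.
        [ -e "$keyfile" ] || { echo "no keys for $zone in $dir"; return 1; }
        base=${keyfile%.key}
        # Algorithm number is the sixth field: owner IN DNSKEY flags proto alg
        alg=$(awk '/DNSKEY/ { print $6 }' "$keyfile")
        if [ ! -f "$base.private" ]; then
            echo "MISSING private key: $base.private"; rc=1
        fi
        if [ "$alg" = "3" ]; then
            echo "DSA key (alg 3): $keyfile -- sign dynamic zones with RSASHA1"; rc=1
        fi
    done
    return $rc
}

# Demonstration on the constructed directory; on a real server you would
# point it at the configured key-directory, e.g.: check_keydir /config/namedb test.net
demo=$(mktemp -d)
make_sample_keydir "$demo"
check_keydir "$demo" test.net || echo "key-directory check failed (expected for the sample)"
rm -rf "$demo"
```

Run it as the same user named runs as, so a .private file that exists but is unreadable to named also surfaces as a failure.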