error while attempting to use nsupdate on a DNSSEC signed zone

Mark Andrews Mark_Andrews at isc.org
Thu May 14 01:31:51 UTC 2009


In message <E8C06F8FB84E4C41B5F770A71B8CE75005C7C14D at Apollo.bluecatnetworks.corp>, "Alexa Petrean" writes:
> 
> I've encountered a similar issue when using DSA keys with BIND 9.5.1-P1.
> The dynamic records weren't added to a master zone signed with DSA keys
> - the journal file doesn't get created at all, just similar messages
> logged in syslog:
> 
> Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view
> default4: updating zone 'fred.com/IN': adding an RR at 'h2.fred.com' A 
> Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view
> default4: updating zone 'fred.com/IN': RRSIG/NSEC update failed: sign
> failure
> 
> The solution was to sign every dynamic zone with RSASHA1 keys only.
> 
> Alex

	DSA requires a good random number generator to be available to
	named.  RSA only required a good random number generator at
	key creation time.
 
> -----Original Message-----
> From: bind-users-bounces at lists.isc.org
> [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Jack Tavares
> Sent: Wednesday, May 13, 2009 4:03 AM
> To: unlisted-recipients
> Cc: bind-users at lists.isc.org
> Subject: RE: error while attempting to use nsupdate on a DNSSEC signed
> zone 
> 
> yes. 
> And when I previously failed to specify the correct key-directory, I
> got an error
> "found no private keys, unable to generate any signatures"
> 
> I corrected that error and now get the "failure" message
> 
> everything is owned by named.
> 
> 
> options {
> dnssec-enable yes;
> dnssec-validation yes;
> key-directory "/config/namedb";
> 
> --
> Jack Tavares
> ________________________________________
> From: Mark_Andrews at isc.org [Mark_Andrews at isc.org]
> Sent: Wednesday, May 13, 2009 10:38
> To: Jack Tavares
> Cc: bind-users at lists.isc.org
> Subject: Re: error while attempting to use nsupdate on a DNSSEC signed
> zone
> 
> In message
> <4B18A8F75A6384449755BC7784073E93603B776C39 at exch11.olympus.f5net.com
> > Hello -
> >
> > (bind9.6.0-P1)
> >
> > I have set up a zone that is signed.
> > It is an island of security zone for testing purposes.
> >
> > I have set up a TSIG key and set the allow-update
> > to accept the key.
> >
> > I have followed every step, afaict, in the various
> > how-tos on how to sign a zone.
> >
> > But when I try to do an update, I get an error.
> >
> > All the error says is
> > signer "update.test.net" approved
> > 13-May-2009 14:16:37.947 client 127.0.0.1#2490: view external: updating zone 'test.net/IN': adding an RR at 'blah.test.net' A
> > 13-May-2009 14:16:37.953 client 127.0.0.1#2490: view external: updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure
> > "failure" is all it says for a reason.
> >
> > I looked at the bind source, and there are some more useful error
> > messages about keys etc.
> > But all I am getting is "failure".
> >
> > If i do the same nsupdate without DNSSEC, it works.
> > It appears there is something wrong with my setup and the regeneration
> > of the RRSIG/NSEC keys is failing. (I have tried it with both NSEC and
> > NSEC3 keys)
> >
> > I will put together a (simpler) named.conf and zone file that causes
> > this and post that info, but I was hoping that maybe somebody has seen
> > this and has an idea.
> >
> > Thanks
> >
> >
> > --
> > Jack Tavares
> 
>         Have you told named where the private keys are (key-directory)?
> 
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
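The reason Mark gives above (DSA needs randomness every time it signs, RSA only when the key pair is made) is easy to see in code. The following is an added illustration, not part of the thread and not BIND's code: a toy DSA and a toy RSA signer in Python, each taking an injectable random source. The group parameters, prime list, sample record and the `broken_rng` function are all constructed for the illustration (the parameters are far too small for real use); `broken_rng` stands in for a named process that cannot obtain random data at signing time.

```python
import hashlib
import secrets

# Toy DSA group (constructed, far too small for real use): q divides p - 1
# and g generates the subgroup of order q.
P, Q, G = 47, 23, 4

# Toy RSA material (constructed): keys are built from a short list of small primes.
SMALL_PRIMES = [53, 59, 61, 67, 71, 73]
E = 17


def _digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def dsa_keygen(rng):
    """rng(n) must return a uniform integer in [0, n). Randomness is used once here."""
    x = rng(Q - 1) + 1          # private key in [1, q-1]
    return x, pow(G, x, P)      # (private, public)


def dsa_sign(x: int, msg: bytes, rng) -> tuple:
    """Every DSA signature needs a fresh secret nonce k, so the signer must be
    able to draw randomness at signing time; no k means no signature."""
    h = _digest(msg) % Q
    while True:
        k = rng(Q - 1) + 1
        r = pow(G, k, P) % Q
        if r == 0:
            continue
        s = (pow(k, -1, Q) * (h + x * r)) % Q
        if s == 0:
            continue
        return r, s


def dsa_verify(y: int, msg: bytes, sig: tuple) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = (_digest(msg) % Q) * w % Q, r * w % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r


def rsa_keygen(rng):
    """Randomness is consumed only here, when the primes are chosen."""
    i = rng(len(SMALL_PRIMES))
    j = rng(len(SMALL_PRIMES))
    while j == i:
        j = rng(len(SMALL_PRIMES))
    p, q = SMALL_PRIMES[i], SMALL_PRIMES[j]
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, pow(E, -1, phi)), (n, E)    # (private, public)


def rsa_sign(priv: tuple, msg: bytes) -> int:
    """Textbook RSA signing is deterministic: no random source is needed."""
    n, d = priv
    return pow(_digest(msg) % n, d, n)


def rsa_verify(pub: tuple, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(msg) % n


def good_rng(n: int) -> int:
    return secrets.randbelow(n)


def broken_rng(n: int) -> int:
    # Constructed stand-in for a named process with no usable random data at signing time.
    raise RuntimeError("no random data available")


# Constructed sample record, in the spirit of the log lines quoted in the thread.
SAMPLE_RR = b"h2.fred.com. 3600 IN A 192.0.2.1"


def signs_ok_with_good_rng(algorithm: str) -> bool:
    """Key generation plus one signature with a working RNG; returns whether it verifies."""
    if algorithm == "DSA":
        x, y = dsa_keygen(good_rng)
        return dsa_verify(y, SAMPLE_RR, dsa_sign(x, SAMPLE_RR, good_rng))
    priv, pub = rsa_keygen(good_rng)
    return rsa_verify(pub, SAMPLE_RR, rsa_sign(priv, SAMPLE_RR))


def signing_needs_runtime_randomness(algorithm: str) -> bool:
    """Generate the key while the RNG works, then sign after it has failed.
    True means the signing step itself fails, which is the 'sign failure'
    behaviour described in the thread for DSA-signed dynamic zones."""
    try:
        if algorithm == "DSA":
            x, _ = dsa_keygen(good_rng)
            dsa_sign(x, SAMPLE_RR, broken_rng)
        else:
            priv, _ = rsa_keygen(good_rng)
            rsa_sign(priv, SAMPLE_RR)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    for alg in ("DSA", "RSA"):
        print(alg, "verifies:", signs_ok_with_good_rng(alg),
              "| fails without runtime RNG:", signing_needs_runtime_randomness(alg))
```

Both algorithms sign and verify while the random source works; take the source away after key generation and only the DSA signer fails, because each signature needs a new nonce. That is the dependency Mark describes: a DSA-signed dynamic zone relies on named having good randomness available every time an update triggers re-signing, whereas an RSASHA1 zone needed it only when the keys were generated.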
