inline dnssec loadkeys fails

Brad S chronicjoker2u at yahoo.com
Sun Dec 20 00:53:57 UTC 2015


I have using the exact same rndc method to load inline signing keys as what worked yesterday, but today the same steps are failing? a stuck key?
[\u at yoda:/usr/local/etc/namedb] # rndc flush
[\u at yoda:/usr/local/etc/namedb] # rndc reconfig
[\u at yoda:/usr/local/etc/namedb] # rndc addzone domain.com in external '{type master; auto-dnssec maintain; inline-signing yes; key-directory "/home/mailer-domains/domain.com/"; file "/home/mailer-domains/domain.com/domain.com.external"; update-policy { grant ddns-key zonesub ANY; };};'
[\u at yoda:/usr/local/etc/namedb] # rndc loadkeys domain.com
[\u at yoda:/usr/local/etc/namedb] # rndc signing -nsec3param 1 0 10 03F92714 domain.com.

[\u at yoda:/usr/local/etc/namedb] # rndc zonestatus domain.com
name: domain.com
type: master
files: /home/mailer-domains/domain.com/domain.com.external
serial: 2015121923
signed serial: 2015121931
nodes: 9
last loaded: Sun, 20 Dec 2015 00:07:01 GMT
secure: no
key maintenance: automatic
next key event: Sun, 20 Dec 2015 01:18:20 GMT
dynamic: yes
frozen: no


error:
20-Dec-2015 01:30:56.735 general: info: received control channel command 'signing -nsec3param 1 0 10 03F92714 domain.com.'
20-Dec-2015 01:30:56.735 general: debug 1: setnsec3param: zone domain.com/IN/external (signed): enter
20-Dec-2015 01:30:56.735 general: error: zone domain.com/IN/external (signed): could not get zone keys for secure dynamic update

the keys are present, valid and correct permissions. no other errors
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20151220/0c20bb2a/attachment.html>


More information about the bind-users mailing list