inline dnssec loadkeys fails

John W. Blue at
Sun Dec 20 02:04:15 UTC 2015


FWIW, I personally like to reconfig then flush. Not that it will help you with the issue at hand, but for me it keeps any blackholed domains from getting into cache.



From: Brad S <chronicjoker2u at>
Sent: Dec 19, 2015 6:54 PM
To: bind-users at;marka at
Subject: inline dnssec loadkeys fails

I am using the exact same rndc method to load inline signing keys as what worked yesterday, but today the same steps are failing. A stuck key?

[\u at yoda:/usr/local/etc/namedb] # rndc flush
[\u at yoda:/usr/local/etc/namedb] # rndc reconfig
[\u at yoda:/usr/local/etc/namedb] # rndc addzone in external '{type master; auto-dnssec maintain; inline-signing yes; key-directory "/home/mailer-domains/"; file "/home/mailer-domains/"; update-policy { grant ddns-key zonesub ANY; };};'
[\u at yoda:/usr/local/etc/namedb] # rndc loadkeys
[\u at yoda:/usr/local/etc/namedb] # rndc signing -nsec3param 1 0 10 03F92714

[\u at yoda:/usr/local/etc/namedb] # rndc zonestatus
type: master
files: /home/mailer-domains/
serial: 2015121923
signed serial: 2015121931
nodes: 9
last loaded: Sun, 20 Dec 2015 00:07:01 GMT
secure: no
key maintenance: automatic
next key event: Sun, 20 Dec 2015 01:18:20 GMT
dynamic: yes
frozen: no

20-Dec-2015 01:30:56.735 general: info: received control channel command 'signing -nsec3param 1 0 10 03F92714'
20-Dec-2015 01:30:56.735 general: debug 1: setnsec3param: zone (signed): enter
20-Dec-2015 01:30:56.735 general: error: zone (signed): could not get zone keys for secure dynamic update

The keys are present, valid and have correct permissions. No other errors.