named is not finding the keys for DNSSEC

Andreas Meyer a.meyer at nimmini.de
Thu Aug 4 09:27:22 UTC 2016


Hello!

Tony Finch <dot at dotat.at> wrote on 04.08.16 at 09:21:36:

> > The key is named Kbitcorner.de.+005+16938.private but named is looking for
> > a key named bitcorner.de/RSASHA1/16938 or is it just substituting?
> 
> The error message refers to the key ID rather than the filename - in more
> recent versions it has been clarified to use the actual filename.

Is it possible to look for the filename without upgrading bind or is
there a fix for this?

> > There are also other private keys in the keysfolder but named complains
> > about these two private keys only. All privates have permissions -rw-------
> 
> The error suggests to me that you have a key-directory mismatch, but you
> seem to have that under control.

hm, after I added

    update-policy local;
    auto-dnssec maintain;

to another signed zone, bind complains about not finding the keys for
this one too.

> Are you chrooting named, and if so, does your inside-chroot and
> outside-chroot match?

Good question. The structure looks like this:

bitmachine1:/var/lib/named/var # ls -al
insgesamt 16
drwxr-xr-x  4 named root 4096  2. Aug 13:47 .
drwxr-xr-x 12 root  root 4096  3. Aug 17:32 ..
drwxr-xr-x  2 root  root 4096  2. Aug 13:47 lib
lrwxrwxrwx  1 root  root    6  2. Aug 13:47 log -> ../log
drwxr-xr-x  3 named root 4096  2. Aug 13:47 run

and like this:

bitmachine1:/var/lib/named/var/lib/named # ls -al
insgesamt 56
drwxr-xr-x  12 root  root  4096  3. Aug 17:32 .
drwxr-xr-x  46 root  root  4096  4. Aug 00:00 ..
-rw-r--r--   1 root  root   192 19. Nov 2009  127.0.0.zone
drwxr-xr-x   2 root  root  4096  4. Aug 01:43 dev
drwxr-xr-x   2 named named 4096 11. Mär 11:47 dyn
drwxr-xr-x   4 root  root  4096  4. Aug 10:14 etc
drwxr-xr-x   2 named root  4096  4. Aug 11:03 keys
drwxr-xr-x   3 root  root  4096  2. Aug 23:09 lib64
-rw-r--r--   1 root  root   182 19. Nov 2009  localhost.zone
drwxr-xr-x   2 named named 4096  4. Aug 01:00 log
drwxr-xr-x   2 root  root  4096  3. Aug 23:34 master
dr-xr-xr-x 220 root  root     0  2. Aug 10:33 proc
-rw-r--r--   1 root  root  3048 11. Mär 11:47 root.hint
drwxr-xr-x   2 named named 4096 11. Mär 11:47 slave
drwxr-xr-x   4 named root  4096  2. Aug 13:47 var


> Stupid question: are the zones for the other keys actually signed?

yes

> > Also I don't understand what zone bitcorner.de/IN: reconfiguring zone keys
> > means.
> 
> It means named is checking for any key changes.

Thank you!

  Andreas
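As an added example (not part of the thread), a small Python check that turns the "zone/ALG/keytag" form named logs into the K<zone>.+<alg>+<keytag>.private filename it actually opens, then looks for that file under a chroot-prefixed key-directory and flags the permission problem discussed above. The key-directory path and chroot prefix in the usage section are assumptions taken from the listing in the mail.

```python
import stat
from pathlib import Path
from typing import List

# BIND's algorithm mnemonics (as printed in named's log) -> IANA numbers,
# which appear zero-padded in K<zone>.+<alg>+<keytag>.private filenames.
ALGORITHMS = {
    "RSASHA1": 5, "NSEC3RSASHA1": 7, "RSASHA256": 8, "RSASHA512": 10,
    "ECDSAP256SHA256": 13, "ECDSAP384SHA384": 14, "ED25519": 15, "ED448": 16,
}


def expected_key_filename(key_id: str) -> str:
    """Map named's 'zone/ALG/keytag' key id to the private key filename."""
    zone, alg, tag = key_id.split("/")
    return f"K{zone.rstrip('.')}.+{ALGORITHMS[alg.upper()]:03d}+{int(tag):05d}.private"


def check_key_files(key_id: str, key_directory: str, chroot: str = "") -> List[str]:
    """Return a list of problems for the key named complains about.

    key_directory is the path as named sees it (the named.conf key-directory);
    chroot, when named runs chrooted, is the host-side prefix in front of it.
    """
    problems = []
    host_dir = Path(chroot.rstrip("/") + "/" + key_directory.lstrip("/")) if chroot else Path(key_directory)
    private = host_dir / expected_key_filename(key_id)
    public = private.with_suffix(".key")
    if not host_dir.is_dir():
        return [f"key directory {host_dir} not found (chroot/key-directory mismatch?)"]
    for path in (private, public):
        if not path.is_file():
            problems.append(f"missing {path}")
    if private.is_file():
        mode = stat.S_IMODE(private.stat().st_mode)
        if mode & 0o077:  # group/other bits set: a private key should be owner-only (0600)
            problems.append(f"{private} is mode {mode:04o}, expected 0600")
    return problems


if __name__ == "__main__":
    # Assumed values: key id from the error in the mail, key-directory and chroot from the listing.
    result = check_key_files("bitcorner.de/RSASHA1/16938", "/var/lib/named/keys", chroot="/var/lib/named")
    for line in result or ["no problems found"]:
        print(line)
```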

