DNSSEC and nsupdate

Mark Andrews marka at isc.org
Sat Feb 24 22:43:27 UTC 2018

Are you running chrooted? Did you make the keys visible in the chroot area?

> On 25 Feb 2018, at 2:37 am, Prof. Dr. Michael Schefczyk <michael at schefczyk.net> wrote:
> Dear All,
> For a long time already, I am using a bind master DNS server based on debian set up via webmin. It is currently Debian Stretch with bind 9.10. I am using DNSSEC.
> The  webmin setup leads to all keys being stored in /var/lib/bind. The naming scheme is K[fqdn]+number+keyid.key or .private. There is one key-signing key and one zone-signing key for each fqdn. Resigning works via a perl srcipt / cronjob shipped by webmin.
> To be able to generate future letsencrypt wildcard certificates, I would like to implant acme challenges as TXT records via DNS. Using nsupdate, the dnssec signing becomes troublesome. The error message in update_debug.log is:
> Date/Time info: client IP#36210/key nsupdate: updating zone 'fqdn/IN': adding an RR at '_acme-challenge.fqdn' TXT "..."
> Date/Time error: client IP#36210/key nsupdate: updating zone 'fqdn/IN': found no active private keys, unable to generate any signatures
> Date/Time error: client IP#36210/key nsupdate: updating zone 'fqdn/IN': RRSIG/NSEC/NSEC3 update failed: not found
> Looking further, bind.log shows:
> Date/Time general: warning: dns_dnssec_findzonekeys2: error reading private key file fqdn/ECDSAP384SHA384/41844: file not found
> Date/Time general: warning: dns_dnssec_findzonekeys2: error reading private key file fqdn/ECDSAP384SHA384/55203: file not found
> The numbers 41844 and 55203 are the very key IDs for which keys do exist in the traditional K... format /var/lib/bind. Of course, /var/lib/bind is also set as the key directory. The keys are certainly readable without permissions problems. The error does not go away even if you make them 777.
> Please inform me what the issue is and what to do. Is there a change in the key naming scheme? How would the new names look like? I can certainly create one directory per fqdn under /var/lib/bind/ and then one subdirectory ECDSAP384SHA384 but what would be the (two?) files in 41844 and 55203? Is there a way to convert?
> Thank you very much for your efforts!
> Michael Schefczyk
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the bind-users mailing list