bind keyfile lookup failures

Mark Andrews marka at isc.org
Thu Jan 10 01:01:17 UTC 2019


named is looking for K files that match the DNSKEY records in the zone and
is not finding them.  Removing K files too early or having them in the
wrong place will produce these errors.

You can work out which DNSKEY record matches the number with dig +rrcomments
or dig +multiline.

[beetle:~/git/bind9] marka% dig dnskey peak.org +rrcomments
;; BADCOOKIE, retrying.

; <<>> DiG 9.13.1+hotspot+add-prefetch+marka <<>> dnskey peak.org +rrcomments
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27925
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d9ccfea7edcf3893dc6b20b05c3698e5ea5375c4420dabcd (good)
;; QUESTION SECTION:
;peak.org.			IN	DNSKEY

;; ANSWER SECTION:
peak.org.		990	IN	DNSKEY	256 3 5 AwEAAb+fxFIFX6ri0O8YcUqcOtCzbSejewqFW5o0L8ZyB4UXI3Waea9T 5wAL3OOv6SULCxcrozA7F8dib6yFWgEwlO2dLeLZNUDCjyEs7lzhu9+h 5UWaJZoJrxSymF+HrAZ9sB4sRpwbU5vIl5Zvl6r5zKSf26nPcFFlc9L5 61AswZqx  ; ZSK; alg = RSASHA1 ; key id = 21393

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 10 11:59:17 AEDT 2019
;; MSG SIZE  rcvd: 213

[beetle:~/git/bind9] marka% 

[beetle:~/git/bind9] marka% dig dnskey peak.org +multiline
;; BADCOOKIE, retrying.

; <<>> DiG 9.13.1+hotspot+add-prefetch+marka <<>> dnskey peak.org +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36765
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ac451069fdac7683019eb3885c3698fbf1fdbf31af279f14 (good)
;; QUESTION SECTION:
;peak.org.		IN DNSKEY

;; ANSWER SECTION:
peak.org.		968 IN DNSKEY 256 3 5 (
				AwEAAb+fxFIFX6ri0O8YcUqcOtCzbSejewqFW5o0L8Zy
				B4UXI3Waea9T5wAL3OOv6SULCxcrozA7F8dib6yFWgEw
				lO2dLeLZNUDCjyEs7lzhu9+h5UWaJZoJrxSymF+HrAZ9
				sB4sRpwbU5vIl5Zvl6r5zKSf26nPcFFlc9L561AswZqx
				) ; ZSK; alg = RSASHA1 ; key id = 21393

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 10 11:59:39 AEDT 2019
;; MSG SIZE  rcvd: 213

[beetle:~/git/bind9] marka% 

> On 10 Jan 2019, at 8:37 am, Alan Batie <alan at peak.org> wrote:
> 
> I've had bind 9.9.4 doing dnssec for a few years now.  All the zones are
> configured with:
> 
>        key-directory "/var/named/keys";
>        auto-dnssec maintain;
>        inline-signing yes;
> 
> I just added a bunch of zones, and 8 of them are failing with:
> 
> dns_dnssec_findzonekeys2: error reading private key file
> <ZONE>/RSASHA1/27456: file not found
> 
> I did an strace and find that when it looks for
> 
> K<ZONE>.+008+<NUMBER>.private
> 
> it's looking for a different <NUMBER>
> 
> I've re-run dnssec-keygen and rndc sign on the zones, but that doesn't
> fix things.  I'm not sure what is going on or how to fix it...
> 
> The main impact is filling up the log file - these zones aren't tied
> into the root chain yet, but I'd like to get it fixed...

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
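The diagnosis above (named builds the name of the K file it wants from each DNSKEY record's algorithm number and key tag, and logs "file not found" when that file is absent from key-directory) can be checked without strace. The following Python is an added example written for this thread, not BIND's code and not the poster's tooling: it takes a DNSKEY record as dig prints it (either +rrcomments or +multiline form), computes the RFC 4034 Appendix B key tag, builds the K<zone>.+<alg>+<tag>.private name named will open, and reports which DNSKEYs have no matching file in a directory listing. The DNSKEY record is the peak.org one from the dig output above; the two key-directory listings are constructed for the example.

```python
"""Work out which K file named will look for from a DNSKEY record.

Added example for this thread, not BIND code and not the poster's tooling.
The DNSKEY constants are the peak.org record as printed by dig above; the
key-directory listings in main() are constructed.
"""
import base64
import struct

# peak.org. DNSKEY as printed by dig +rrcomments (copied from the thread).
DNSKEY_RRCOMMENTS = (
    "peak.org.\t\t990\tIN\tDNSKEY\t256 3 5 "
    "AwEAAb+fxFIFX6ri0O8YcUqcOtCzbSejewqFW5o0L8ZyB4UXI3Waea9T "
    "5wAL3OOv6SULCxcrozA7F8dib6yFWgEwlO2dLeLZNUDCjyEs7lzhu9+h "
    "5UWaJZoJrxSymF+HrAZ9sB4sRpwbU5vIl5Zvl6r5zKSf26nPcFFlc9L5 "
    "61AswZqx  ; ZSK; alg = RSASHA1 ; key id = 21393"
)

# The same record as printed by dig +multiline (copied from the thread).
DNSKEY_MULTILINE = """\
peak.org.\t\t968 IN DNSKEY 256 3 5 (
\t\t\t\tAwEAAb+fxFIFX6ri0O8YcUqcOtCzbSejewqFW5o0L8Zy
\t\t\t\tB4UXI3Waea9T5wAL3OOv6SULCxcrozA7F8dib6yFWgEw
\t\t\t\tlO2dLeLZNUDCjyEs7lzhu9+h5UWaJZoJrxSymF+HrAZ9
\t\t\t\tsB4sRpwbU5vIl5Zvl6r5zKSf26nPcFFlc9L561AswZqx
\t\t\t\t) ; ZSK; alg = RSASHA1 ; key id = 21393
"""

# DNSSEC algorithm numbers as they appear in K file names (subset).
ALGORITHM_NAMES = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256",
                   10: "RSASHA512", 13: "ECDSAP256SHA256"}


def parse_dnskey(text):
    """Parse dig's presentation format into (owner, flags, proto, alg, pubkey).

    Handles both the one-line +rrcomments form and the parenthesised
    +multiline form; everything after ';' on a line is a dig comment.
    """
    cleaned = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    tokens = cleaned.replace("(", " ").replace(")", " ").split()
    owner = tokens[0]
    if not owner.endswith("."):
        owner += "."          # key file names always carry the final dot
    idx = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[idx + 1:idx + 4])
    b64 = "".join(tokens[idx + 4:])
    pubkey = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return owner, flags, proto, alg, pubkey


def key_tag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA.

    Sum the RDATA as big-endian 16-bit words (even bytes weighted by 256),
    fold the carry back in once, and keep the low 16 bits.  This is the
    number dig prints as "key id" and named puts in the K file name.
    """
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def keyfile_basename(owner, alg, tag):
    """K<owner>+<alg>+<tag> with alg zero-padded to 3 digits, tag to 5."""
    return "K%s+%03d+%05d" % (owner, alg, tag)


def missing_private_keys(dnskey_records, keydir_listing):
    """Return (owner, alg, tag, filename) for every DNSKEY whose .private
    file is not in keydir_listing; these are the keys named will complain
    about with 'error reading private key file ... file not found'."""
    present = set(keydir_listing)
    missing = []
    for rr in dnskey_records:
        owner, flags, proto, alg, pubkey = parse_dnskey(rr)
        tag = key_tag(flags, proto, alg, pubkey)
        wanted = keyfile_basename(owner, alg, tag) + ".private"
        if wanted not in present:
            missing.append((owner, alg, tag, wanted))
    return missing


if __name__ == "__main__":
    owner, flags, proto, alg, pubkey = parse_dnskey(DNSKEY_RRCOMMENTS)
    tag = key_tag(flags, proto, alg, pubkey)
    print("%s alg=%d (%s) key id=%d -> %s.private" % (
        owner, alg, ALGORITHM_NAMES.get(alg, "?"), tag,
        keyfile_basename(owner, alg, tag)))
    # Constructed listings: a complete key pair, and one where the .private
    # file was removed too early (the .key alone does not satisfy named).
    complete = ["Kpeak.org.+005+21393.key", "Kpeak.org.+005+21393.private"]
    public_only = ["Kpeak.org.+005+21393.key"]
    print("missing (complete):", missing_private_keys([DNSKEY_RRCOMMENTS], complete))
    print("missing (public only):", missing_private_keys([DNSKEY_RRCOMMENTS], public_only))
```

The algorithm number in the file name comes from the DNSKEY's algorithm field (005 for RSASHA1, 008 for RSASHA256), and the tag is computed over that field too, so a key generated with a different dnssec-keygen -a than the algorithm of the DNSKEYs already in the zone produces a file under a different name and is not found either; comparing the names this prints against an ls of key-directory shows exactly which records have no private key behind them.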
