bind keyfile lookup failures
Mark Andrews
marka at isc.org
Thu Jan 10 01:01:17 UTC 2019
named is looking for K files that match the DNSKEY records in the zone and
is not finding them. Removing K files too early or having them in the
wrong place will produce these errors.
You can work out which DNSKEY record matches the number with dig +rrcomments
or dig +multiline.
[beetle:~/git/bind9] marka% dig dnskey peak.org +rrcomments
;; BADCOOKIE, retrying.
; <<>> DiG 9.13.1+hotspot+add-prefetch+marka <<>> dnskey peak.org +rrcomments
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27925
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d9ccfea7edcf3893dc6b20b05c3698e5ea5375c4420dabcd (good)
;; QUESTION SECTION:
;peak.org. IN DNSKEY
;; ANSWER SECTION:
peak.org. 990 IN DNSKEY 256 3 5 AwEAAb+fxFIFX6ri0O8YcUqcOtCzbSejewqFW5o0L8ZyB4UXI3Waea9T 5wAL3OOv6SULCxcrozA7F8dib6yFWgEwlO2dLeLZNUDCjyEs7lzhu9+h 5UWaJZoJrxSymF+HrAZ9sB4sRpwbU5vIl5Zvl6r5zKSf26nPcFFlc9L5 61AswZqx ; ZSK; alg = RSASHA1 ; key id = 21393
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 10 11:59:17 AEDT 2019
;; MSG SIZE rcvd: 213
[beetle:~/git/bind9] marka%
[beetle:~/git/bind9] marka% dig dnskey peak.org +multiline
;; BADCOOKIE, retrying.
; <<>> DiG 9.13.1+hotspot+add-prefetch+marka <<>> dnskey peak.org +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36765
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ac451069fdac7683019eb3885c3698fbf1fdbf31af279f14 (good)
;; QUESTION SECTION:
;peak.org. IN DNSKEY
;; ANSWER SECTION:
peak.org. 968 IN DNSKEY 256 3 5 (
AwEAAb+fxFIFX6ri0O8YcUqcOtCzbSejewqFW5o0L8Zy
B4UXI3Waea9T5wAL3OOv6SULCxcrozA7F8dib6yFWgEw
lO2dLeLZNUDCjyEs7lzhu9+h5UWaJZoJrxSymF+HrAZ9
sB4sRpwbU5vIl5Zvl6r5zKSf26nPcFFlc9L561AswZqx
) ; ZSK; alg = RSASHA1 ; key id = 21393
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 10 11:59:39 AEDT 2019
;; MSG SIZE rcvd: 213
[beetle:~/git/bind9] marka%
> On 10 Jan 2019, at 8:37 am, Alan Batie <alan at peak.org> wrote:
>
> I've had bind 9.9.4 doing dnssec for a few years now. All the zones are
> configured with:
>
> key-directory "/var/named/keys";
> auto-dnssec maintain;
> inline-signing yes;
>
> I just added a bunch of zones, and 8 of them are failing with:
>
> dns_dnssec_findzonekeys2: error reading private key file
> <ZONE>/RSASHA1/27456: file not found
>
> I did an strace and find that when it looks for
>
> K<ZONE>.+008+<NUMBER>.private
>
> it's looking for a different <NUMBER>
>
> I've re-run dnssec-keygen and rndc sign on the zones, but that doesn't
> fix things. I'm not sure what is going on or how to fix it...
>
> The main impact is filling up the log file - these zones aren't tied
> into the root chain yet, but I'd like to get it fixed...
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list