
dnssec-signzone error after updating to 9.6.2-P1


chris liesfield

Mar 29, 2010, 9:39:58 PM
to bind-...@lists.isc.org
Seeing this after upgrading to 9.6.2-P1.
 
We've made no other changes to the host or any configuration files, etc.
 
/var/named # dnssec-signzone  -g -o xxx.xxx.gov.au db.xxx.xxx.gov.au
dnssec-signzone: fatal: no self signed KSK's found
 
No idea what's going on here and we need advice on how to go about fixing it ASAP.
 
Thanks.
 
Chris.

Nate Itkin

Mar 29, 2010, 10:15:45 PM
to chris liesfield


9.6.2-P1 has worked ok for me [so far]. Two ideas that might yield more
info for us to look at (increase v level as needed, but start with 1):

named-checkzone xxx.xxx.gov.au db.xxx.xxx.gov.au
dnssec-signzone -g -v 1 -o xxx.xxx.gov.au db.xxx.xxx.gov.au

Nate Itkin

Nate Itkin

Mar 29, 2010, 11:40:23 PM
to bind-...@lists.isc.org
On Tue, Mar 30, 2010 at 01:50:23PM +1100, chris liesfield wrote:
> Here's the output ...
> /var/named # named-checkzone sro.vic.gov.au db.sro.vic.gov.au
> zone sro.vic.gov.au/IN: loaded serial 2010033001
> OK
>
> I chose level 7 debugging to yield as much information as possible, so sorry
> for the size ...
> /var/named # dnssec-signzone -z -v 7 -g -o xxx.xxx.xxx.au db.xxx.xxx.xxx.au
> dnssec-signzone: using 2 cpus
> dnssec-signzone: debug 1: decrement_reference: delete from rbt: 81f2688
[ snip.. ]


Is there a key signing key (KSK) in the zone file? db.xxx.xxx.xxx.au should
have an entry something like this:
$include Kxxx.xxx.xxx.au.+007+12345.key ; KSK

Does that file (Kxxx.xxx.xxx.au.+007+12345.key) and its corresponding
private key (Kxxx.xxx.xxx.au.+007+12345.private) exist with read permission on?

Also, how are you specifying which key is the KSK (typically the -k option
with dnssec-signzone)?

I can replicate your symptoms and the error message by removing the KSK from
a zone file.

Nate Itkin

Evan Hunt

Mar 30, 2010, 1:53:59 AM
to chris liesfield, bind-...@lists.isc.org
> Seeing this after upgrading to 9.6.2-P1.
>
> We've made no other changes to the host or any configuration files, etc.
>
> /var/named # dnssec-signzone -g -o xxx.xxx.gov.au db.xxx.xxx.gov.au
> dnssec-signzone: fatal: no self signed KSK's found

When dnssec-signzone has finished signing, it checks the zone for validity.
In this case, it found that the DNSKEY RRset didn't have any signatures
from a key-signing key. This may be due to such a key not existing, or
its private file being inaccessible.

Older versions of dnssec-signzone didn't check for this; that's why
it never appeared to be a problem until now.

Note that sometimes it *isn't* a problem--for example, when you're
signing a zone in two phases, once with a ZSK and later with a KSK. If
that's what's going on in your case, add the -P flag (for "partial") to
dnssec-signzone; that will suppress the validity check.

--
Evan Hunt -- ea...@isc.org
Internet Systems Consortium, Inc.
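The validity check Evan describes (an RRSIG over the DNSKEY RRset made by a KSK) and Nate's observation that removing the KSK from the zone file reproduces the error can be checked by hand on a signed zone. The script below is an added example, not code from the thread or from BIND: it computes RFC 4034 key tags for the DNSKEY records, picks out the KSKs by their SEP flag bit, and reports whether any DNSKEY RRSIG carries a KSK's tag. The zone text and the tiny public-key blobs are constructed placeholders, and records are assumed to be one per line.

```python
import base64

# Constructed apex records of a signed zone (not from the thread); the key
# blobs are deliberately tiny placeholders, not real RSA keys.
SIGNED_ZONE = """\
example.test. 3600 IN DNSKEY 256 3 7 BQYHCA==   ; ZSK, tag 4117
example.test. 3600 IN DNSKEY 257 3 7 AQIDBA==   ; KSK, tag 2062
example.test. 3600 IN RRSIG DNSKEY 7 2 3600 20100429000000 20100330000000 2062 example.test. c2lnbmF0dXJl
example.test. 3600 IN RRSIG DNSKEY 7 2 3600 20100429000000 20100330000000 4117 example.test. c2lnbmF0dXJl
"""


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ksk_signature_status(zone_text):
    """Classify the DNSKEY RRset the way dnssec-signzone's post-signing check does.

    'ok'                     - a KSK exists and an RRSIG over DNSKEY carries its tag
    'no-ksk'                 - no DNSKEY with the SEP bit set (KSK missing from the zone)
    'dnskey-unsigned-by-ksk' - KSK present but DNSKEY only signed by other keys
                               (the two-phase case where -P would be used)
    """
    ksk_tags, dnskey_sig_tags = set(), set()
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # drop trailing comments
        if len(fields) < 8 or fields[2] != "IN":
            continue
        if fields[3] == "DNSKEY":
            flags, proto, alg = int(fields[4]), int(fields[5]), int(fields[6])
            if flags & 0x0001:  # SEP bit marks a key-signing key
                ksk_tags.add(key_tag(flags, proto, alg, "".join(fields[7:])))
        elif fields[3] == "RRSIG" and fields[4] == "DNSKEY" and len(fields) >= 11:
            dnskey_sig_tags.add(int(fields[10]))  # key tag field of the RRSIG
    if not ksk_tags:
        return "no-ksk"
    if ksk_tags & dnskey_sig_tags:
        return "ok"
    return "dnskey-unsigned-by-ksk"


if __name__ == "__main__":
    print(ksk_signature_status(SIGNED_ZONE))
```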
