
named is not finding the keys for DNSSEC


Andreas Meyer

Aug 3, 2016, 12:33:09 PM
to bind-...@lists.isc.org
Hello!

Just subscribed to the list. I wanted to implement DNSSEC
with bind but have no luck with this one.

When named starts it says it can't read the private keys.

dns_dnssec_keylistfromrdataset: error reading private key file bitcorner.de/RSASHA1/16938: file not found
dns_dnssec_keylistfromrdataset: error reading private key file bitcorner.de/RSASHA1/20464: file not found

The keyfolder looks like this:

-rw-r--r-- 1 root root 433 3. Aug 17:32 Kbitcorner.de.+005+16938.key
-rw------- 1 root root 1010 3. Aug 17:32 Kbitcorner.de.+005+16938.private
-rw-r--r-- 1 root root 607 3. Aug 17:33 Kbitcorner.de.+005+20464.key
-rw------- 1 root root 1774 3. Aug 17:33 Kbitcorner.de.+005+20464.private
-rw-r--r-- 1 named named 728 3. Aug 17:39 managed-keys.bind
-rw-r--r-- 1 named named 512 3. Aug 17:39 managed-keys.bind.jnl

# ps aux |grep named
named 1458 0.0 1.1 186264 23896 ? Ssl 17:38 0:00 /usr/sbin/named -u named

Signing of a domain fails:

# dnssec-signzone -K /var/lib/named/keys -e +3024000 -N INCREMENT master/bitcorner.de.zone
dnssec-signzone: fatal: No signing keys specified or found.

I'm confused. Why does named look for a key bitcorner.de/RSASHA1/16938 although it is
named Kbitcorner.de.+005+16938.private ?

I took named out of the chroot but that changes nothing.

Glad about every hint!

Andreas

Volker Janzen

Aug 3, 2016, 1:58:57 PM
to Andreas Meyer, bind-...@lists.isc.org
Hi,

You need to 'chown named' the key files. The bind process is unable to read files belonging to root.


Regards
Volker

Andreas Meyer

Aug 3, 2016, 6:23:13 PM
to bind-...@lists.isc.org
Hello!

That makes no difference.

dns_dnssec_keylistfromrdataset: error reading private key file bitcorner.de/RSASHA1/16938: file not found

I think it must have something to do with the name itself, could it be?

The key is named Kbitcorner.de.+005+16938.private but named is looking for
a key named bitcorner.de/RSASHA1/16938 or is it just substituting?

There are also other private keys in the keysfolder but named complains
about these two private keys only. All privates have permissions -rw-------

Aug 4 00:09:22 bitmachine1 named[8460]: running
Aug 4 00:09:22 bitmachine1 named[8460]: zone bitcorner.de/IN: sending notifies (serial 2016080306)
Aug 4 00:09:22 bitmachine1 named[8460]: zone bitcorner.de/IN: reconfiguring zone keys
Aug 4 00:09:22 bitmachine1 named[8460]: dns_dnssec_keylistfromrdataset: error reading private key file bitcorner.de/RSASHA1/16938: file not found
Aug 4 00:09:22 bitmachine1 named[8460]: dns_dnssec_keylistfromrdataset: error reading private key file bitcorner.de/RSASHA1/20464: file not found
Aug 4 00:09:22 bitmachine1 named[8460]: zone bitcorner.de/IN: next key event: 04-Aug-2016 01:09:22.432

Also I don't understand what zone bitcorner.de/IN: reconfiguring zone keys
means.

Meanwhile I was able to sign the zones, but the error remains.

Greetings

Andreas

Volker Janzen <vol...@janzen.onl> wrote on 03.08.16 at 17:58:46:

Tony Finch

Aug 4, 2016, 4:21:58 AM
to Andreas Meyer, bind-...@lists.isc.org
Andreas Meyer <a.m...@nimmini.de> wrote:
>
> dns_dnssec_keylistfromrdataset: error reading private key file bitcorner.de/RSASHA1/16938: file not found
>
> I think it must have something to do with the name itself, could it be?
>
> The key is named Kbitcorner.de.+005+16938.private but named is looking for
> a key named bitcorner.de/RSASHA1/16938 or is it just substituting?

The error message refers to the key ID rather than the filename - in more
recent versions it has been clarified to use the actual filename.

> There are also other private keys in the keysfolder but named complains
> about these two private keys only. All privates have permissions -rw-------

The error suggests to me that you have a key-directory mismatch, but you
seem to have that under control.

Are you chrooting named, and if so, does your inside-chroot and
outside-chroot match?

Stupid question: are the zones for the other keys actually signed?

> Also I don't understand what zone bitcorner.de/IN: reconfiguring zone keys
> means.

It means named is checking for any key changes.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Faeroes: North 4 or 5, becoming variable 3 later. Moderate, occasionally rough
at first in southeast. Showers. Good.
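Tony's point is that named reports the key as zone/algorithm/key-tag while the file on disk is K<zone>.+<alg>+<tag>.private. The following helper is an added example, mine rather than code from the thread or from ISC: it converts the ID in the log message to the file name named opens and checks that file in a key directory. The key-directory path and the log-file location in the usage comment are assumptions; the mapping from algorithm mnemonic to number follows the IANA DNSSEC algorithm registry (RSASHA1 is 5, hence the +005+ in the thread's file names).

```sh
#!/bin/sh
# Added example, not code from the thread or from ISC: turn the key ID that
# named prints ("<zone>/<ALG>/<keytag>") into the K<zone>.+<alg>+<tag>.private
# file name that named actually opens, then check it in the key directory.

# DNSSEC algorithm mnemonic (as named prints it) -> number used in K* file
# names, per the IANA DNSSEC algorithm registry. 005 = RSASHA1 as in the thread.
alg_number() {
    case "$1" in
        RSAMD5)          echo 001 ;;
        DSA)             echo 003 ;;
        RSASHA1)         echo 005 ;;
        NSEC3DSA)        echo 006 ;;
        NSEC3RSASHA1)    echo 007 ;;
        RSASHA256)       echo 008 ;;
        RSASHA512)       echo 010 ;;
        ECDSAP256SHA256) echo 013 ;;
        ECDSAP384SHA384) echo 014 ;;
        ED25519)         echo 015 ;;
        ED448)           echo 016 ;;
        *)               return 1 ;;
    esac
}

# "bitcorner.de/RSASHA1/16938" -> "Kbitcorner.de.+005+16938.private".
# The key tag is zero-padded to five digits in the file name.
key_file_from_id() {
    zone=${1%%/*}
    rest=${1#*/}
    alg=${rest%%/*}
    tag=${rest#*/}
    tag=${tag#"${tag%%[!0]*}"}          # strip leading zeros so printf %d reads decimal
    [ -n "$tag" ] || tag=0
    num=$(alg_number "$alg") || return 1
    printf 'K%s.+%s+%05d.private\n' "$zone" "$num" "$tag"
}

# Pull the key ID out of a named log line of the form seen in the thread.
key_id_from_log() {
    sed -n 's/.*error reading private key file \([^:]*\):.*/\1/p'
}

# check_key <key-directory> <key-id>: 0 if the .private file exists and is
# readable by the current user, 1 otherwise. Run it as the user named drops
# to (-u named) to see what named itself can open.
check_key() {
    file=$(key_file_from_id "$2") || { echo "unknown algorithm in $2" >&2; return 2; }
    path="${1%/}/$file"
    if [ ! -e "$path" ]; then
        echo "MISSING    $path"
        return 1
    elif [ ! -r "$path" ]; then
        echo "UNREADABLE $path"
        return 1
    fi
    echo "OK         $path"
}

# When KEYDIR is set, read named's log on stdin and check every key it
# complained about (paths are assumptions), e.g.:
#   grep 'error reading private key' /var/log/messages \
#     | KEYDIR=/var/lib/named/keys su -s /bin/sh named -c 'sh check-keys.sh'
if [ -n "${KEYDIR:-}" ]; then
    key_id_from_log | sort -u | while read -r id; do
        check_key "$KEYDIR" "$id"
    done
fi
```

Running the check as the named user rather than as root matters: root passes the `-r` test on a 0600 root-owned file that named, running as `named`, cannot open.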

Andreas Meyer

Aug 4, 2016, 5:28:15 AM
to bind-...@lists.isc.org
Hello!

Tony Finch <d...@dotat.at> wrote on 04.08.16 at 09:21:36:

> > The key is named Kbitcorner.de.+005+16938.private but named is looking for
> > a key named bitcorner.de/RSASHA1/16938 or is it just substituting?
>
> The error message refers to the key ID rather than the filename - in more
> recent versions it has been clarified to use the actual filename.

Is it possible to look for the filename without upgrading bind or is
there a fix for this?

> > There are also other private keys in the keysfolder but named complains
> > about these two private keys only. All privates have permissions -rw-------
>
> The error suggests to me that you have a key-directory mismatch, but you
> seem to have that under control.

hm, after I added

update-policy local;
auto-dnssec maintain;

to another signed zone, bind complains about this one too, not finding
the keys.

> Are you chrooting named, and if so, does your inside-chroot and
> outside-chroot match?

Good question. The structure looks like this:

bitmachine1:/var/lib/named/var # ls -al
total 16
drwxr-xr-x 4 named root 4096 2. Aug 13:47 .
drwxr-xr-x 12 root root 4096 3. Aug 17:32 ..
drwxr-xr-x 2 root root 4096 2. Aug 13:47 lib
lrwxrwxrwx 1 root root 6 2. Aug 13:47 log -> ../log
drwxr-xr-x 3 named root 4096 2. Aug 13:47 run

and like this:

bitmachine1:/var/lib/named/var/lib/named # ls -al
total 56
drwxr-xr-x 12 root root 4096 3. Aug 17:32 .
drwxr-xr-x 46 root root 4096 4. Aug 00:00 ..
-rw-r--r-- 1 root root 192 19. Nov 2009 127.0.0.zone
drwxr-xr-x 2 root root 4096 4. Aug 01:43 dev
drwxr-xr-x 2 named named 4096 11. Mar 11:47 dyn
drwxr-xr-x 4 root root 4096 4. Aug 10:14 etc
drwxr-xr-x 2 named root 4096 4. Aug 11:03 keys
drwxr-xr-x 3 root root 4096 2. Aug 23:09 lib64
-rw-r--r-- 1 root root 182 19. Nov 2009 localhost.zone
drwxr-xr-x 2 named named 4096 4. Aug 01:00 log
drwxr-xr-x 2 root root 4096 3. Aug 23:34 master
dr-xr-xr-x 220 root root 0 2. Aug 10:33 proc
-rw-r--r-- 1 root root 3048 11. Mär 11:47 root.hint
drwxr-xr-x 2 named named 4096 11. Mär 11:47 slave
drwxr-xr-x 4 named root 4096 2. Aug 13:47 var


> Stupid question: are the zones for the other keys actually signed?

yes

> > Also I don't understand what zone bitcorner.de/IN: reconfiguring zone keys
> > means.
>
> It means named is checking for any key changes.

Thank you!

Andreas

Tony Finch

Aug 4, 2016, 6:11:30 AM
to Andreas Meyer, bind-...@lists.isc.org
Andreas Meyer <a.m...@nimmini.de> wrote:
> Tony Finch <d...@dotat.at> wrote on 04.08.16 at 09:21:36:
> >
> > The error message refers to the key ID rather than the filename - in more
> > recent versions it has been clarified to use the actual filename.
>
> Is it possible to look for the filename without upgrading bind or is
> there a fix for this?

There isn't much debug logging in this area so you probably have to use
something like truss or strace.

> > > There are also other private keys in the keysfolder but named complains
> > > about these two private keys only. All privates have permissions -rw-------
> >
> > The error suggests to me that you have a key-directory mismatch, but you
> > seem to have that under control.
>
> hm, after I added
>
> update-policy local;
> auto-dnssec maintain;
>
> to another signed zone, bind complains for this one too not finding
> the keys.

That suggests to me that you used dnssec-signzone rather than signing
automatically with named.

(I thought your other error-free zones were being signed by named, so in
those cases it was successfully loading the keys. But if named isn't
signing those zones it isn't trying to load their keys, so the lack of
errors does not tell us anything about the erroneous zone.)

So maybe you don't have key-directory under control after all :-) You
should double check that named is looking in the right place.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Tyne, Dogger, Fisher, German Bight, Humber: Southwesterly, becoming cyclonic
in north Fisher, 5 to 7, veering westerly or northwesterly 5 or 6 later.
Moderate or rough, becoming slight or moderate. Showers. Good.
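Tony's two checks, where a chrooted named resolves key-directory and whether the named user can read what is there, as an added example (mine, not code from the thread or from ISC). The listings in the thread show both /var/lib/named/keys on the host and a second keys directory under /var/lib/named/var/lib/named, which is what a named started with -t /var/lib/named would see as /var/lib/named/keys; that the chroot root is /var/lib/named is an assumption, as are the named.conf values in the usage comment. The permission check reproduces the owner/group/other read-bit rule the kernel applies and is fed with ls -l output, so the thread's own listing can be pasted in.

```sh
#!/bin/sh
# Added example, not code from the thread or from ISC: where a chrooted named
# actually looks for key-directory, and which private key files in an
# "ls -l" listing the named user cannot read.

# Host path that named opens for key-directory. With -t <chroot>, every path
# in named.conf is resolved inside the chroot, so the host directory is
# <chroot><key-directory>. A relative key-directory is resolved against
# named's working directory (the "directory" option) first.
#   effective_keydir <chroot-or-empty> <key-directory> <directory>
effective_keydir() {
    chroot=$1 keydir=$2 workdir=$3
    case $keydir in
        /*) path=$keydir ;;
        *)  path=${workdir%/}/$keydir ;;
    esac
    printf '%s\n' "${chroot%/}$path"
}

# Read "ls -l" lines on stdin and print each *.private file the given
# user/group cannot read, applying the owner, group or other read bit the
# way the kernel does. named started as root with -u named runs as that
# user, so a root-owned 0600 file is unreadable for it.
#   unreadable_private_keys <user> <group> < listing
unreadable_private_keys() {
    user=$1 group=$2
    while read -r mode links owner grp rest; do
        name=${rest##* }                     # file name is the last field
        case $name in *.private) ;; *) continue ;; esac
        if   [ "$owner" = "$user" ];  then bit=$(printf '%s' "$mode" | cut -c2)
        elif [ "$grp"   = "$group" ]; then bit=$(printf '%s' "$mode" | cut -c5)
        else                               bit=$(printf '%s' "$mode" | cut -c8)
        fi
        [ "$bit" = r ] || printf '%s %s %s:%s\n' "$name" "$mode" "$owner" "$grp"
    done
}

# Typical use (assumed values: chroot /var/lib/named, key-directory
# /var/lib/named/keys, directory /var/lib/named):
#   dir=$(effective_keydir /var/lib/named /var/lib/named/keys /var/lib/named)
#   ls -l "$dir" | unreadable_private_keys named named
```

Compare the directory this prints with the -K argument given to dnssec-signzone: if the two differ, named and the signing tool are working from different key sets, which is exactly the mismatch Tony is asking about. With no chroot the first argument is empty and the key-directory is used as-is.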