Re: new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-27 Thread Matthijs Mekking
On 26-10-2022 20:21, PGNet Dev wrote: hi, If there are currently no keys that we have to check the DS for, then you may still see this log line. all my zones have now toggled rumoured -> omnipresent.  i took no explicit manual action other than letting an arbitrarily long-ish time pass.

Re: new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-26 Thread PGNet Dev
hi, If there are currently no keys that we have to check the DS for, then you may still see this log line. all my zones have now toggled rumoured -> omnipresent. i took no explicit manual action other than letting an arbitrarily long-ish time pass. it just happened ... eventually. re:

Re: new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-16 Thread PGNet Dev
is there a way to determine what data is being attempted to write to which file/location on disk? or, generally, any more detail about what "error occurred" ? It will be attempting to write into the key-directory for the zone as defined by named.conf. It will be creating a new file and then

Re: new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-16 Thread Mark Andrews
> On 17 Oct 2022, at 12:13, PGNet Dev wrote:
>
>> In addition to what Matthijs said, please make sure that all path components
>> in /data/chroot/named/keys/dnssec/example.com/ need to
>> have correct permissions,
>> this is easy to get wrong. I've burnt on this too many

Re: new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-16 Thread PGNet Dev
In addition to what Matthijs said, please make sure that all path components in /data/chroot/named/keys/dnssec/example.com/  need to have correct permissions, this is easy to get wrong. I've burnt on this too many times. Easiest way how to test is switching to the user that

Re: new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-14 Thread PGNet Dev
Which parental-agent to use is up to you. Something you trust. for the moment, let's say 1.1.1.1 But if you don't have parental-agents set up, the list of keys to check will be empty. Hence the "not found" result. i added zone "example.com" IN { type master; file

Re: new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-14 Thread Matthijs Mekking
Which parental-agent to use is up to you. Something you trust. You can also configure multiple, if so then all parental agents will perform the DS check and only if all parental agents agree (have seen the DS), BIND will set the DS as "seen published in the parent" and the rollover will

Re: new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-14 Thread PGNet Dev
This is a log level bug. This log happens when BIND wants to check the parental-agents if the DS has been published. But if you don't have parental-agents set up, the list of keys to check will be empty. Hence the "not found" result. Thanks for reporting, this will be fixed in the next release,

Re: new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-14 Thread Ondřej Surý
In addition to what Matthijs said, please make sure that all path components in /data/chroot/named/keys/dnssec/example.com/ need to have correct permissions, this is easy to get wrong. I've burnt on this too many times. Easiest way how to test is switching to the user that

Re: new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-14 Thread Matthijs Mekking
Hi, This is a log level bug. This log happens when BIND wants to check the parental-agents if the DS has been published. But if you don't have parental-agents set up, the list of keys to check will be empty. Hence the "not found" result. Thanks for reporting, this will be fixed in the next

Re: new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-14 Thread PGNet Dev
hi Think ownership, permission and things like SELinux, AppArmor depending on your OS. on this box, no SELinux or AppArmor in my named.conf directory "/namedb/production"; and for my domain's dnssec key-directory "/keys/dnssec/example.com"; pathnames are relative to

Re: new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-14 Thread Sandro
On 14-10-2022 15:26, PGNet Dev wrote: zone "example.com" IN { type master; file "/namedb/master/example.com.zone"; dnssec-policy "pgnd"; key-directory "/keys/dnssec/example.com"; update-policy { grant pgnd-external-rndc-key

new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

2022-10-14 Thread PGNet Dev
i run, named -v BIND 9.18.7 (Stable Release) i've setup dnssec-policy operation for a number of domains. keys are all generated, KSK-derived DS Records are pushed to registrar->root, and all DNSSEC-analyzer tools online report all's good. i can see no functional