Thanks, but that is not my problem. The error message you are getting at least gives a hint:

Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view default4: updating zone 'fred.com/IN': RRSIG/NSEC update failed: sign failure

My error says:

13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: updating zone 'test.net/IN': prerequisites are OK
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: signer "update.test.net" approved
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: update 'test.net/IN' approved
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: updating zone 'test.net/IN': update section prescan OK
13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: updating zone 'test.net/IN': adding an RR at 'blarney.test.net' A
13-May-2009 22:04:59.665 client 127.0.0.1#4638: view external: updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure

"failure" - that's it.

I am still having this problem. It is intermittent. One update will work; then another update for the very same zone, using the very same key, will fail. It works fine if I remove the signed zone. I have tried removing it from the chroot jail, in case I had an error in the setup there, and it makes no difference. The failure seems to be coming from dns_dnssec_sign, but it is just returning ISC_R_FAILURE. When I step through the code with the debugger, it seems to work every time (naturally). I am really scratching my head.

--
Jack Tavares

________________________________________
From: Alexa Petrean [apetr...@bluecatnetworks.com]
Sent: Wednesday, May 13, 2009 17:50
To: Jack Tavares
Cc: bind-users@lists.isc.org
Subject: RE: error while attempting to use nsupdate on a DNSSEC signed zone

I've encountered a similar issue when using DSA keys with BIND 9.5.1-P1. The dynamic records weren't added to a master zone signed with DSA keys - the journal file doesn't get created at all, just similar messages logged in syslog:

Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view default4: updating zone 'fred.com/IN': adding an RR at 'h2.fred.com' A
Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view default4: updating zone 'fred.com/IN': RRSIG/NSEC update failed: sign failure

The solution was to sign every dynamic zone with RSASHA1 keys only.

Alex

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jack Tavares
Sent: Wednesday, May 13, 2009 4:03 AM
To: unlisted-recipients
Cc: bind-users@lists.isc.org
Subject: RE: error while attempting to use nsupdate on a DNSSEC signed zone

Yes. And when I previously failed to specify the correct key-directory, I got an error: "found no private keys, unable to generate any signatures". I corrected that error and now get the "failure" message. Everything is owned by named.

options {
    dnssec-enable yes;
    dnssec-validation yes;
    key-directory "/config/namedb";
};

--
Jack Tavares

________________________________________
From: mark_andr...@isc.org [mark_andr...@isc.org]
Sent: Wednesday, May 13, 2009 10:38
To: Jack Tavares
Cc: bind-users@lists.isc.org
Subject: Re: error while attempting to use nsupdate on a DNSSEC signed zone

In message <4b18a8f75a6384449755bc7784073e93603b776...@exch11.olympus.f5net.com>
> Hello -
>
> (bind9.6.0-P1)
>
> I have set up a zone that is signed.
> It is an island of security zone for testing purposes.
>
> I have set up a TSIG key and set the allow-update
> to accept the key.
>
> I have followed every step, afaict, in the various
> how-tos on how to sign a zone.
>
> But when I try to do an update, I get an error.
>
> All the error says is
> signer "update.test.net" approved
> 13-May-2009 14:16:37.947 client 127.0.0.1#2490: view external: updating zone 'test.net/IN': adding an RR at 'blah.test.net' A
> 13-May-2009 14:16:37.953 client 127.0.0.1#2490: view external: updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure
>
> "failure" is all it says for a reason.
>
> I looked at the bind source, and there are some more useful error messages about keys etc.
> But all I am getting is "failure".
>
> If I do the same nsupdate without DNSSEC, it works.
> It appears there is something wrong with my setup and the regeneration of the RRSIG/NSEC
> keys is failing. (I have tried it with both NSEC and NSEC3 keys)
>
> I will put together a (simpler) named.conf and zone file that causes this and post that info,
> but I was hoping that maybe somebody has seen this and has an idea.
>
> Thanks
>
> --
> Jack Tavares

Have you told named where the private keys are (key-directory)?

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
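The thread's diagnosis rests on reading named's dynamic-update log lines: an update is approved (TSIG signer and policy accepted), the RR is added, and then RRSIG/NSEC regeneration fails with a bare "failure" or "sign failure". The following is an added example, not code from the thread or from ISC, that parses those lines as they appear above and reports per zone whether signed updates are failing intermittently (approved updates outnumbering signing failures for the same zone, as Jack describes) and whether named reported the "found no private keys" condition that points at key-directory. The two fred.com and six test.net log lines are copied from the thread; the later approved test.net update and the "found no private keys" line are constructed for the example, and the surrounding format of that last line is an assumption, so only its substring is matched.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Added example (not from the bind-users thread or ISC): triage parser for
# named's dynamic-update log lines. It keys on the "client ADDR#PORT: ..."
# tail, so it accepts both syslog-prefixed lines and named's own log format.
CLIENT_RE = re.compile(
    r"client (?P<addr>[^#\s]+)#(?P<port>\d+): "
    r"(?:view (?P<view>[^:]+): )?"
    r"(?P<msg>.*)$"
)
APPROVED_RE = re.compile(r"update '(?P<zone>[^']+)' approved")
ZONE_RE = re.compile(r"updating zone '(?P<zone>[^']+)': (?P<detail>.*)")
SIGN_FAIL_RE = re.compile(r"RRSIG/NSEC(?:/NSEC3)? update failed: (?P<reason>.*)")
# Substring of the error quoted in the thread; the rest of that line's
# format is not shown there, so only the substring is matched (assumption).
NO_KEYS_RE = re.compile(r"found no private keys")

# Sample input: lines copied from the thread plus two constructed lines
# (the second approved update and the missing-private-keys error).
SAMPLE_LOG = [
    "Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view default4: updating zone 'fred.com/IN': adding an RR at 'h2.fred.com' A",
    "Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view default4: updating zone 'fred.com/IN': RRSIG/NSEC update failed: sign failure",
    "13-May-2009 21:58:01.104 zone test.net/IN: found no private keys, unable to generate any signatures",  # constructed
    "13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: updating zone 'test.net/IN': prerequisites are OK",
    "13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: signer \"update.test.net\" approved",
    "13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: update 'test.net/IN' approved",
    "13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: updating zone 'test.net/IN': update section prescan OK",
    "13-May-2009 22:04:59.662 client 127.0.0.1#4638: view external: updating zone 'test.net/IN': adding an RR at 'blarney.test.net' A",
    "13-May-2009 22:04:59.665 client 127.0.0.1#4638: view external: updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure",
    "13-May-2009 22:07:12.010 client 127.0.0.1#4701: view external: update 'test.net/IN' approved",  # constructed: this one succeeded
]


@dataclass
class ZoneStats:
    approved: int = 0        # updates that passed TSIG / update-policy checks
    sign_failures: int = 0   # RRSIG/NSEC(/NSEC3) regeneration failures
    reasons: dict = field(default_factory=lambda: defaultdict(int))
    clients: set = field(default_factory=set)


def parse_client_line(line):
    """Split a log line into (addr, port, view, message); None if it is not a client line."""
    m = CLIENT_RE.search(line)
    if m is None:
        return None
    return m.group("addr"), int(m.group("port")), m.group("view"), m.group("msg")


def summarize(lines):
    """Aggregate update outcomes per zone. Returns (stats_by_zone, no_key_lines)."""
    stats = defaultdict(ZoneStats)
    no_key_lines = []
    for line in lines:
        if NO_KEYS_RE.search(line):
            no_key_lines.append(line.strip())
            continue
        parsed = parse_client_line(line)
        if parsed is None:
            continue
        addr, _port, _view, msg = parsed
        am = APPROVED_RE.search(msg)
        if am:
            stats[am.group("zone")].approved += 1
            stats[am.group("zone")].clients.add(addr)
            continue
        zm = ZONE_RE.search(msg)
        if zm is None:
            continue
        zs = stats[zm.group("zone")]
        zs.clients.add(addr)
        fm = SIGN_FAIL_RE.search(zm.group("detail"))
        if fm:
            zs.sign_failures += 1
            zs.reasons[fm.group("reason")] += 1
    return dict(stats), no_key_lines


def findings(lines):
    """Human-readable triage lines for zones whose signed updates are failing."""
    stats, no_key_lines = summarize(lines)
    out = []
    for zone in sorted(stats):
        zs = stats[zone]
        if zs.sign_failures == 0:
            continue
        reasons = ", ".join(f"{r} x{n}" for r, n in sorted(zs.reasons.items()))
        out.append(
            f"{zone}: {zs.sign_failures} signing failure(s) after {zs.approved} "
            f"approved update(s) from {', '.join(sorted(zs.clients))} [{reasons}]"
        )
        if zs.approved > zs.sign_failures:
            out.append(f"{zone}: intermittent - {zs.sign_failures} of {zs.approved} "
                       f"approved updates failed at signing")
    for line in no_key_lines:
        out.append(f"private keys not found (check key-directory): {line}")
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(f)
```

Run it against a real named log by replacing SAMPLE_LOG with the file's lines; a zone that shows "intermittent" with the same client and key is the pattern the thread describes, while any "private keys not found" finding means named cannot see the zone's private keys where key-directory points.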