In message <e8c06f8fb84e4c41b5f770a71b8ce75005c7c...@apollo.bluecatnetworks.corp>, "Alexa Petrean" writes:
>
> I've encountered a similar issue when using DSA keys with BIND 9.5.1-P1.
> The dynamic records weren't added to a master zone signed with DSA keys
> - the journal file doesn't get created at all, just similar messages
> logged in syslog:
>
> Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view default4: updating zone 'fred.com/IN': adding an RR at 'h2.fred.com' A
> Mar 19 11:53:23 new named[28753]: client 172.20.210.4#38722: view default4: updating zone 'fred.com/IN': RRSIG/NSEC update failed: sign failure
>
> The solution was to sign every dynamic zone with RSASHA1 keys only.
>
> Alex

DSA requires a good random number generator to be available to named.
RSA only required a good random number generator at key creation time.

> -----Original Message-----
> From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jack Tavares
> Sent: Wednesday, May 13, 2009 4:03 AM
> To: unlisted-recipients
> Cc: bind-users@lists.isc.org
> Subject: RE: error while attempting to use nsupdate on a DNSSEC signed zone
>
> yes.
> And when I previously failed to specify the correct key-directory, I got an error
> "found no private keys, unable to generate any signatures"
>
> I corrected that error and now get the "failure" message
>
> everything is owned by named.
>
>
> options {
>     dnssec-enable yes;
>     dnssec-validation yes;
>     key-directory "/config/namedb";
>
> --
> Jack Tavares
> ________________________________________
> From: mark_andr...@isc.org [mark_andr...@isc.org]
> Sent: Wednesday, May 13, 2009 10:38
> To: Jack Tavares
> Cc: bind-users@lists.isc.org
> Subject: Re: error while attempting to use nsupdate on a DNSSEC signed zone
>
> In message <4b18a8f75a6384449755bc7784073e93603b776...@exch11.olympus.f5net.com>
> > Hello -
> >
> > (bind9.6.0-P1)
> >
> > I have set up a zone that is signed.
> > It is an island of security zone for testing purposes.
> >
> > I have set up a TSIG key and set the allow-update
> > to accept the key.
> >
> > I have followed every step, afaict, in the various
> > how-tos on how to sign a zone.
> >
> > But when I try to do an update, I get an error.
> >
> > All the error says is
> > signer "update.test.net" approved
> > 13-May-2009 14:16:37.947 client 127.0.0.1#2490: view external: updating zone 'test.net/IN': adding an RR at 'blah.test.net' A
> > 13-May-2009 14:16:37.953 client 127.0.0.1#2490: view external: updating zone 'test.net/IN': RRSIG/NSEC/NSEC3 update failed: failure
>
> "failure" is all it says for a reason.
>
> > I looked at the bind source, and there are some more useful error messages about keys etc.
> > But all I am getting is "failure".
> >
> > If I do the same nsupdate without DNSSEC, it works.
> > It appears there is something wrong with my setup and the regeneration of the RRSIG/NSEC
> > keys is failing. (I have tried it with both NSEC and NSEC3 keys)
> >
> > I will put together a (simpler) named.conf and zone file that causes this and post that info,
> > but I was hoping that maybe somebody has seen this and has an idea.
> >
> > Thanks
> >
> > --
> > Jack Tavares
>
> Have you told named where the private keys are (key-directory)?
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
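An added example, not code from BIND or from anyone in this thread, that makes the DSA-versus-RSA point above concrete: a toy DSA signer and a textbook RSA signer in Python with an injectable randomness source, so you can count how many random draws each signature costs. Every value in it is constructed for illustration (the DSA parameters p=607, q=101, g=64, the RSA key n=3233, e=17, d=2753, the sample record, and the helper names CountingRng, EntropyUnavailable, no_entropy); the parameters are far too small to be secure and exist only to show the mechanism.

```python
# Added example, not code from BIND or from anyone in this thread.
# Toy DSA and textbook RSA signers with an injectable randomness source, to show
# why a DSA-signed dynamic zone needs entropy at every re-sign while an RSA-signed
# one needs it only when the key pair is generated. Parameters are tiny and NOT secure.
import hashlib
import secrets

# Constructed toy DSA domain parameters: q | p - 1 and g = 2^((p-1)/q) mod p has order q.
P, Q, G = 607, 101, 64

# Constructed textbook RSA key from p = 61, q = 53: n = 3233, e = 17, d = 2753.
RSA_N, RSA_E, RSA_D = 3233, 17, 2753


class EntropyUnavailable(Exception):
    """Stand-in (hypothetical) for a signer whose random source is missing or unseeded."""


class CountingRng:
    """Wraps a randomness source and counts how many draws the signer makes."""

    def __init__(self, source=lambda: secrets.randbelow(1 << 32)):
        self.source = source
        self.draws = 0

    def __call__(self) -> int:
        self.draws += 1
        return self.source()


def no_entropy() -> int:
    """A randomness source that has nothing to give."""
    raise EntropyUnavailable("no usable random source")


def hash_to_int(msg: bytes, modulus: int) -> int:
    """Hash the message and reduce it into the signing group (SHA-256 here)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % modulus


def dsa_keygen(rng):
    """Private x in [1, q-1] and public y = g^x mod p; one random draw."""
    x = 1 + rng() % (Q - 1)
    return x, pow(G, x, P)


def dsa_sign(x: int, msg: bytes, rng):
    """DSA needs a fresh secret nonce k for every signature; that draw is the
    run-time randomness named needs when it re-signs a dynamically updated zone."""
    h = hash_to_int(msg, Q)
    while True:
        k = 1 + rng() % (Q - 1)          # new secret nonce per signature
        r = pow(G, k, P) % Q
        if r == 0:
            continue
        s = (pow(k, -1, Q) * (h + x * r)) % Q
        if s != 0:
            return r, s


def dsa_verify(y: int, msg: bytes, sig) -> bool:
    """Standard DSA verification: recompute g^k from (r, s) and compare with r."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = (hash_to_int(msg, Q) * w) % Q, (r * w) % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r


def rsa_sign(msg: bytes) -> int:
    """Textbook RSA signature m^d mod n: no rng parameter, same output every time."""
    return pow(hash_to_int(msg, RSA_N), RSA_D, RSA_N)


def rsa_verify(msg: bytes, sig: int) -> bool:
    return pow(sig, RSA_E, RSA_N) == hash_to_int(msg, RSA_N)


def demo(msg: bytes = b"h2.fred.com. 3600 IN A 192.0.2.1") -> dict:
    """Sign one constructed record both ways and report where randomness was consumed."""
    rng = CountingRng()
    x, y = dsa_keygen(rng)
    draws_for_keygen = rng.draws
    sig1 = dsa_sign(x, msg, rng)
    sig2 = dsa_sign(x, msg, rng)
    # A signer with no entropy cannot produce a DSA signature at all: the
    # analogue of named's "RRSIG/NSEC update failed: sign failure".
    try:
        dsa_sign(x, msg, CountingRng(no_entropy))
        dsa_failed_without_entropy = False
    except EntropyUnavailable:
        dsa_failed_without_entropy = True
    return {
        "dsa_draws_for_keygen": draws_for_keygen,
        "dsa_draws_for_two_signatures": rng.draws - draws_for_keygen,
        "dsa_signatures_valid": dsa_verify(y, msg, sig1) and dsa_verify(y, msg, sig2),
        "dsa_failed_without_entropy": dsa_failed_without_entropy,
        "rsa_deterministic": rsa_sign(msg) == rsa_sign(msg),
        "rsa_signature_valid": rsa_verify(msg, rsa_sign(msg)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the DSA path drawing from the randomness source once at key generation and again for every signature (two valid signatures over the same record come out different), while the RSA path takes no rng at all and signs identically each time; with an empty entropy source the DSA signer cannot complete at all. That is the operational difference behind signing a dynamically updated zone with RSA-family keys when the server's random source is not reliable, and it is also why a server that re-signs on every update should be checked for a working entropy source rather than just for the presence of the private key files.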