We're prototyping dnssec with bind 9.7.1, and ran into a strange issue where it looks like bind is trying to automatically resign non-dynamic zones when the signatures are going to expire.
Our zones are signed by an external process, and all bind is supposed to do is serve them 8-/. Zones are signed whenever contents change, or at least monthly to prevent the signatures from expiring. One of the zones hadn't been changed all month so far, and the signatures were only valid for 7 more days, when suddenly these errors popped up in the logs:

Aug 28 10:33:37 atlas named[4001]: dns_dnssec_findzonekeys2: error reading private key file calpolypomona.org/RSASHA256/19218: file not found
Aug 28 10:33:37 atlas named[4001]: dns_dnssec_findzonekeys2: error reading private key file calpolypomona.org/RSASHA256/10476: file not found
Aug 28 10:33:37 atlas named[4001]: dns_dnssec_findzonekeys2: error reading private key file calpolypomona.org/RSASHA256/60885: file not found
Aug 28 10:33:37 atlas named[4001]: dns_dnssec_findzonekeys2: error reading private key file calpolypomona.org/RSASHA256/60649: file not found
Aug 28 10:33:37 atlas named[4001]: dns_dnssec_findzonekeys2: error reading private key file calpolypomona.org/RSASHA256/18097: file not found
Aug 28 10:33:37 atlas named[4001]: /var/lib/bind/cpp/calpolypomona.org_external.jnl: create: permission denied
Aug 28 10:33:37 atlas named[4001]: zone calpolypomona.org/IN/external: zone_resigninc:dns_journal_open -> unexpected error
Aug 28 10:33:37 atlas named[4001]: zone calpolypomona.org/IN/external: sending notifies (serial 2010080101)
Aug 28 10:33:53 atlas named[4001]: dns_dnssec_findzonekeys2: error reading private key file calpolypomona.org/RSASHA256/19218: file not found
Aug 28 10:33:53 atlas named[4001]: dns_dnssec_findzonekeys2: error reading private key file calpolypomona.org/RSASHA256/10476: file not found
Aug 28 10:33:53 atlas named[4001]: dns_dnssec_findzonekeys2: error reading private key file calpolypomona.org/RSASHA256/60885: file not found
Aug 28 10:33:53 atlas named[4001]: dns_dnssec_findzonekeys2: error reading private key file calpolypomona.org/RSASHA256/60649: file not found
Aug 28 10:33:53 atlas named[4001]: dns_dnssec_findzonekeys2: error reading private key file calpolypomona.org/RSASHA256/18097: file not found
Aug 28 10:33:53 atlas named[4001]: /var/lib/bind/cpp/calpolypomona.org_external.jnl: create: permission denied
Aug 28 10:33:53 atlas named[4001]: zone calpolypomona.org/IN/external: zone_resigninc:dns_journal_open -> unexpected error
Aug 28 10:33:53 atlas named[4001]: zone calpolypomona.org/IN/external: sending notifies (serial 2010080102)
[...]
Aug 28 10:35:14 atlas named[4001]: zone calpolypomona.org/IN/external: setting keywarntime to 1283664914 - 7 days

It seems like it noticed there were only 7 days of signature validity left, and decided it would just go ahead and resign. The zones are *not* dynamic; the bind service account (as demonstrated by the permission denied errors) doesn't even have write permission on the directories in which the zone files are stored. The authoritative serial in the file on disk is 2010080100, yet it started bumping the serial on the zone in memory higher (and passing that on to the secondaries, which would have broken any actual updates that might have been performed).

From reviewing the manual, this behavior should only occur if the zones are dynamic *and* auto-dnssec is enabled, neither of which is true. Bug?

Thanks...

--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | hen...@csupomona.edu
California State Polytechnic University | Pomona CA 91768

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
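The post's operational model (sign on change, resign at least monthly, never let RRSIGs approach expiry) relies on someone noticing how much signature validity is left before the server does. The script below is an added example, not code from the post or from ISC; it scans a signed zone file in presentation format, pulls the expiration field out of every RRSIG (RFC 4034 allows either YYYYMMDDHHmmSS or a bare seconds-since-epoch integer, both UTC), and reports the earliest expiry plus every (owner, type) pair inside a 7-day window, the same window BIND logged as keywarntime above. The zone name, key tags, timestamps and signatures in SAMPLE_ZONE are constructed for the example; the same time parser decodes the epoch-style value printed in the keywarntime log line.

```python
"""Report remaining RRSIG validity in a signed zone file (added example)."""
from datetime import datetime, timezone

# Constructed sample in the shape of dnssec-signzone output. Zone name, key
# tags, timestamps and signature data are made up for this example.
SAMPLE_ZONE = """\
example.net.     3600 IN SOA   ns1.example.net. hostmaster.example.net. 2010080100 7200 900 1209600 3600
example.net.     3600 IN RRSIG SOA 8 2 3600 20100905053514 20100806053514 19218 example.net. c2lnPQ==
example.net.     3600 IN NS    ns1.example.net.
example.net.     3600 IN RRSIG NS 8 2 3600 20100920000000 20100821000000 19218 example.net. c2lnPQ==
www.example.net.  300 IN A     192.0.2.10
www.example.net.  300 IN RRSIG A 8 3 300 20100905053514 20100806053514 60885 example.net. c2lnPQ==  ; trailing comment
"""


def parse_rrsig_time(field):
    """Decode an RRSIG inception/expiration field: YYYYMMDDHHmmSS
    (RFC 4034 section 3.2) or a bare seconds-since-epoch integer. Both are UTC."""
    if len(field) == 14 and field.isdigit():
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsigs(zone_text):
    """Yield (owner, type_covered, expiration, key_tag) for each RRSIG line.
    RDATA order after the RRSIG token: type covered, algorithm, labels,
    original TTL, expiration, inception, key tag, signer name, signature."""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        fields = line.split()
        if "RRSIG" not in fields:
            continue
        rdata = fields[fields.index("RRSIG") + 1:]
        if len(rdata) < 9:
            continue  # multi-line or truncated record: skip rather than guess
        yield fields[0], rdata[0], parse_rrsig_time(rdata[4]), int(rdata[6])


def signature_status(zone_text, now=None, warn_days=7):
    """Summarise remaining validity: earliest expiration (ISO 8601), whole
    seconds until it, and the sorted (owner, type) pairs whose RRSIGs expire
    within warn_days of `now`."""
    now = now or datetime.now(timezone.utc)
    sigs = list(parse_rrsigs(zone_text))
    if not sigs:
        return {"earliest_expiration": None, "seconds_remaining": None, "expiring_soon": []}
    earliest = min(exp for _, _, exp, _ in sigs)
    window = warn_days * 86400
    soon = sorted({(owner, rtype) for owner, rtype, exp, _ in sigs
                   if (exp - now).total_seconds() <= window})
    return {
        "earliest_expiration": earliest.isoformat(),
        "seconds_remaining": int((earliest - now).total_seconds()),
        "expiring_soon": soon,
    }


if __name__ == "__main__":
    import sys
    # Usage: python rrsig_check.py /path/to/signed/zone  (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    print(signature_status(text))
```

Run against the real signed zone file from a cron job and alert when `expiring_soon` is non-empty; with a monthly resign cadence and a one-month validity period that list should always be empty, and a non-empty result is the early warning that the external signer has not run.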