https://kb.isc.org/article/AA-00320/0/Why-cant-named-update-slave-zone-database-files-slave-journal-files-and-master-zones-from-journals-.html

In message <1497474665849-3948.p...@n4.nabble.com>, Latitude writes:
> Thanks for your reply Tony. Great references. I've got the ARM for 9.8.2
> handy but thank you for sending the link to your article and pointing me out
> to Section 4.9.3 Fully Automatic Signing. It's been helpful to confirm zone
> RRSIGs can refresh automatically.
>
> A zone that was signed with a sigvalidity period to be refreshed every 7
> days is not being refreshed and I'm trying to troubleshoot. I've given the
> zone statement the *auto-dnssec maintain;* and *update-policy local;*
> statements as described, and I'm getting the error below repeatedly in my
> /var/log/message feed:
>
> *info: zone <zone name>/IN: reconfiguring zone keys
> <zone name>.jnl: create: permission denied
> named[5952]: 14-Jun-2017 20:38:08.640 general: error: zone <zone name>/IN:
> zone_rekey:dns_journal_open -> unexpected error*
>
> The user *named* has the rwx permissions on the directory containing the
> source zone file and the DNSSEC-signed zone file <zone-name>.signed. This
> installation is BIND chrooted so the absolute path is
> */var/named/chroot/var/named/*. Is BIND trying to create the .jnl file in
> this directory (*/var/named/chroot/var/named/*) and failing to do so? If
> so, I don't see why it's having an issue because user:group ownership of the
> /var/named/chroot/var/named directory is named:named and permissions are set
> to 750 on it. I believe this could be the clue to why my zone RRSIG isn't
> being refreshed. A lot of Google searching for this error hasn't yielded
> anything to help my situation either. Thank you in advance for any input.
>
> Below are my named.conf and zone statement file excerpts for reference:
>
> named.conf file DNSSEC options:
>
> // DNSSEC options
> dnssec-enable yes;
> dnssec-validation yes;
> dnssec-lookaside auto;
> sig-validity-interval 7 2; //RRSIG validity period, BIND 9 ARM, Chapter 6
> key-directory "/etc/keys/dnssec"; //Directory containing all DNSSEC keys
>
> //Zone statement
> zone "<zone-name>" {
>     type master;
>     update-policy local;
>     file "db.<zone-name>.signed";
>     auto-dnssec maintain;
>     allow-query { any; };
>     allow-transfer { xfers; };
> };
>
> --
> View this message in context:
> http://bind-users-forum.2342410.n4.nabble.com/Automatic-RRSIG-Refresh-in-BIND-9-8-2-tp3946p3948.html
> Sent from the Bind-Users forum mailing list archive at Nabble.com.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
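
Added example, not part of the original thread and not ISC code: a Python check of the classic mode bits along the path to the zone directory inside the chroot, for the `<zone name>.jnl: create: permission denied` error quoted above. It assumes named's default of creating the journal beside the zone file; `lacks`, `journal_blockers` and the temporary tree in `demo` are constructed for illustration, and SELinux or ACL denials are outside what it checks.

```python
import os
import tempfile

def lacks(st, uid, gids, need):
    """Return the rwx letters in `need` that the mode bits deny to uid/gids."""
    if st.st_uid == uid:
        shift = 6            # owner triplet applies
    elif st.st_gid in gids:
        shift = 3            # group triplet applies
    else:
        shift = 0            # "other" triplet applies
    granted = (st.st_mode >> shift) & 0o7
    return "".join(c for c, bit in (("r", 4), ("w", 2), ("x", 1))
                   if c in need and not granted & bit)

def journal_blockers(chroot, zone_dir, uid, gids):
    """List (path, missing_bits) that stop uid creating a .jnl in zone_dir.

    zone_dir is the path as named sees it inside the chroot (e.g. /var/named).
    Every directory on the way needs x; the zone directory needs w and x.
    Mode bits only: SELinux contexts and POSIX ACLs are not examined.
    """
    blockers = []
    path = os.path.realpath(chroot)
    parts = [p for p in zone_dir.split("/") if p]
    for i, part in enumerate([""] + parts):
        path = os.path.join(path, part) if part else path
        need = "wx" if i == len(parts) else "x"
        missing = lacks(os.stat(path), uid, gids, need)
        if missing:
            blockers.append((path, missing))
    return blockers

def demo():
    """Constructed tree <tmp>/var/named owned by the current user."""
    uid, gids = os.getuid(), set(os.getgroups()) | {os.getgid()}
    with tempfile.TemporaryDirectory() as chroot:
        zone = os.path.join(chroot, "var", "named")
        os.makedirs(zone)
        os.chmod(zone, 0o750)
        ok = journal_blockers(chroot, "/var/named", uid, gids)
        os.chmod(zone, 0o550)    # constructed failure: write bit removed
        bad = journal_blockers(chroot, "/var/named", uid, gids)
        os.chmod(zone, 0o750)    # restore so the cleanup can remove it
        return ok, bad

if __name__ == "__main__":
    print(demo())
```

On a real server, pass the chroot path from the post together with the uid and group ids of the account named runs as (for example from `pwd.getpwnam` and `os.getgrouplist`).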