Dear All,

For a long time already, I have been using a bind master DNS server based on Debian, 
set up via webmin. It is currently Debian Stretch with bind 9.10. I am using 
DNSSEC.

The webmin setup leads to all keys being stored in /var/lib/bind. The naming 
scheme is K[fqdn]+number+keyid.key or .private. There is one key-signing key 
and one zone-signing key for each fqdn. Re-signing works via a perl script / 
cronjob shipped by webmin.

To be able to generate future letsencrypt wildcard certificates, I would like 
to implant acme challenges as TXT records via DNS. When using nsupdate, the DNSSEC 
signing becomes troublesome. The error message in update_debug.log is:

Date/Time info: client IP#36210/key nsupdate: updating zone 'fqdn/IN': adding an RR at '_acme-challenge.fqdn' TXT "..."
Date/Time error: client IP#36210/key nsupdate: updating zone 'fqdn/IN': found no active private keys, unable to generate any signatures
Date/Time error: client IP#36210/key nsupdate: updating zone 'fqdn/IN': RRSIG/NSEC/NSEC3 update failed: not found

Looking further, bind.log shows:
Date/Time general: warning: dns_dnssec_findzonekeys2: error reading private key file fqdn/ECDSAP384SHA384/41844: file not found
Date/Time general: warning: dns_dnssec_findzonekeys2: error reading private key file fqdn/ECDSAP384SHA384/55203: file not found

The numbers 41844 and 55203 are the very key IDs for which keys do exist in the 
traditional K... format in /var/lib/bind. Of course, /var/lib/bind is also set as 
the key directory. The keys are certainly readable without permission 
problems. The error does not go away even if you make them 777.

Please inform me what the issue is and what to do. Is there a change in the key 
naming scheme? What would the new names look like? I can certainly create one 
directory per fqdn under /var/lib/bind/ and then one subdirectory 
ECDSAP384SHA384, but what would be the (two?) files in 41844 and 55203? Is there 
a way to convert?

Thank you very much for your efforts!

Michael Schefczyk
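A check a reader might run before guessing at directory layouts, added here as an example and not part of the original post or of BIND/webmin: it takes the "error reading private key file zone/ALG/keyid" warnings from bind.log, derives the K-file name named looks for in its key directory (K<zone>.+<algorithm number, 3 digits>+<keyid, 5 digits>.key/.private), and reports whether each file is present and readable. The zone example.test, the key ids and the temporary key directory are constructed samples.

```shell
#!/bin/sh
# Added example: map bind.log "error reading private key file" warnings to the
# K-file names named expects and check they exist in the key directory.
# Zone, key ids and the temporary directory used in demo() are constructed.

# Algorithm mnemonic (as logged) -> number used in K-file names.
alg_number() {
  case "$1" in
    RSASHA1) echo 5 ;;           NSEC3RSASHA1) echo 7 ;;
    RSASHA256) echo 8 ;;         RSASHA512) echo 10 ;;
    ECDSAP256SHA256) echo 13 ;;  ECDSAP384SHA384) echo 14 ;;
    ED25519) echo 15 ;;          ED448) echo 16 ;;
    *) return 1 ;;
  esac
}

# keyfile_base ZONE ALG KEYID -> e.g. "Kexample.test.+014+41844" (trailing dot normalised)
keyfile_base() {
  num=$(alg_number "$2") || return 1
  printf 'K%s.+%03d+%05d' "${1%.}" "$num" "$3"
}

# parse_warning LOGLINE -> "zone ALG keyid" (prints nothing if the line does not match)
parse_warning() {
  printf '%s\n' "$1" |
    sed -n 's#.*error reading private key file \([^/ ]*\)/\([^/]*\)/\([0-9]*\):.*#\1 \2 \3#p'
}

# check_warning KEYDIR LOGLINE -> one "ok <path>" or "missing <path>" line per file
check_warning() {
  keydir=$1
  set -- $(parse_warning "$2")
  [ $# -eq 3 ] || return 1
  base=$(keyfile_base "$1" "$2" "$3") || { echo "unknown algorithm $2"; return 1; }
  for ext in key private; do
    f="$keydir/$base.$ext"
    if [ -r "$f" ]; then echo "ok $f"; else echo "missing $f"; fi
  done
}

# Demo on a constructed key directory: key 41844 is complete, 55203 lacks its .private.
demo() {
  dir=$(mktemp -d)
  touch "$dir/Kexample.test.+014+41844.key" "$dir/Kexample.test.+014+41844.private" \
        "$dir/Kexample.test.+014+55203.key"
  printf '%s\n' \
    'Date/Time general: warning: dns_dnssec_findzonekeys2: error reading private key file example.test/ECDSAP384SHA384/41844: file not found' \
    'Date/Time general: warning: dns_dnssec_findzonekeys2: error reading private key file example.test/ECDSAP384SHA384/55203: file not found' |
    while IFS= read -r line; do check_warning "$dir" "$line"; done
  rm -rf "$dir"
}
demo
```

Run it as the user named runs as (or with the key directory from named.conf in place of the temporary one) so the readability test reflects what the daemon actually sees.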

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users