Hi list!

I'm trying to understand why my DNS zone refuses to get updated/signed.
After an "rndc reload" I get this in the named-pkcs11 logs:
failed to parse RR entry: resource record DN 'idnsname=mail._domainkey,idnsname=example.com.,cn=dns,dc=example,dc=com'
update_record (syncrepl) failed, resource record DN 'idnsname=mail._domainkey,idnsname=example.com.,cn=dns,dc=example,dc=com' change type 0x1. Records can be outdated, run `rndc reload`: syntax error
zone example.com/IN (signed): could not get zone keys for secure dynamic update
zone example/IN (signed): receive_secure_serial: unchanged

Naturally, I checked the DNSSEC Troubleshoot guide [1]:
- Zone is set to have in-line signing
- It appears on the zone list command to ods-ksmutil
- The KSK and ZSK keys are both active and have not expired
- The [...]/localhsm.py script result looks ok according to the expected results.

The question now is: how can I fix this?
Also, if the only fix is to disable and re-enable DNSSEC, does that have any implications?

Thanks in advance!
Carlos Mogas da Silva

[1] http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work
