Hi list!

I'm trying to understand why my DNS zone refuses to get updated/signed.
After an "rndc reload" I get this in the named-pkcs11 logs:
<....>
failed to parse RR entry: resource record DN 'idnsname=mail._domainkey,idnsname=example.com.,cn=dns,dc=example,dc=com'
<....>
update_record (syncrepl) failed, resource record DN 'idnsname=mail._domainkey,idnsname=example.com.,cn=dns,dc=example,dc=com' change type 0x1. Records can be outdated, run `rndc reload`: syntax error
<....>
zone example.com/IN (signed): could not get zone keys for secure dynamic update
zone example/IN (signed): receive_secure_serial: unchanged
<....>


Naturally, I checked the DNSSEC Troubleshoot guide [1]:
- Zone is set to have in-line signing
- It appears on the zone list command to ods-ksmutil
- The KSK and ZSK keys are both active and have not expired
- The [...]/localhsm.py script result looks ok according to the expected results.


The question now is: how can I fix this?
Also, if the only fix is to disable and re-enable DNSSEC, does that have any implications?


Thanks in advance!
Carlos Mogas da Silva


[1] http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
