Hi all,

And so did I, following http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured:

ipa-dns-install --dnssec-master

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup DNS for the FreeIPA Server.

This includes:
  * Configure DNS (bind)
  * Configure SoftHSM (required by DNSSEC)
  * Configure ipa-dnskeysyncd (required by DNSSEC)
  * Configure ipa-ods-exporter (required by DNSSEC key master)
  * Configure OpenDNSSEC (required by DNSSEC key master)
  * Generate DNSSEC master key (required by DNSSEC key master)

NOTE: DNSSEC zone signing is not enabled by default

Plan carefully, replacing DNSSEC key master is not recommended


To accept the default shown in brackets, press the Enter key.

Do you want to setup this IPA server as DNSSEC key master? [no]: yes
DNSSEC signing is already enabled for following zone(s): example.com.
Installation cannot continue without the OpenDNSSEC database file from the original DNSSEC master server.
Please use option --kasp-db to specify location of the kasp.db file copied from the original DNSSEC master server.
WARNING: Zones will become unavailable if you do not provide the original kasp.db file.

However, it seems I don't have a key; that was the problem in the first place...

Anyway, trying to continue:

bash-4.3$ ods-ksmutil zone list
zonelist filename set to /etc/opendnssec/zonelist.xml.
Cannot open destination file, will not make backup.
No zones in DB or zonelist.

Indeed, the file /etc/opendnssec/zonelist.xml is the one installed by default, containing only the unused example zones.

Also, python2 /usr/lib/python2.*/site-packages/ipapython/dnssec/localhsm.py does not show any zone private keys.

It still looks like these are not created.

So, it still looks like DNSSEC signing is enabled, but the key is not there.

Winny

On 22-02-16 at 16:31, Petr Spacek wrote:
On 22.2.2016 14:02, Winfried de Heiden wrote:
Hi all,

Following 
http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work was 
most useful. It turned out the package "freeipa-server-dns" was missing. 
Strange, I am running DNS, but...:

  * I upgraded from Fedora 22 to 23, including upgrading from IPA 4.1 to 4.2.
  * Also: I'm running this on a Bananapi "server".....
  * There's no slave.


Anyway, ipa dnszone-show tells me DNSSEC was enabled:


    Allow in-line DNSSEC signing: TRUE

but most likely due to the missing freeipa-server-dns it was missing 
dependencies as well, for example the package opendnssec was missing.

After installing freeipa-server-dns all packages seem to be in place, but the 
kasp.db file is empty:

[root@ipa ~]# ls -l /var/opendnssec/kasp.db
-rw-rw----. 1 ods ods 0 Feb 22 11:29 /var/opendnssec/kasp.db

No wonder I still get messages like "could not get zone keys".

Shouldn't a key be added? How? (without blowing the current DNS....)

DNSSEC key master should do that automatically.

Please continue with next steps as described on
http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured
and we will see.

Petr^2 Spacek

Winny


On 22-02-16 at 11:10, Petr Spacek wrote:
On 22.2.2016 09:36, Winfried de Heiden wrote:
Hi all,

I get lots of messages in my log (journalctl -u named-pkcs11.service -p err)
like these:

Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update
Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): receive_secure_serial: not found
Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update
Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): receive_secure_serial: not found
Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update
Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): receive_secure_serial: not found

What's going wrong here, how to fix it?

Hello,

this might have multiple reasons.

Please walk step-by-step through the following page:
http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work

Additional questions:
* What version of FreeIPA and on what platform do you use?
* Is the zone signed on DNSSEC key master or on replica? Does it work on one
FreeIPA server but not on some other server?
* Did you change something lately?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
