On 3.5.2016 02:40, Gary T. Giesen wrote:
> I've followed the guide at https://www.freeipa.org/page/Howto/DNSSEC to
> configure DNSSEC support in my FreeIPA 4.2/CentOS 7.2 installation, but I've
> been unable for the life of me to get it to sign zones. I've followed the
> steps at
> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work but
> as yet have been unable to get signing to work.
>
> # ipa dnszone-show example.com
> Zone name: example.com.
> Active zone: TRUE
> Authoritative nameserver: host.example.com.
> Administrator e-mail address: hostmaster.example.com.
> SOA serial: 1462235022
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> Allow query: any;
> Allow transfer: none;
> Allow in-line DNSSEC signing: TRUE
>
> ################################################################################
>
> ldapsearch -Y GSSAPI '(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'
> SASL/GSSAPI authentication started
> SASL username: ad...@example.com
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=com> (default) with scope subtree
> # filter: (&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))
> # requesting: ALL
> #
>
> # DNSSEC, host.example.com, masters, ipa, etc, example.com
> dn: cn=DNSSEC,cn=host.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
> objectClass: ipaConfigObject
> objectClass: nsContainer
> objectClass: top
> ipaConfigString: dnssecKeyMaster
> ipaConfigString: startOrder 100
> ipaConfigString: enabledService
> cn: DNSSEC
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> ################################################################################
>
> # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-ods-exporter Service: STOPPED
> ods-enforcerd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> ################################################################################
>
> $ ods-ksmutil zone list
> zonelist filename set to /etc/opendnssec/zonelist.xml.
> No zones in DB or zonelist.
Okay, this is a problem. It should list your zone example.com because it has
DNSSEC signing enabled.

Make sure you are working on host.example.com (the host listed by the
ldapsearch above).

I would check two things:
1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1". If it
does not, re-run ipa-dns-install with --dnssec-master option to fix that.
2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and make
sure that it contains line "debug=True" and restart ipa-dnskeysyncd when
you are done with it. The log should be much longer after this change.
I hope it will help to identify the root cause.

What IPA version do you use?
$ rpm -q freeipa-server

Petr^2 Spacek

> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had no
> effect. The only log entries I see are:
>
> # journalctl -u ipa-dnskeysyncd
>
> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa : INFO Signal 15 received: Shutting down!
> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING: session memcached servers not running
> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO LDAP bind...
> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO Commencing sync process
>
>
> Can anyone advise on next steps? I've been banging my head against a wall
> for a couple days now and would really appreciate some help.
> --

Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
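A small shell helper that automates the two file checks suggested in the reply above and reads `ods-ksmutil zone list` output, added here as an example and not part of the thread or of FreeIPA. The default paths are the files named in the thread; the function names (`get_setting`, `check_ismaster`, `check_debug`, `zone_in_ods_list`, `report`) are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: automates the checks suggested for
# a FreeIPA DNSSEC key master. Paths default to the files named in the thread;
# pass other paths to run it against constructed test files.

# get_setting FILE KEY: print the value of "KEY=VALUE" (last match wins).
# Commented-out lines such as "#ISMASTER=1" do not count. Fails if KEY is absent.
get_setting() {
    file=$1; key=$2
    [ -r "$file" ] || return 1
    val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" \
              "$file" | tail -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# check_ismaster [FILE]: succeeds only if ISMASTER=1 is set, i.e. this host
# was installed with ipa-dns-install --dnssec-master.
check_ismaster() {
    [ "$(get_setting "${1:-/etc/sysconfig/ipa-dnskeysyncd}" ISMASTER)" = 1 ]
}

# check_debug [FILE]: succeeds only if debug=True is set. Section headers such
# as [global] are not tracked, so the key is assumed to appear once per file.
check_debug() {
    [ "$(get_setting "${1:-/etc/ipa/default.conf}" debug)" = True ]
}

# zone_in_ods_list ZONE: reads `ods-ksmutil zone list` output on stdin and
# succeeds only if ZONE is listed. The thread's output ("No zones in DB or
# zonelist.") makes this fail, which is the symptom being chased.
zone_in_ods_list() {
    grep -qiwF -- "$1"
}

# report [SYSCONFIG] [DEFAULTCONF]: print PASS/FAIL per check; exit 1 on any FAIL.
report() {
    rc=0
    if check_ismaster "$1"; then echo "PASS ISMASTER=1"; else echo "FAIL ISMASTER=1 missing"; rc=1; fi
    if check_debug "$2"; then echo "PASS debug=True"; else echo "FAIL debug=True missing"; rc=1; fi
    return $rc
}
```

Run `report` with no arguments on the key master; a FAIL on the first line points at the missing --dnssec-master installation step, and `ods-ksmutil zone list | zone_in_ods_list example.com` tells you whether OpenDNSSEC has picked the zone up.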