Antti,

Glad it works again :)

Yes, those timestamps can be all equal (makes sense for created .. active). Some confusion could only arise if they were in the wrong time order.

Libor


On 27.6.2017 at 08:51, Antti Ristimäki wrote:
Hi Libor,

OK, I just did set the publish, ready and active timing parameters
manually on the keys and now it works again.

By the way, is it OK if all those three timestamps are the same or does
it cause some confusion to Knot?

Antti


On 27.06.2017 08:33, libor.pel...@nic.cz wrote:
Hi Antti,

what shows up to be wrong is:

public no, ready no, active yes

You shall be able to fix it by setting the keys' timing via keymgr in
such a way that publish, ready and active times would be in the past;
retire and remove times in the future.

If you still have any problems, please send us the output of keymgr
list command.

Unfortunately, I have no idea how this could happen. If you find out
how to reproduce the issue, I would be very glad.

Thanks much,

Libor


On 27.6.2017 at 06:25, Antti Ristimäki wrote:
Hi,

My Knot DNS was upgraded from 2.5.1 to 2.5.2 and now it is unable to
load zone DNSSEC keys. Below are some relevant logs:

Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] zone will be loaded
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] DNSSEC, loaded key, tag 14223, algorithm 8, KSK no, ZSK yes, public no, ready no, active yes
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] DNSSEC, loaded key, tag 61894, algorithm 8, KSK yes, ZSK no, public no, ready no, active yes
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] DNSSEC, keys validation failed (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] DNSSEC, failed to load keys (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: 2017-06-27T07:10:03 error: [nxdomain.fi.] DNSSEC, failed to load keys (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] zone event 'load' failed (no keys for signing)

When running "keymgr nxdomain.fi list", the keys are listed, though. I
have also checked that the /var/lib/knot and everything under it is
owned by knot:knot, so this shouldn't be a file permission issue. I also
tried to manually set the key timing argument, but it didn't make any
difference.

Antti
_______________________________________________
knot-dns-users mailing list
knot-dns-users@lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
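
A check built from the log lines in this thread, as an added example that is not part of the original messages or of Knot DNS: it rejoins mail-wrapped syslog entries and lists keys logged as active while not public, the state Libor pointed out as wrong. Treating that combination as the fault condition is an assumption drawn from his reply, and the function names are hypothetical.

```python
import re

# Log lines copied from the thread, with the e-mail line wrapping left in.
SAMPLE_LOG = """\
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] DNSSEC,
loaded key, tag 14223, algorithm 8, KSK no, ZSK yes, public no, ready
no, active yes
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] DNSSEC,
loaded key, tag 61894, algorithm 8, KSK yes, ZSK no, public no, ready
no, active yes
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] DNSSEC, keys
validation failed (no keys for signing)
"""
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
KEY_LINE = re.compile(
    r"\[(?P<zone>[^\]]+)\] DNSSEC, loaded key, tag (?P<tag>\d+), "
    r"algorithm (?P<alg>\d+), KSK (?P<ksk>yes|no), ZSK (?P<zsk>yes|no), "
    r"public (?P<public>yes|no), ready (?P<ready>yes|no), active (?P<active>yes|no)"
)
NO_KEYS = re.compile(r"error: \[([^\]]+)\] DNSSEC, .*\(no keys for signing\)")

def unwrap(text):
    """Rejoin entries that a mail client wrapped across several lines."""
    entries = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def inconsistent_keys(text):
    """Return (zone, tag, role) for keys logged as active but not public."""
    found = []
    for entry in unwrap(text):
        m = KEY_LINE.search(entry)
        if m and m["active"] == "yes" and m["public"] == "no":
            role = "KSK" if m["ksk"] == "yes" else "ZSK"
            found.append((m["zone"], int(m["tag"]), role))
    return found

def signing_failed(text):
    """Return the zones whose log shows the 'no keys for signing' error."""
    hits = (NO_KEYS.search(entry) for entry in unwrap(text))
    return sorted({m.group(1) for m in hits if m})

if __name__ == "__main__":
    for zone, tag, role in inconsistent_keys(SAMPLE_LOG):
        print(f"{zone} {role} tag {tag}: active but not public, check key timers")
    print("zones failing to sign:", signing_failed(SAMPLE_LOG))
```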
