Re: "auto-dnssec maintain;" and key "missing or inactive and has no replacement"
On Fri, Jul 26, 2013 at 03:37:46PM +0200, Stephane Bortzmeyer wrote a message of 19 lines which said:

> Apparently, it worked without it but, when you use it, there is no
> longer this undecipherable warning.

Actually, it reappeared:

28-Jul-2013 23:19:29.824 zone example/IN (signed): Key example/RSASHA256/1159 missing or inactive and has no replacement: retaining signatures.

So, as soon as you have only one key, you have the problem :-(

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: "auto-dnssec maintain;" and key "missing or inactive and has no replacement"
On Fri, Jul 26, 2013 at 08:52:04AM +0200, Stephane Bortzmeyer wrote a message of 24 lines which said:

> Yes. I tested with two keys, a KSK and a ZSK and the warning
> disappears.

Another solution, even if using only one key, is to add:

    update-policy local; # Necessary, says the ARM (otherwise, you cannot freeze/thaw)

in the zone configuration. Apparently, it worked without it but, when you use it, there is no longer this undecipherable warning.
Re: "auto-dnssec maintain;" and key "missing or inactive and has no replacement"
On 26 Jul 2013, at 07:52, Stephane Bortzmeyer wrote:

> On Thu, Jul 25, 2013 at 12:05:35AM +0100,
> Tony Finch wrote
> a message of 21 lines which said:
>
>> Does the zone have only one key which is a KSK?
>
> Yes. I tested with two keys, a KSK and a ZSK and the warning
> disappears. Do you mean it is a spurious warning when there is only
> one key (a CSK, as in co.uk)?

Looks like it, but I only took a brief look at the code to find out where the warning came from. I don't know what the other implications might be, if any...

I think the option you want for a CSK zone is update-check-ksk, but I have not tried it myself.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Re: "auto-dnssec maintain;" and key "missing or inactive and has no replacement"
On Fri, Jul 26, 2013 at 08:54:26AM +0200, Stephane Bortzmeyer wrote a message of 23 lines which said:

> I just tried, and same warning:

But only at startup and not afterwards, so it is an improvement.
Re: "auto-dnssec maintain;" and key "missing or inactive and has no replacement"
On Wed, Jul 24, 2013 at 09:58:08AM -0700, David Newman wrote a message of 89 lines which said:

> Not sure if this is the problem, but have you tried with
> "managed-keys-directory" in options instead of "key-directory"?

I just tried, and same warning:

26-Jul-2013 08:53:43.637 running
26-Jul-2013 08:53:43.637 zone example/IN (signed): loaded serial 2013071800
26-Jul-2013 08:53:43.637 zone example/IN (signed): receive_secure_serial: unchanged
26-Jul-2013 08:53:43.637 zone example/IN (signed): sending notifies (serial 2013071800)
26-Jul-2013 08:53:43.637 zone example/IN (signed): reconfiguring zone keys
26-Jul-2013 08:53:43.721 zone example/IN (signed): next key event: 26-Jul-2013 09:03:43.637
26-Jul-2013 08:53:43.805 zone example/IN (signed): Key example/RSASHA256/1159 missing or inactive and has no replacement: retaining signatures.
26-Jul-2013 08:53:48.638 zone example/IN (signed): sending notifies (serial 2013071802)
Re: "auto-dnssec maintain;" and key "missing or inactive and has no replacement"
On Thu, Jul 25, 2013 at 12:05:35AM +0100, Tony Finch wrote a message of 21 lines which said:

> Obvious question: does BIND have permission to read the private key?

Yes, it runs (it is an experimental setup) as the same user which owns the private key file.

> I guess it does since it managed to re-sign.

And to sign, the first time (the zone was unsigned). Indeed.

> Does the zone have only one key which is a KSK?

Yes. I tested with two keys, a KSK and a ZSK and the warning disappears. Do you mean it is a spurious warning when there is only one key (a CSK, as in co.uk)?
Re: "auto-dnssec maintain;" and key "missing or inactive and has no replacement"
Stephane Bortzmeyer wrote:
>
> 24-Jul-2013 07:39:25.480 zone example/IN (signed): Key
> example/RSASHA256/46747 missing or inactive and has no replacement: retaining
> signatures.
>
> Which I do not understand. The key is there:
>
> % ls -lt /tmp/bind/Kexample.+008+46747*
> -rw-r--r-- 1 bortzmeyer bortzmeyer  597 Jul 23 12:02 /tmp/bind/Kexample.+008+46747.key
> -rw------- 1 bortzmeyer bortzmeyer 1776 Jul 23 12:02 /tmp/bind/Kexample.+008+46747.private

Obvious question: does BIND have permission to read the private key? I guess it does since it managed to re-sign.

Does the zone have only one key which is a KSK?

Tony.
--
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
Re: "auto-dnssec maintain;" and key "missing or inactive and has no replacement"
On 7/24/13 2:29 AM, Stephane Bortzmeyer wrote:
> I'm trying "auto-dnssec maintain;" with a BIND 9.9.3-P1. My
> configuration is:
>
> options {
>         directory "/tmp/bind";
>         key-directory "/tmp/bind";

Not sure if this is the problem, but have you tried with "managed-keys-directory" in options instead of "key-directory"? You would still use "key-directory" in each zone statement.

Per the Bind 9 docs, there's a small difference between the two:

http://dotat.at/tmp/arm98/Bv9ARM.ch06.html

key-directory
    When performing dynamic update of secure zones, the directory where the public and private DNSSEC key files should be found, if different than the current working directory. (Note that this option has no effect on the paths for files containing non-DNSSEC keys such as bind.keys, rndc.key or session.key.)

managed-keys-directory
    The directory used to hold the files used to track managed keys. By default it is the working directory. If there are no views then the file managed-keys.bind is used, otherwise a SHA256 hash of the view name is used with .mkeys extension added.

dn

> };
> [rest of the original message quoted unchanged; see the original post below]
"auto-dnssec maintain;" and key "missing or inactive and has no replacement"
I'm trying "auto-dnssec maintain;" with a BIND 9.9.3-P1. My configuration is:

options {
        directory "/tmp/bind";
        key-directory "/tmp/bind";
};

zone "example" {
        type master;
        file "example";
        inline-signing yes;
        auto-dnssec maintain;
};

Apparently, everything works. The key I created and put in /tmp/bind is used, the zone is signed, everyone is happy.

But I get messages:

24-Jul-2013 07:39:25.480 zone example/IN (signed): Key example/RSASHA256/46747 missing or inactive and has no replacement: retaining signatures.

Which I do not understand. The key is there:

% ls -lt /tmp/bind/Kexample.+008+46747*
-rw-r--r-- 1 bortzmeyer bortzmeyer  597 Jul 23 12:02 /tmp/bind/Kexample.+008+46747.key
-rw------- 1 bortzmeyer bortzmeyer 1776 Jul 23 12:02 /tmp/bind/Kexample.+008+46747.private

And is certainly active:

% cat /tmp/bind/Kexample.+008+46747.key
; This is a key-signing key, keyid 46747, for example.
; Created: 2013072315 (Tue Jul 23 12:00:05 2013)
; Publish: 2013072315 (Tue Jul 23 12:00:05 2013)
; Activate: 20130723070226 (Tue Jul 23 09:02:26 2013)
...

And, despite the message "retaining signatures", signatures *are* regenerated periodically, even after the warning:

example.                600     IN RRSIG DNSKEY 8 1 600 20130725045802 (
                                20130724043925 46747 example.
                                rkNJdCp8PV3PzEsVc6efh/mBY3eHZcL3712ELD2g7gte
                                ...
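An audit script for the situation in this thread, added here and not part of the thread or of BIND: it reads the timing metadata of each Kzone.+alg+id.key file in key-directory, reports which keys are active at a given time, checks that the .private half is readable (Tony's question), and flags the single-CSK case in which the warning appeared. The zone name, key id and key material below are constructed placeholders.

```shell
# Added example (not from the thread): audit the key files BIND would find in
# key-directory for a zone; zone name, key id and key material are constructed.
key_meta() {   # $1 = .key file, $2 = Publish|Activate|Inactive|Delete
    sed -n "s/^; $2: \([0-9]*\).*/\1/p" "$1" | head -n 1
}
# State of the key at time $2 (YYYYMMDDHHMMSS UTC, the format dnssec-keygen writes).
key_state() {   # $1 = .key file, $2 = timestamp
    pub=$(key_meta "$1" Publish); act=$(key_meta "$1" Activate)
    inact=$(key_meta "$1" Inactive); del=$(key_meta "$1" Delete)
    if   [ -n "$del" ]   && [ "$del"   -le "$2" ]; then echo deleted
    elif [ -n "$inact" ] && [ "$inact" -le "$2" ]; then echo inactive
    elif [ -n "$act" ]   && [ "$act"   -le "$2" ]; then echo active
    elif [ -n "$pub" ]   && [ "$pub"   -le "$2" ]; then echo published
    else echo not-yet-published; fi
}
# DNSKEY flags field: 257 has the SEP bit (KSK, or a lone CSK), 256 is a ZSK.
key_flags() {   # $1 = .key file
    awk '!/^;/ && /DNSKEY/ { for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i + 1); exit } }' "$1"
}
# One line per key, then the active-key count. Run it as the user named runs as,
# so the .private readability check reflects what BIND actually sees.
audit_keys() {   # $1 = key directory, $2 = zone, $3 = timestamp
    active=0; sep_active=0
    for f in "$1"/K"$2".+*.key; do
        [ -e "$f" ] || continue
        state=$(key_state "$f" "$3"); flags=$(key_flags "$f")
        if [ -r "${f%.key}.private" ]; then priv=readable; else priv=UNREADABLE; fi
        echo "$(basename "$f") flags=$flags state=$state private=$priv"
        if [ "$state" = active ]; then
            active=$((active + 1))
            if [ "$flags" = 257 ]; then sep_active=$((sep_active + 1)); fi
        fi
    done
    if [ "$active" -eq 1 ] && [ "$sep_active" -eq 1 ]; then
        echo "note: one active SEP key (a CSK), the setup in which the thread saw the warning"
    fi
    echo "active keys: $active"
}
# Constructed sample key pair in a temporary key-directory.
keydir=$(mktemp -d)
cat > "$keydir/Kexample.+008+12345.key" <<'EOF'
; This is a key-signing key, keyid 12345, for example.
; Publish: 20130723100000 (constructed)
; Activate: 20130723120005 (constructed)
; Inactive: 20140723120005 (constructed)
example. IN DNSKEY 257 3 8 AwEAAconstructedPlaceholderKeyMaterial==
EOF
: > "$keydir/Kexample.+008+12345.private"; chmod 600 "$keydir/Kexample.+008+12345.private"
audit_keys "$keydir" example 20130724000000
```

Point it at a real key-directory and the real zone name, with the current `date -u +%Y%m%d%H%M%S`, to see which keys BIND can actually use and read at that moment.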