Re: auto-dnssec maintain stoped working again...

2011-10-03 Thread Mark Andrews

In message 20111002161255.GG11782@michelle1, Michelle Konzack writes:
 Hello Hauke Lampe,
 
 On 2011-10-01 02:02:56, you hacked down the following:
  Do you mean expired signatures or no signatures at all?
 
 I have expired signatures...
 
  In the latter case, have you checked that the zone's keys are readable
  by named and still active?
 
 Ehm yes
 
 root@dns1 /etc/bind # ls -Al /etc/bind/master/net/tamay-dogan/*tamay-dogan*
 -rw-r--r-- 1 bind adm  502 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/KSK_Kintranet1.tamay-dogan.net.+005+12154.key
 -rw------- 1 bind adm 1.2K Oct  2 18:01 /etc/bind/master/net/tamay-dogan/KSK_Kintranet1.tamay-dogan.net.+005+12154.private
 -rw-r--r-- 1 bind adm  502 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/KSK_Kintranet2.tamay-dogan.net.+005+45271.key
 -rw------- 1 bind adm 1.2K Oct  2 18:01 /etc/bind/master/net/tamay-dogan/KSK_Kintranet2.tamay-dogan.net.+005+45271.private
 -rw-rw-r-- 1 bind adm 2.2K Jul  3 17:10 /etc/bind/master/net/tamay-dogan/net.tamay-dogan
 -rw-rw-r-- 1 bind adm  249 Jun 17 22:33 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.conf
 -rw-r--r-- 1 bind adm  256 Jul  3 17:10 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.conf.signed
 -rw-rw-r-- 1 bind adm 1.1K Oct  2 18:01 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet1
 -rw-rw-r-- 1 bind adm  238 Oct  2 17:59 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet1.conf
 -rw-r--r-- 1 bind adm  245 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet1.conf.signed
 -rw-r--r-- 1 bind adm  13K Oct  2 18:01 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet1.signed
 -rw-rw-r-- 1 bind adm  798 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet2
 -rw-rw-r-- 1 bind adm  238 Oct  2 17:59 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet2.conf
 -rw-r--r-- 1 bind adm  245 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet2.conf.signed
 -rw-r--r-- 1 bind adm 8.2K Oct  2 18:01 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet2.signed
 -rw-r--r-- 1 bind adm 7.1K Jul 26 04:22 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.signed
 -rw-r--r-- 1 bind adm  15K Jul 26 04:10 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.signed.jnl
 -rw-r--r-- 1 bind adm  459 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/ZSK_Kintranet1.tamay-dogan.net.+005+28905.key
 -rw------- 1 bind adm 1010 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/ZSK_Kintranet1.tamay-dogan.net.+005+28905.private
 -rw-r--r-- 1 bind adm  459 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/ZSK_Kintranet2.tamay-dogan.net.+005+36762.key
 -rw------- 1 bind adm 1010 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/ZSK_Kintranet2.tamay-dogan.net.+005+36762.private
 -rw-r--r-- 1 bind adm  439 Jul  3 17:10 /etc/bind/master/net/tamay-dogan/ZSK_Ktamay-dogan.net.+005+30945.key
 -rw------- 1 bind adm 1010 Jul  3 17:10 /etc/bind/master/net/tamay-dogan/ZSK_Ktamay-dogan.net.+005+30945.private
 
 If I am right, this looks right.

No. It looks completely wrong.  Someone/something has re-named the K* files.
As the K* files have been renamed named can't find them.
 
Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: auto-dnssec maintain stoped working again...

2011-10-03 Thread Michelle Konzack
Hello Mark Andrews,

On 2011-10-03 20:16:33, you hacked down the following:
 No. It looks completely wrong.  Someone/something has re-named the K* files.
 As the K* files have been renamed named can't find them.

No, they are found correctly.

Here is an extract (non-relevant data stripped):

[ command 'scp dns1.tamay-dogan.net:/etc/bind/master/net/tamay-dogan/net.tamay-dogan /dev/stdout' ]--
@                           3600 IN SOA dns1.tamay-dogan.net. hostmaster.tamay-dogan.net. ( 1317572159 14400 3600 604800 86400 )

                            IN NS       dns1.tamay-dogan.net.
                            IN NS       dns2.tamay-dogan.net.
                            IN NS       dns3.tamay-dogan.net.

                            IN MX       10 mail.tamay-dogan.net.
                            IN MX       20 vserver04.tamay-dogan.net.

tamay-dogan.net.            IN TXT      v=spf1 a mx ~all
mail.tamay-dogan.net.       IN A        78.47.247.21

dns1.tamay-dogan.net.       IN A        78.47.104.44
dns2.tamay-dogan.net.       IN A        217.147.94.23
dns3.tamay-dogan.net.       IN A        78.47.247.21

stripped

webmail.tamay-dogan.net.    IN CNAME    mail.tamay-dogan.net.

$include /etc/bind/master/net/tamay-dogan/ZSK_Ktamay-dogan.net.+005+56865.key
$include /etc/bind/master/net/tamay-dogan/KSK_Ktamay-dogan.net.+005+37663.key


[ command 'scp dns1.tamay-dogan.net:/etc/bind/master/net/tamay-dogan/net.tamay-dogan.signed /dev/stdout' ]--
; File written on Sun Oct  2 18:16:03 2011
; dnssec_signzone version 9.7.3
tamay-dogan.net. 3600 IN SOA dns1.tamay-dogan.net. hostmaster.tamay-dogan.net. (
                1317572159 ; serial
                14400      ; refresh (4 hours)
                3600       ; retry (1 hour)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
        3600 RRSIG SOA 5 2 3600 2001151603 (
                20111002151603 56865 tamay-dogan.net.
qxXVBhJU0DWLyKpCwIMlAU+El+UAWMDkK8bH
3HiY/2x8MYvJ2jBp/nb0IH5Z+/oLx+m6epR7
M1O4WJUc0CxCn56hRA1IcZGJ9SRkj5/9smvd
yNDtnsUaEWQUUF/Q+J3nGL+sNhnTdiQqELAX
Esc4mw+gfL/g31hbzJ0N7yU9b9Y= )
        3600 NS dns1.tamay-dogan.net.
        3600 NS dns2.tamay-dogan.net.
        3600 NS dns3.tamay-dogan.net.
        3600 RRSIG NS 5 2 3600 2001151603 (
                20111002151603 56865 tamay-dogan.net.
CWpYvXSTQnGdksDH2mVqaTyPfrIfbp2PKx1b
+RAQFF3Q2FJlrjjiZwb/TxOqOzY03spGISBU
99055hyEEyLbnryOdvGMqEAED2vB+i21n51h
nxtZojsQYGPOsNfiYtS+bTtVDS2kxQUNJFs3
WwaB4MHD44wkx1j9puYrTp6STMQ= )
        3600 MX 10 mail.tamay-dogan.net.
        3600 MX 20 vserver04.tamay-dogan.net.
        3600 RRSIG MX 5 2 3600 2001151603 (
                20111002151603 56865 tamay-dogan.net.
dk79clA+U5osuw2bDZMhtA4dS8NNAEibYWl8
7MVisx1xu+4A3Z6liKuU3uzOs/v5iaRE3Mdy
gwTKiPBAuYKV1cxtaHy4vDwRneMhGQRZHWdB
wYHVkLFjG7brlFXxQM4N+kUCvehHA8BnjnYb
mnb+KVm5sMu458fhUo1qZyA3VZs= )
        3600 TXT v=spf1 a mx ~all
        3600 RRSIG TXT 5 2 3600 2001151603 (
                20111002151603 56865 tamay-dogan.net.
ZxSqPLqZzhZmQH2Q29cjvMkMIBl6MRXWHsjj
56J9FmjkegFUcr7R+QkODjQkhdRcbbUH0eTk
Gh0Fs206xdokab783yF0UCtkEn+OMWtcuSKa
BnfbBY0I1BjXD8eBdl839iK+OJVDObcPvH+M
3eYTGKbZ4qAHXnyzySdHLcRLR6s= )
        86400 NSEC admin.tamay-dogan.net. NS SOA MX TXT RRSIG NSEC DNSKEY
        86400 RRSIG NSEC 5 2 86400 2001151603 (
                20111002151603 56865 tamay-dogan.net.
bAMAXp2mj81LGqqZHqRD4llwnJc3ZA7cOrYM

Re: auto-dnssec maintain stoped working again...

2011-10-03 Thread Alan Clegg
On 10/3/2011 6:25 AM, Michelle Konzack wrote:
 Hello Mark Andrews,
 
 On 2011-10-03 20:16:33, you hacked down the following:
 No. It looks completely wrong.  Someone/something has re-named the K* files.
 As the K* files have been renamed named can't find them.
 
 No, they are found correctly.

For the first signing, yes.  For the other signings, no.

Once the zones are signed, the $INCLUDE is not relevant.

The files must remain in the format Kzone.+alg+id.key/private or the
BIND executable (the thing dealing with auto-dnssec maintain) can't
find them.

AlanC




Re: auto-dnssec maintain stoped working again...

2011-10-03 Thread Mark Andrews

In message 20111003132508.GL11782@michelle1, Michelle Konzack writes:
 Hello Mark Andrews,
 
 On 2011-10-03 20:16:33, you hacked down the following:
  No. It looks completely wrong.  Someone/something has re-named the K* files.
  As the K* files have been renamed named can't find them.
 
 No, they are found correctly.

Named is looking for Kdomain+alg+keyid.{private,key}.  You
have changed the names of these files and as a result named cannot
find them.

Change the file names back to what they were originally.  With
auto-dnssec named will add the contents of the K*.key files to the
zone automatically based on the times set on the keys so you do not
need to $INCLUDE them.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
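
The naming rule stated in the replies above, turned into a check; this is an added example and not part of the thread. The helper names `key_name_ok`, `audit_key_dir` and `make_sample_dir` are hypothetical, the sample directory is constructed, and the three-digit algorithm and five-digit key id widths follow the `Kexample.com.+005+12345.key` form quoted in the thread.

```shell
# Added example (not from the thread). key_name_ok ZONE FILE succeeds if FILE
# is named K<zone>.+<alg>+<keyid>.key or .private.
key_name_ok() {
    k_zone=${1%.}; k_base=${2##*/}
    k_rest=${k_base#"K$k_zone.+"}
    [ "$k_rest" != "$k_base" ] || return 1   # "K<zone>.+" prefix missing
    case $k_rest in
        [0-9][0-9][0-9]+[0-9][0-9][0-9][0-9][0-9].key) return 0 ;;
        [0-9][0-9][0-9]+[0-9][0-9][0-9][0-9][0-9].private) return 0 ;;
    esac
    return 1
}

# audit_key_dir ZONE DIR: one status line per key file belonging to ZONE;
# returns 1 if any is misnamed, malformed, or lacks its .key/.private twin.
audit_key_dir() {
    a_zone=${1%.}; a_bad=0
    for a_path in "$2"/*; do
        a_base=${a_path##*/}
        case $a_base in
            *"K$a_zone.+"*.key|*"K$a_zone.+"*.private) ;;
            *) continue ;;                    # not a key file for ZONE
        esac
        a_tail=${a_base#*"K$a_zone.+"}
        a_want="K$a_zone.+$a_tail"            # name that would be searched for
        if ! key_name_ok "$a_zone" "$a_want"; then
            echo "INVALID $a_base"; a_bad=1
        elif [ "$a_want" != "$a_base" ]; then
            echo "MISNAMED $a_base -> $a_want"; a_bad=1
        elif [ -f "${a_path%.*}.key" ] && [ -f "${a_path%.*}.private" ]; then
            echo "OK $a_base"
        else
            echo "UNPAIRED $a_base"; a_bad=1
        fi
    done
    return "$a_bad"
}

# make_sample_dir: constructed directory modelled on the listing in the thread.
make_sample_dir() {
    s_dir=$(mktemp -d) || return 1
    for s_name in ZSK_Ktamay-dogan.net.+005+30945 Kintranet1.tamay-dogan.net.+005+28905; do
        : > "$s_dir/$s_name.key"; : > "$s_dir/$s_name.private"
    done
    echo "$s_dir"
}

sample=$(make_sample_dir)
audit_key_dir tamay-dogan.net "$sample" || echo "rename the files listed as MISNAMED"
rm -rf "$sample"
```

Run against a real key directory, every `MISNAMED` line gives the file name that the replies say named expects.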


Re: auto-dnssec maintain stoped working again...

2011-10-02 Thread Michelle Konzack
Hello Hauke Lampe,

On 2011-10-01 02:02:56, you hacked down the following:
 Do you mean expired signatures or no signatures at all?

I have expired signatures...

 In the latter case, have you checked that the zone's keys are readable
 by named and still active?

Ehm yes

root@dns1 /etc/bind # ls -Al /etc/bind/master/net/tamay-dogan/*tamay-dogan*
-rw-r--r-- 1 bind adm  502 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/KSK_Kintranet1.tamay-dogan.net.+005+12154.key
-rw------- 1 bind adm 1.2K Oct  2 18:01 /etc/bind/master/net/tamay-dogan/KSK_Kintranet1.tamay-dogan.net.+005+12154.private
-rw-r--r-- 1 bind adm  502 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/KSK_Kintranet2.tamay-dogan.net.+005+45271.key
-rw------- 1 bind adm 1.2K Oct  2 18:01 /etc/bind/master/net/tamay-dogan/KSK_Kintranet2.tamay-dogan.net.+005+45271.private
-rw-rw-r-- 1 bind adm 2.2K Jul  3 17:10 /etc/bind/master/net/tamay-dogan/net.tamay-dogan
-rw-rw-r-- 1 bind adm  249 Jun 17 22:33 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.conf
-rw-r--r-- 1 bind adm  256 Jul  3 17:10 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.conf.signed
-rw-rw-r-- 1 bind adm 1.1K Oct  2 18:01 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet1
-rw-rw-r-- 1 bind adm  238 Oct  2 17:59 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet1.conf
-rw-r--r-- 1 bind adm  245 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet1.conf.signed
-rw-r--r-- 1 bind adm  13K Oct  2 18:01 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet1.signed
-rw-rw-r-- 1 bind adm  798 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet2
-rw-rw-r-- 1 bind adm  238 Oct  2 17:59 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet2.conf
-rw-r--r-- 1 bind adm  245 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet2.conf.signed
-rw-r--r-- 1 bind adm 8.2K Oct  2 18:01 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet2.signed
-rw-r--r-- 1 bind adm 7.1K Jul 26 04:22 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.signed
-rw-r--r-- 1 bind adm  15K Jul 26 04:10 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.signed.jnl
-rw-r--r-- 1 bind adm  459 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/ZSK_Kintranet1.tamay-dogan.net.+005+28905.key
-rw------- 1 bind adm 1010 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/ZSK_Kintranet1.tamay-dogan.net.+005+28905.private
-rw-r--r-- 1 bind adm  459 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/ZSK_Kintranet2.tamay-dogan.net.+005+36762.key
-rw------- 1 bind adm 1010 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/ZSK_Kintranet2.tamay-dogan.net.+005+36762.private
-rw-r--r-- 1 bind adm  439 Jul  3 17:10 /etc/bind/master/net/tamay-dogan/ZSK_Ktamay-dogan.net.+005+30945.key
-rw------- 1 bind adm 1010 Jul  3 17:10 /etc/bind/master/net/tamay-dogan/ZSK_Ktamay-dogan.net.+005+30945.private

If I am right, this looks right.

 Try dnssec-settime -p all /path/to/keys/Kexample.com.+005+12345.key and
 look for Activate: and Inactive:

root@dns1 /etc/bind # dnssec-settime -p all /etc/bind/master/net/tamay-dogan/KSK_Ktamay-dogan.net.+005+12268.key
Created: Sun Jul  3 17:10:49 2011
Publish: Sun Jul  3 17:10:49 2011
Activate: Sun Jul  3 17:10:49 2011
Revoke: UNSET
Inactive: UNSET
Delete: UNSET

seems not very good...

root@dns1 /etc/bind # dnssec-settime -p all /etc/bind/master/net/tamay-dogan/KSK_Kintranet1.tamay-dogan.net.+005+12154.key
Created: Sun Oct  2 18:01:29 2011
Publish: Sun Oct  2 18:01:29 2011
Activate: Sun Oct  2 18:01:29 2011
Revoke: UNSET
Inactive: UNSET
Delete: UNSET
root@dns1 /etc/bind # dnssec-settime -p all /etc/bind/master/net/tamay-dogan/KSK_Kintranet2.tamay-dogan.net.+005+45271.key
Created: Sun Oct  2 18:01:34 2011
Publish: Sun Oct  2 18:01:34 2011
Activate: Sun Oct  2 18:01:34 2011
Revoke: UNSET
Inactive: UNSET
Delete: UNSET

I have added these two today...

 There have been a few bugfixes to automatic signing between 9.7.3 and
 9.8. Maybe you hit one of those bugs.

Hmmm, I will ask the Debian Maintainers...

 Hauke.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

-- 
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems@tdnet
Owner Michelle Konzack
Tel: +49-176-86004575 office
Gewerbe Straße 3    Tel: +49-177-9351947  mobil
77694 Kehl/Germany  Tel: +33-6-61925193   mobil (France)

http://www.itsystems.tamay-dogan.net/  http://www.flexray4linux.org/
http://www.debian.tamay-dogan.net/ http://www.can4linux.org/

Jabber linux4miche...@jabber.ccc.de
ICQ#328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/


auto-dnssec maintain stoped working again...

2011-09-30 Thread Michelle Konzack
Good evening*,

I run my three NS with DNSSEC and now I have encountered that it has
stopped maintaining the Zone since September and has not changed to
October.  It was working for 4 months only.

I have no error messages in my logs.

Any hints why this happens from time to time?

I use bind 9.7.3 from the Debian GNU/Linux Distribution 6.0.2 (Squeeze).

Thanks, Greetings and nice Day/Evening
Michelle Konzack

-- 
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems@tdnet
Owner Michelle Konzack
Tel office: +49-176-86004575
Gewerbe Strasse 3   Tel mobil:  +49-177-9351947
77694 Kehl/Germany  Tel mobil:  +33-6-61925193  (France)

http://www.itsystems.tamay-dogan.net/
http://www.debian.tamay-dogan.net/

Jabber linux4miche...@jabber.ccc.de

Linux-User #280138 with the Linux Counter, http://counter.li.org/



Re: auto-dnssec maintain stoped working again...

2011-09-30 Thread Hauke Lampe
On 01.10.2011 00:09, Michelle Konzack wrote:

 I run my three NS with DNSSEC and now I have encountered that it has
 stopped maintaining the Zone since September and has not changed to
 October.

Do you mean expired signatures or no signatures at all?
In the latter case, have you checked that the zone's keys are readable
by named and still active?

Try dnssec-settime -p all /path/to/keys/Kexample.com.+005+12345.key and
look for Activate: and Inactive:

There have been a few bugfixes to automatic signing between 9.7.3 and
9.8. Maybe you hit one of those bugs.


Hauke.


