Re: [Freeipa-users] could not get zone keys for secure dynamic update

2016-02-23 Thread Winfried de Heiden

  
  
Hi all,

ipa-dns-install --dnssec-master --force did the trick, this is
looking much better. I'll do some more tests later. For now, thanks
a lot!

Winny

On 23-02-16 at 14:52, Petr Spacek wrote:
> On 23.2.2016 14:18, Winfried de Heiden wrote:
>> Hi all,
>>
>> And so did I, following
>> http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured:
>>
>> ipa-dns-install --dnssec-master
>>
>> The log file for this installation can be found in /var/log/ipaserver-install.log
>> ==
>> This program will setup DNS for the FreeIPA Server.
>>
>> This includes:
>>    * Configure DNS (bind)
>>    * Configure SoftHSM (required by DNSSEC)
>>    * Configure ipa-dnskeysyncd (required by DNSSEC)
>>    * Configure ipa-ods-exporter (required by DNSSEC key master)
>>    * Configure OpenDNSSEC (required by DNSSEC key master)
>>    * Generate DNSSEC master key (required by DNSSEC key master)
>>
>> NOTE: DNSSEC zone signing is not enabled by default
>>
>> Plan carefully, replacing DNSSEC key master is not recommended
>>
>>
>> To accept the default shown in brackets, press the Enter key.
>>
>> Do you want to setup this IPA server as DNSSEC key master? [no]: yes
>> DNSSEC signing is already enabled for following zone(s): example.com.
>> Installation cannot continue without the OpenDNSSEC database file from the
>> original DNSSEC master server.
>> Please use option --kasp-db to specify location of the kasp.db file copied from
>> the original DNSSEC master server.
>> WARNING: Zones will become unavailable if you do not provide the original
>> kasp.db file.
>>
>> However, it seems like I don't have a key, that was the problem in the first
>> place
>
> Right. This is a special case so you need to provide --force option to
> override the check and continue with installation.
>
> When you do that, please go through the Troubleshooting page again, hopefully
> it will help.
>
> Petr^2 Spacek
>
>> Anyway, trying to continue:
>>
>> bash-4.3$ ods-ksmutil zone list
>> zonelist filename set to /etc/opendnssec/zonelist.xml.
>> Cannot open destination file, will not make backup.
>> No zones in DB or zonelist.
>>
>> Indeed, the file /etc/opendnssec/zonelist.xml is the one installed by default,
>> only having the not-used example zones.
>>
>> Also, python2 /usr/lib/python2.*/site-packages/ipapython/dnssec/localhsm.py
>> does not show any zone private keys.
>>
>> It still looks like these are not created.
>>
>> So, it still looks like DNSSEC signing is enabled, but the key is not there.
>>
>> Winny
>>
>> On 22-02-16 at 16:31, Petr Spacek wrote:
>>> On 22.2.2016 14:02, Winfried de Heiden wrote:
>>>> Hi all,
>>>>
>>>> Following
>>>> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work
>>>> was most useful. It turned out the package "freeipa-server-dns" was missing.
>>>> Strange, I am running DNS, but...:
>>>>
>>>>    * I upgraded from Fedora 22 to 23 including upgrading from IPA 4.1 to 4.2.
>>>>    * Also: I'm running this on a Bananapi "server".
>>>>    * There's no slave.
>>>>
>>>> Anyway, ipa dnszone-show tells DNSSEC was enabled:
>>>>
>>>>  Allow in-line DNSSEC signing: TRUE
>>>>
>>>> but most likely due to the missing freeipa-server-dns it was missing
>>>> dependencies as well, for example the package opendnssec was missing.
>>>>
>>>> After installing freeipa-server-dns all packages seem to be in place, but the
>>>> kasp.db file is empty:
>>>>
>>>> [root@ipa ~]# ls -l /var/opendnssec/kasp.db
>>>> -rw-rw. 1 ods ods 0 Feb 22 11:29 /var/opendnssec/kasp.db
>>>>
>>>> No wonder I still get messages like "could not get zone keys".
>>>>
>>>> Shouldn't a key be added? How? (without blowing the current DNS)
>>>
>>> DNSSEC key master should do that automatically.
>>>
>>> Please continue with the next steps as described on
>>> http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured
>>> and we will see.
>>>
>>> Petr^2 Spacek
>>>
>>>> Winny
>>>>
>>>> On 22-02-16 at 11:10, Petr Spacek wrote:
>>>>> On 22.2.2016 09:36, Winfried de Heiden wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I get lots of messages in my log (journalctl -u named-pkcs11.service -p err)
>>>>>> like these:
>>>>>>
>>>>>> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>>>> (signed): could not get zone keys for secure dynamic update
>>>>>> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>>>> (signed): receive_secure_serial: not found
>>>>>> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>>>> (signed): could not get zone keys for secure dynamic update
>>>>>> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>>>> (signed): receive_secure_serial: not found
>>>>>> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>>>> (signed): could not get zone keys for secure dynamic update
>>>>>> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>>>> (signed): receive_secure_serial: not found
>>>>>>
>>>>>> What's going wrong here, how to fix it?
>>>>>
>>>>> Hello,
>>>>>
>>>>> this might have

Re: [Freeipa-users] could not get zone keys for secure dynamic update

2016-02-23 Thread Petr Spacek
On 23.2.2016 14:18, Winfried de Heiden wrote:
> Hi all,
> 
> And so did I, following 
> http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured:
> 
> ipa-dns-install --dnssec-master
> 
> The log file for this installation can be found in 
> /var/log/ipaserver-install.log
> ==
> This program will setup DNS for the FreeIPA Server.
> 
> This includes:
>* Configure DNS (bind)
>* Configure SoftHSM (required by DNSSEC)
>* Configure ipa-dnskeysyncd (required by DNSSEC)
>* Configure ipa-ods-exporter (required by DNSSEC key master)
>* Configure OpenDNSSEC (required by DNSSEC key master)
>* Generate DNSSEC master key (required by DNSSEC key master)
> 
> NOTE: DNSSEC zone signing is not enabled by default
> 
> Plan carefully, replacing DNSSEC key master is not recommended
> 
> 
> To accept the default shown in brackets, press the Enter key.
> 
> Do you want to setup this IPA server as DNSSEC key master? [no]: yes
> DNSSEC signing is already enabled for following zone(s): example.com.
> Installation cannot continue without the OpenDNSSEC database file from the 
> original DNSSEC master server.
> Please use option --kasp-db to specify location of the kasp.db file copied 
> from 
> the original DNSSEC master server.
> WARNING: Zones will become unavailable if you do not provide the original 
> kasp.db file.
> 
> However, it seems like I don't have a key, that was the problem in the first 
> place

Right. This is a special case so you need to provide --force option to
override the check and continue with installation.

When you do that, please go through the Troubleshooting page again, hopefully
it will help.

Petr^2 Spacek


> Anyway, trying to continue:
> 
> bash-4.3$ ods-ksmutil zone list
> zonelist filename set to /etc/opendnssec/zonelist.xml.
> Cannot open destination file, will not make backup.
> No zones in DB or zonelist.
> 
> Indeed, the file /etc/opendnssec/zonelist.xml is the one installed by default,
> only having the not-used example zones.
> 
> Also, python2 /usr/lib/python2.*/site-packages/ipapython/dnssec/localhsm.py
> does not show any zone private keys.
> 
> It still looks like these are not created.
> 
> So, it still looks like DNSSEC signing is enabled, but the key is not there.
> 
> Winny
> 
> Op 22-02-16 om 16:31 schreef Petr Spacek:
>> On 22.2.2016 14:02, Winfried de Heiden wrote:
>>> Hi all,
>>>
>>> Following
>>> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work
>>> was most useful. It turned out the package "freeipa-server-dns" was missing.
>>> Strange, I am running DNS, but...:
>>>
>>>    * I upgraded from Fedora 22 to 23 including upgrading from IPA 4.1 to 4.2.
>>>    * Also: I'm running this on a Bananapi "server".
>>>    * There's no slave.
>>>
>>>
>>> Anyway, ipa dnszone-show tells DNSSEC was enabled:
>>>
>>>
>>>  Allow in-line DNSSEC signing: TRUE
>>>
>>> but most likely due to the missing freeipa-server-dns it was missing
>>> dependencies as well, for example the package opendnssec was missing.
>>>
>>> After installing freeipa-server-dns all packages seem to be in place, but the
>>> kasp.db file is empty:
>>>
>>> [root@ipa ~]# ls -l /var/opendnssec/kasp.db
>>> -rw-rw. 1 ods ods 0 Feb 22 11:29 /var/opendnssec/kasp.db
>>>
>>> No wonder I still get messages like "could not get zone keys".
>>>
>>> Shouldn't a key be added? How? (without blowing the current DNS)
>> DNSSEC key master should do that automatically.
>>
>> Please continue with next steps as described on
>> http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured
>> and we will see.
>>
>> Petr^2 Spacek
>>
>>> Winny
>>>
>>>
>>> On 22-02-16 at 11:10, Petr Spacek wrote:
>>>> On 22.2.2016 09:36, Winfried de Heiden wrote:
>>>>> Hi all,
>>>>>
>>>>> I get lots of messages in my log (journalctl -u named-pkcs11.service -p err)
>>>>> like these:
>>>>>
>>>>> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>>> (signed): could not get zone keys for secure dynamic update
>>>>> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>>> (signed): receive_secure_serial: not found
>>>>> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>>> (signed): could not get zone keys for secure dynamic update
>>>>> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>>> (signed): receive_secure_serial: not found
>>>>> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>>> (signed): could not get zone keys for secure dynamic update
>>>>> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>>> (signed): receive_secure_serial: not found
>>>>>
>>>>> What's going wrong here, how to fix it?
>>>> Hello,
>>>>
>>>> this might have multiple reasons.
>>>>
>>>> Please walk step-by-step through the following page:

Re: [Freeipa-users] could not get zone keys for secure dynamic update

2016-02-22 Thread Petr Spacek
On 22.2.2016 14:02, Winfried de Heiden wrote:
> Hi all,
> 
> Following
> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work was
> most useful. It turned out the package "freeipa-server-dns" was missing.
> Strange, I am running DNS, but...:
> 
>   * I upgraded from Fedora 22 to 23 including upgrading from IPA 4.1 to 4.2.
>   * Also: I'm running this on a Bananapi "server".
>   * There's no slave.
> 
> 
> Anyway, ipa dnszone-show tells DNSSEC was enabled:
> 
> 
> Allow in-line DNSSEC signing: TRUE
> 
> but most likely due to the missing freeipa-server-dns it was missing 
> dependencies as well, for example the package opendnssec was missing.
> 
> After installing freeipa-server-dns all packages seem to be in place, but
> the 
> kasp.db file is empty:
> 
> [root@ipa ~]# ls -l /var/opendnssec/kasp.db
> -rw-rw. 1 ods ods 0 Feb 22 11:29 /var/opendnssec/kasp.db
> 
> No wonder I still get messages like "could not get zone keys".
> 
> Shouldn't a key be added? How? (without blowing the current DNS)

DNSSEC key master should do that automatically.

Please continue with next steps as described on
http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured
and we will see.

Petr^2 Spacek

> 
> Winny
> 
> 
> On 22-02-16 at 11:10, Petr Spacek wrote:
>> On 22.2.2016 09:36, Winfried de Heiden wrote:
>>> Hi all,
>>>
>>> I get lots of messages in my log (journalctl -u named-pkcs11.service -p err)
>>> like these:
>>>
>>> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>> (signed): could not get zone keys for secure dynamic update
>>> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>> (signed): receive_secure_serial: not found
>>> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>> (signed): could not get zone keys for secure dynamic update
>>> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>> (signed): receive_secure_serial: not found
>>> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>> (signed): could not get zone keys for secure dynamic update
>>> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>> (signed): receive_secure_serial: not found
>>>
>>> What's going wrong here, how to fix it?
>> Hello,
>>
>> this might have multiple reasons.
>>
>> Please walk step-by-step through the following page:
>> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work
>>
>> Additional questions:
>> * What version of FreeIPA and on what platform do you use?
>> * Is the zone signed on DNSSEC key master or on replica? Does it work on one
>> FreeIPA server but not on some other server?
>> * Did you change something lately?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] could not get zone keys for secure dynamic update

2016-02-22 Thread Winfried de Heiden

  
  
Hi all,

Following
http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work
was most useful. It turned out the package
"freeipa-server-dns" was missing. Strange, I am running DNS,
but...:

  * I upgraded from Fedora 22 to 23 including
    upgrading from IPA 4.1 to 4.2.
  * Also: I'm running this on a Bananapi
    "server".
  * There's no slave.

Anyway, ipa dnszone-show tells DNSSEC was enabled:

  Allow in-line DNSSEC signing: TRUE

but most likely due to the missing freeipa-server-dns
it was missing dependencies as well, for example the package
opendnssec was missing.

After installing freeipa-server-dns all packages seem to be in
place, but the kasp.db file is empty:

[root@ipa ~]# ls -l /var/opendnssec/kasp.db
-rw-rw. 1 ods ods 0 Feb 22 11:29 /var/opendnssec/kasp.db

No wonder I still get messages like "could not get zone keys".

Shouldn't a key be added? How? (without blowing the current
DNS)

Winny
  

On 22-02-16 at 11:10, Petr Spacek wrote:
> On 22.2.2016 09:36, Winfried de Heiden wrote:
>> Hi all,
>>
>> I get lots of messages in my log (journalctl -u named-pkcs11.service -p err)
>> like these:
>>
>> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>> (signed): could not get zone keys for secure dynamic update
>> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>> (signed): receive_secure_serial: not found
>> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>> (signed): could not get zone keys for secure dynamic update
>> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>> (signed): receive_secure_serial: not found
>> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>> (signed): could not get zone keys for secure dynamic update
>> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>> (signed): receive_secure_serial: not found
>>
>> What's going wrong here, how to fix it?
>
> Hello,
>
> this might have multiple reasons.
>
> Please walk step-by-step through the following page:
> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work
>
> Additional questions:
> * What version of FreeIPA and on what platform do you use?
> * Is the zone signed on DNSSEC key master or on replica? Does it work on one
> FreeIPA server but not on some other server?
> * Did you change something lately?


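The two symptoms Winfried reports in the message above (a zero-byte kasp.db and repeated "could not get zone keys" errors from named-pkcs11) can be checked with a small script. This is an added example, not code from the thread or from FreeIPA/OpenDNSSEC; the kasp.db path and log format are taken from the thread, and the sample journal lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: two triage checks for
# a FreeIPA DNSSEC key master showing the symptoms discussed in the thread.
# The default path and the log format come from the thread; samples are constructed.

# Check 1: OpenDNSSEC key store. A zero-byte kasp.db means no zone keys have
# ever been generated, which is exactly what "could not get zone keys" means.
# Prints ok / empty / missing; returns 0 only when the file has content.
kasp_db_state() {
    db="${1:-/var/opendnssec/kasp.db}"
    if [ ! -e "$db" ]; then echo missing; return 1; fi
    if [ ! -s "$db" ]; then echo empty; return 1; fi
    echo ok
}

# Check 2: read named-pkcs11 journal output on stdin (as produced by
# journalctl -u named-pkcs11.service -p err) and count the "could not get
# zone keys" errors per zone, so an affected zone stands out at a glance.
# Output: one "<zone> <count>" line per zone.
zone_key_errors() {
    grep 'could not get zone keys for secure dynamic update' \
    | sed -n 's/.*zone \([^ ]*\)\/IN (signed).*/\1/p' \
    | sort | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample, modelled on the journal lines quoted in the thread.
SAMPLE_LOG='Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update
Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): receive_secure_serial: not found
Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update
Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update'

# Stand-alone use: sh dnssec_triage.sh --run (checks the default kasp.db path
# and summarises the sample log; pipe real journalctl output for live use).
if [ "${1:-}" = "--run" ]; then
    echo "kasp.db: $(kasp_db_state)"
    printf '%s\n' "$SAMPLE_LOG" | zone_key_errors
fi
```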

Re: [Freeipa-users] could not get zone keys for secure dynamic update

2016-02-22 Thread Petr Spacek
On 22.2.2016 09:36, Winfried de Heiden wrote:
> Hi all,
> 
> I get lots of messages in my log (journalctl -u named-pkcs11.service -p err)
> like these:
> 
> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN 
> (signed): could not get zone keys for secure dynamic update
> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN 
> (signed): receive_secure_serial: not found
> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN 
> (signed): could not get zone keys for secure dynamic update
> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN 
> (signed): receive_secure_serial: not found
> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN 
> (signed): could not get zone keys for secure dynamic update
> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN 
> (signed): receive_secure_serial: not found
> 
> What's going wrong here, how to fix it?

Hello,

this might have multiple reasons.

Please walk step-by-step through the following page:
http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work

Additional questions:
* What version of FreeIPA and on what platform do you use?
* Is the zone signed on DNSSEC key master or on replica? Does it work on one
FreeIPA server but not on some other server?
* Did you change something lately?

-- 
Petr^2 Spacek
