Running BIND 9.9.1, 9.9.0 or 9.7.6 on AIX 5.2, we are experiencing intermittent 
failures signing zones, both with named and with dnssec-signzone.

We first noticed the problem when BIND 9.9.1's inline signing resulted in zones 
with missing RRSIGs.

When we turned off "auto-dnssec maintain" & "inline signing yes" for those 
zones and attempted to sign them with dnssec-signzone, most of the small zones 
were signed successfully, but the large zones failed with "Missing RSASHA1 
signature" verification messages (using dnssec-signzone's -a option).

Adding "-v 2" to the command seemed to suggest that the "missing" signatures 
actually were being generated and verified, though dnssec-signzone still failed.

Immediately attempting again to sign the zone with the same dnssec-signzone 
command results in a different error message:

    "dnssec-signzone: fatal: No self-signed KSK DNSKEY found.  Supply an
    active key with the KSK flag set, or use '-P'."

Oddly, this error message is preceded by dnssec-signzone writing to the 
terminal that it has successfully fetched the KSK along with an active and a 
standby ZSK (using dnssec-signzone's -S option).

We have ruled out memory and disk space limitations. We suspected a lack of 
entropy, since the errors changed each time we ran the dnssec-signzone command, 
so we tried using both dnssec-signzone's -p option and "-r /dev/urandom", to no 
avail.

The problem seems to have arisen spontaneously, after years of successful 
DNSSEC and months of successful BIND 9.9. We can identify no changes to the 
system except the upgrade (about four days before the first occurrence of the 
problem) to 9.9.1 -- but reverting to 9.9.0 and even 9.7.6 does not correct the 
problem.

Do you have any ideas about what the source of the problem might be or how to 
go about troubleshooting further?
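A defender-side check for the symptom described above, added here as an example (it is not code from this thread or from BIND): it lists RRsets in a signed zone that lack an RRSIG for each algorithm in the apex DNSKEY RRset, which is the per-algorithm coverage rule behind a "Missing RSASHA1 signature" verification failure. It assumes a simplified zone file with one record per line and fully qualified owner names; the sample zone is constructed and its key and signature data are placeholders.

```python
"""Report RRsets lacking an RRSIG for every DNSKEY algorithm in the zone.

Added example, not from the bind-users thread. Input is a simplified zone in
presentation format: one record per line, fully qualified owners, class IN.
"""
from collections import defaultdict


def parse_zone(zone_text):
    """Yield (owner, rtype, rdata_fields) per record, dropping ';' comments."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()  # owner ttl class type rdata...
        yield fields[0].lower(), fields[3].upper(), fields[4:]


def find_missing_rrsigs(zone_text):
    """Return sorted (owner, type, algorithm) triples with no covering RRSIG.

    RFC 4035 section 2.2: each RRset needs an RRSIG for every algorithm present
    in the apex DNSKEY RRset. Unsigned delegation data is not special-cased.
    """
    rrsets = set()
    sigs = defaultdict(set)  # (owner, covered type) -> {algorithm}
    key_algs = set()
    for owner, rtype, rdata in parse_zone(zone_text):
        if rtype == "RRSIG":
            # RRSIG rdata: type_covered algorithm labels orig_ttl ...
            sigs[(owner, rdata[0].upper())].add(int(rdata[1]))
            continue
        if rtype == "DNSKEY":
            key_algs.add(int(rdata[2]))  # DNSKEY rdata: flags protocol algorithm
        rrsets.add((owner, rtype))
    return sorted((o, t, a) for (o, t) in rrsets for a in key_algs
                  if a not in sigs.get((o, t), set()))


SAMPLE_ZONE = """\
; constructed sample zone; key and signature fields are placeholders
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 5 2 3600 20120701000000 20120601000000 12345 example.com. SIGDATA
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 5 2 3600 20120701000000 20120601000000 12345 example.com. SIGDATA
example.com. 3600 IN DNSKEY 257 3 5 KSKDATA
example.com. 3600 IN DNSKEY 256 3 5 ZSKDATA
example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20120701000000 20120601000000 54321 example.com. SIGDATA
www.example.com. 3600 IN A 192.0.2.1
"""

if __name__ == "__main__":
    for owner, rtype, alg in find_missing_rrsigs(SAMPLE_ZONE):
        print(f"missing RRSIG: {owner} {rtype} (algorithm {alg})")
```

Running it against a real signed zone file exported with one record per line (for example from a `dig axfr` dump) points at exactly which RRsets the signer skipped, rather than only the zone-wide verification failure dnssec-signzone reports.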


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users