In message <52528314.4010...@z74.net>, Maurice Janssen writes:
> Hi,
>
> I've set up a few domains with DNSSEC and ran into a problem. There's not
> much to be found (apart from a similar problem on this list:
> https://lists.isc.org/pipermail/bind-users/2013-January/089416.html)
> therefore I hope somebody here can help me out.
>
> I have a hidden master with a couple of zones, two public authoritative
> slave servers.
> The master runs Bind 9.9.2, the slaves run NSD. All systems are running
> OpenBSD 5.3-stable. I use "auto-dnssec maintain;" and "inline-signing
> yes;".
>
> I largely followed the instructions on
> https://kb.isc.org/article/AA-00711/0/In-line-Signing-With-NSEC3-in-BIND-9.9-A-Walk-through.html
> At first, everything seemed OK. The zones are signed and pass the test
> at dnsviz.net. Reloading a zone after changing the unsigned zone file
> works OK.
>
> The problem is that after some time Bind seems to lose track of the
> keys for most of the zones.
> At this moment, only one of the zones is OK:
>
> # rndc signing -list z74.nl
> Done signing with key 16845/RSASHA256
> Done signing with key 37936/RSASHA256
>
> All other zones report:
>
> # rndc signing -list z74.net
> No signing records found
The "signing" records show the progress of the initial signing of the zone. The only reason they are not removed automatically is so that the operator can know when the zone is fully signed, to start the timer for adding DS records to the parent zone. Named uses incremental signing, which can take some time with really large zones. With small zones it takes seconds.

These records are not required for named to continue to sign the zone. Named uses the RRSIG records combined with sig-validity-interval to work out what needs to be re-signed and when. It uses the DNSKEY records in the zone to look for the private keys.

As for why they are disappearing, I suspect that we are just failing to preserve them at some point, which is a minor bug that needs to be addressed. As long as the zone has completed signing, their removal shouldn't cause problems.

> I haven't figured out at which moment this happens (after restarting the
> system or Bind, after a zone reload or some other event or at random).
> There's no clue in the log file.
>
> The command "rndc loadkeys <zone>" doesn't help unfortunately. The only
> workaround I found so far is to stop bind, remove the signed zone files
> and journal files and start Bind (which is rather annoying, because you
> can easily end up with out-of-sync SOA records).
>
>
> BTW: The reason for not running 9.9.4 is that there is only a 9.9.2
> package available for OpenBSD 5.3. However, on a test system with
> OpenBSD -current and Bind 9.9.4 the problem persists.
>
> I hope somebody can give me a hint how to solve this.
>
> Thanks,
> Maurice Janssen
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
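The reply above makes the point that named decides what to re-sign from the RRSIG expiration times and sig-validity-interval, not from the "signing" records, so the thing worth monitoring on an inline-signed zone is whether signatures are actually being regenerated on time. The script below is an added example, not code from the thread or from ISC: it parses RRSIG records in the presentation format dig prints and classifies each as ok, due for re-signing, or expired. The record lines are constructed samples, and the validity model assumes BIND's documented defaults of a 30-day sig-validity-interval with re-signing when one quarter of that interval remains; adjust both if your named.conf sets different values.

```python
from datetime import datetime, timedelta, timezone

TIMESTAMP_FMT = "%Y%m%d%H%M%S"  # RRSIG expiration/inception presentation format

# Constructed sample RRSIG lines in dig's presentation format:
# owner TTL class RRSIG type-covered alg labels orig-ttl expiration inception keytag signer sig
# These are made-up records for illustration, not data from the thread.
SAMPLE_RRSIGS = """\
example.net. 3600 IN RRSIG SOA 8 2 3600 20131101120000 20131002120000 12345 example.net. AAAA...
example.net. 3600 IN RRSIG NS 8 2 3600 20131010120000 20130910120000 12345 example.net. BBBB...
www.example.net. 3600 IN RRSIG A 8 3 3600 20130930000000 20130831000000 54321 example.net. CCCC...
"""


def parse_timestamp(text):
    """Turn an RRSIG timestamp (YYYYMMDDHHMMSS, always UTC) into an aware datetime."""
    return datetime.strptime(text, TIMESTAMP_FMT).replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Parse one presentation-format RRSIG line into the fields needed for expiry checks."""
    fields = line.split()
    if len(fields) < 12 or fields[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": fields[0],
        "type_covered": fields[4],
        "expiration": parse_timestamp(fields[8]),
        "inception": parse_timestamp(fields[9]),
        "key_tag": int(fields[10]),
        "signer": fields[11],
    }


def check_signatures(text, now, validity=timedelta(days=30), resign_fraction=0.25):
    """Classify every RRSIG in `text` as 'ok', 'due' or 'expired' relative to `now`.

    `validity` and `resign_fraction` model sig-validity-interval: signatures are
    valid for `validity` and named regenerates them once `resign_fraction` of
    that interval remains (assumed BIND defaults: 30 days, one quarter).
    A 'due' signature that stays 'due' across several checks means the
    re-signing machinery is not running for that zone.
    """
    resign_window = validity * resign_fraction
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sig = parse_rrsig(line)
        remaining = sig["expiration"] - now
        if remaining <= timedelta(0):
            state = "expired"
        elif remaining <= resign_window:
            state = "due"
        else:
            state = "ok"
        results.append((sig["owner"], sig["type_covered"], sig["key_tag"], state, remaining))
    return results


def stale_signatures(text, now, **kwargs):
    """Return (owner, type) pairs whose signature named should already have replaced."""
    return [(owner, rtype)
            for owner, rtype, _tag, state, _left in check_signatures(text, now, **kwargs)
            if state != "ok"]


if __name__ == "__main__":
    # Pretend the check runs on 2013-10-03 12:00 UTC so the constructed sample is meaningful.
    now = parse_timestamp("20131003120000")
    for owner, rtype, tag, state, left in check_signatures(SAMPLE_RRSIGS, now):
        print("%-20s %-5s key %5d  %-7s  %s left" % (owner, rtype, tag, state, left))
```

In practice the input would come from `dig +dnssec` answers or from the signed zone file itself; anything reported as due or expired on a zone that named claims to be maintaining is the real indicator that key or signing state has been lost, regardless of what `rndc signing -list` shows.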