Hi,
you need to 'chown named' the keyfiles. The bind process is unable to read the
files belonging to root.
Regards
Volker
> On 03.08.2016 at 18:33, Andreas Meyer <[email protected]> wrote:
>
> Hello!
>
> Just subscribed to the list. I wanted to implement DNSSEC
> with bind but have no luck with this one.
>
> When named starts it says it can't read the private keys.
>
> dns_dnssec_keylistfromrdataset: error reading private key file
> bitcorner.de/RSASHA1/16938: file not found
> dns_dnssec_keylistfromrdataset: error reading private key file
> bitcorner.de/RSASHA1/20464: file not found
>
> The keyfolder looks like this:
>
> -rw-r--r-- 1 root root 433 3. Aug 17:32 Kbitcorner.de.+005+16938.key
> -rw------- 1 root root 1010 3. Aug 17:32 Kbitcorner.de.+005+16938.private
> -rw-r--r-- 1 root root 607 3. Aug 17:33 Kbitcorner.de.+005+20464.key
> -rw------- 1 root root 1774 3. Aug 17:33 Kbitcorner.de.+005+20464.private
> -rw-r--r-- 1 named named 728 3. Aug 17:39 managed-keys.bind
> -rw-r--r-- 1 named named 512 3. Aug 17:39 managed-keys.bind.jnl
>
> # ps aux |grep named
> named 1458 0.0 1.1 186264 23896 ? Ssl 17:38 0:00
> /usr/sbin/named -u named
>
> Signing of a domain fails:
>
> # dnssec-signzone -K /var/lib/named/keys -e +3024000 -N INCREMENT
> master/bitcorner.de.zone
> dnssec-signzone: fatal: No signing keys specified or found.
>
> I'm confused. Why does named look for a key bitcorner.de/RSASHA1/16938
> although it is named Kbitcorner.de.+005+16938.private?
>
> I took named out of the chroot but that changes nothing.
>
> Glad about every hint!
>
> Andreas
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> [email protected]
> https://lists.isc.org/mailman/listinfo/bind-users
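An added example, not part of either message: a Python check that maps each `K<zone>.+<alg>+<tag>.private` file name to the `zone/ALGORITHM/tag` identifier seen in the log lines above (algorithm 005 is RSASHA1) and reports whether a given uid can read the file under the owner/group/other mode bits. The function names and the stand-in uid are assumptions made for this example.

```python
import os
import re
import stat
import tempfile

# IANA DNSSEC algorithm numbers and the mnemonics named prints in its log
ALGS = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256",
        10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}
# K<zone>.+<3-digit algorithm>+<5-digit key tag>.private
KEYFILE = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.private$")

def can_read(st, uid, gids):
    """POSIX owner/group/other read check on a stat result (ACLs ignored)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def audit_keys(keydir, uid, gids):
    """Return (key id as logged, file name, finding) per private key file."""
    report = []
    for name in sorted(os.listdir(keydir)):
        m = KEYFILE.match(name)
        if not m:
            continue  # .key files, managed-keys.bind, journals
        alg = int(m["alg"])
        key_id = "%s/%s/%d" % (m["zone"], ALGS.get(alg, "ALG%d" % alg), int(m["tag"]))
        st = os.stat(os.path.join(keydir, name))
        if not can_read(st, uid, gids):
            finding = "unreadable"
        elif st.st_mode & stat.S_IROTH:
            finding = "world-readable"
        else:
            finding = "ok"
        report.append((key_id, name, finding))
    return report

if __name__ == "__main__":
    # Constructed sample: mode 0600 files named like the listing in the thread;
    # owner uid + 1 stands in for the uid of the account named runs as.
    with tempfile.TemporaryDirectory() as d:
        for tag in ("16938", "20464"):
            path = os.path.join(d, "Kbitcorner.de.+005+%s.private" % tag)
            open(path, "w").close()
            os.chmod(path, 0o600)
        owner = os.stat(path).st_uid
        for row in audit_keys(d, owner + 1, set()):
            print(*row)
```

On a real server, the uid and group IDs would come from `pwd.getpwnam("named")` and `os.getgrouplist()`, and the key directory itself also needs search permission for that account.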