Hi,

I think you should use file "dynamic/db.<zone-name>.signed"; instead. On Red Hat /var/named is by default read-only to named. It is enforced both by unix permissions and SELinux policy. I think you are being blocked by SELinux.

Try

    sudo ausearch -i -ts recent -m avc -m user_avc -m selinux_err

It may show you some errors that are named related. For dynamic updates, directory /var/named/dynamic is prepared. Signature maintenance is processed like dynamic updates to the zone, so write access to the zone file and its .jnl is required. You can enable writes there; check https://bugzilla.redhat.com/show_bug.cgi?id=545128

Regards,
Petr

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: 65C6C973

----- Original Message -----
From: "Latitude" <arlendelcasti...@gmail.com>
To: bind-users@lists.isc.org
Sent: Wednesday, June 14, 2017 11:11:05 PM
Subject: Re: Automatic RRSIG Refresh in BIND 9.8.2

Thanks for your reply Tony. Great references. I've got the ARM for 9.8.2 handy, but thank you for sending the link to your article and pointing me to Section 4.9.3 Fully Automatic Signing. It's been helpful to confirm that zone RRSIGs can refresh automatically.

A zone that was signed with a sig-validity period to be refreshed every 7 days is not being refreshed and I'm trying to troubleshoot. I've given the zone statement the *auto-dnssec maintain;* and *update-policy local;* statements as described, and I'm getting the error below repeatedly in my /var/log/messages feed:

    info: zone <zone name>/IN: reconfiguring zone keys <zone name>.jnl: create: permission denied
    named[5952]: 14-Jun-2017 20:38:08.640 general: error: zone <zone name>/IN: zone_rekey:dns_journal_open -> unexpected error

The user *named* has rwx permissions on the directory containing the source zone file and the DNSSEC-signed zone file <zone-name>.signed. This installation is BIND chrooted, so the absolute path is */var/named/chroot/var/named/*. Is BIND trying to create the .jnl file in this directory (*/var/named/chroot/var/named/*) and failing to do so?

If so, I don't see why it's having an issue, because user:group ownership of the /var/named/chroot/var/named directory is named:named and permissions are set to 750 on it. I believe this could be the clue to why my zone RRSIG isn't being refreshed. A lot of Google searching for this error hasn't yielded anything to help my situation either. Thank you in advance for any input.

Below are my named.conf and zone statement file excerpts for reference:

named.conf file DNSSEC options:

    // DNSSEC options
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    sig-validity-interval 7 2;          //RRSIG validity period, BIND 9 ARM, Chapter 6
    key-directory "/etc/keys/dnssec";   //Directory containing all DNSSEC keys

    //Zone statement
    zone "<zone-name>" {
        type master;
        update-policy local;
        file "db.<zone-name>.signed";
        auto-dnssec maintain;
        allow-query { any; };
        allow-transfer { xfers; };
    };

--
View this message in context: http://bind-users-forum.2342410.n4.nabble.com/Automatic-RRSIG-Refresh-in-BIND-9-8-2-tp3946p3948.html
Sent from the Bind-Users forum mailing list archive at Nabble.com.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
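The checks Petr suggests above (can the service user write where the journal will be created, what SELinux label that directory carries, and whether auditd has recorded AVC denials for named), gathered into one diagnostic script. This is an added example, not code from either post in the thread. It assumes BIND runs as the user "named" (overridable as the third argument), that named writes the journal beside the zone file as <file>.jnl (BIND's default when no journal option is set), and that the policy types named_zone_t (/var/named, read-only) and named_cache_t (/var/named/dynamic, writable) and the boolean named_write_master_zones are present as on Red Hat systems; the function and variable names are mine. For a chrooted install, pass the chroot-prefixed directory as seen from the host, e.g. /var/named/chroot/var/named.

```shell
#!/bin/sh
# Diagnose "<zone>.jnl: create: permission denied" from named's auto-dnssec
# maintenance. Added example; assumptions: service user "named", journal is
# "<zonefile>.jnl" in the zone file's directory, Red Hat-style SELinux policy.

# journal_path DIR FILE -> path where named will create the zone's journal.
# FILE may be absolute, or relative to DIR (named's "directory" option,
# prefixed with the chroot path when BIND is chrooted).
journal_path() {
    dir=$1; file=$2
    case $file in
        /*) printf '%s.jnl\n' "$file" ;;
        *)  printf '%s/%s.jnl\n' "${dir%/}" "$file" ;;
    esac
}

# in_dynamic_dir PATH -> 0 if PATH lives under a "dynamic" directory, the one
# Red Hat's policy labels named_cache_t (writable by named), else 1.
in_dynamic_dir() {
    case $1 in
        */dynamic/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# diagnose DIR FILE [USER]: run the live checks on this host.
diagnose() {
    dir=$1; file=$2; user=${3:-named}
    jnl=$(journal_path "$dir" "$file")
    jdir=$(dirname "$jnl")
    echo "journal would be created at: $jnl"

    # 1. Plain UNIX permissions, evaluated as the service user, not as root.
    if sudo -u "$user" test -w "$jdir"; then
        echo "unix perms: $user can write $jdir"
    else
        echo "unix perms: $user CANNOT write $jdir (check owner and mode)"
    fi

    # 2. SELinux: mode, directory label, and the boolean that permits writes
    #    to named_zone_t directories (/var/named itself).
    if command -v getenforce >/dev/null 2>&1; then
        echo "selinux mode: $(getenforce)"
        ls -dZ "$jdir"
        getsebool named_write_master_zones 2>/dev/null
        if in_dynamic_dir "$jnl"; then
            echo "zone file is under dynamic/: label should already permit writes"
        else
            echo "zone file is not under dynamic/: either move it there and set"
            echo "  file \"dynamic/$(basename "$file")\"; in named.conf, or allow"
            echo "  writes in place with: setsebool -P named_write_master_zones on"
        fi
    fi

    # 3. Recent AVC denials whose comm is "named" (ausearch exits 1 on no match).
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -i -ts recent -m avc -m user_avc -m selinux_err -c named 2>/dev/null \
            || echo "no recent AVC denials recorded for named"
    fi
}

# Only run the live checks when invoked with arguments; the helper functions
# above are usable (and testable) without root or SELinux.
if [ "$#" -ge 2 ]; then
    diagnose "$@"
fi
```

Run it as `sudo sh jnl-diag.sh /var/named/chroot/var/named db.<zone-name>.signed`. The journal path is derived with the same rule named uses, so the first line of output tells you exactly which directory the permission and label checks apply to; an "unix perms: can write" result combined with an AVC denial from step 3 confirms Petr's SELinux diagnosis rather than a mode-bit problem.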