Are you running chrooted? Did you make the keys visible in the chroot area?
> On 25 Feb 2018, at 2:37 am, Prof. Dr. Michael Schefczyk <mich...@schefczyk.net> wrote:
>
> Dear All,
>
> For a long time already, I am using a bind master DNS server based on Debian, set up via webmin. It is currently Debian Stretch with bind 9.10. I am using DNSSEC.
>
> The webmin setup leads to all keys being stored in /var/lib/bind. The naming scheme is K[fqdn]+number+keyid.key or .private. There is one key-signing key and one zone-signing key for each fqdn. Resigning works via a perl script / cronjob shipped by webmin.
>
> To be able to generate future letsencrypt wildcard certificates, I would like to implant acme challenges as TXT records via DNS. Using nsupdate, the dnssec signing becomes troublesome. The error message in update_debug.log is:
>
> Date/Time info: client IP#36210/key nsupdate: updating zone 'fqdn/IN': adding an RR at '_acme-challenge.fqdn' TXT "..."
> Date/Time error: client IP#36210/key nsupdate: updating zone 'fqdn/IN': found no active private keys, unable to generate any signatures
> Date/Time error: client IP#36210/key nsupdate: updating zone 'fqdn/IN': RRSIG/NSEC/NSEC3 update failed: not found
>
> Looking further, bind.log shows:
>
> Date/Time general: warning: dns_dnssec_findzonekeys2: error reading private key file fqdn/ECDSAP384SHA384/41844: file not found
> Date/Time general: warning: dns_dnssec_findzonekeys2: error reading private key file fqdn/ECDSAP384SHA384/55203: file not found
>
> The numbers 41844 and 55203 are the very key IDs for which keys do exist in the traditional K... format in /var/lib/bind. Of course, /var/lib/bind is also set as the key directory. The keys are certainly readable without permissions problems. The error does not go away even if you make them 777.
>
> Please inform me what the issue is and what to do. Is there a change in the key naming scheme? What would the new names look like? I can certainly create one directory per fqdn under /var/lib/bind/ and then one subdirectory ECDSAP384SHA384, but what would be the (two?) files in 41844 and 55203? Is there a way to convert?
>
> Thank you very much for your efforts!
>
> Michael Schefczyk
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
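An added check, written for this page and not part of either message in the thread, that turns the bind.log warnings quoted above into the key file names named is looking for and tests whether each one is visible from named's point of view. It assumes the dnssec-keygen naming scheme K<zone>.+<alg>+<keyid>.private (three-digit algorithm number, five-digit key id; ECDSAP384SHA384 is algorithm 14) and that a named started with -t <dir> resolves its key-directory inside that chroot, so the file has to exist at <chroot>/<key-directory>/K.... The zone example.net, the log lines and the temporary directories are constructed for the demo; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): map bind.log warnings of the form
#   dns_dnssec_findzonekeys2: error reading private key file <zone>/<ALG>/<keyid>: file not found
# to the K<zone>.+<alg>+<keyid>.private file named wants, and check whether that
# file is visible under the chroot prefix named actually runs in.

# Map a DNSSEC algorithm mnemonic to the 3-digit number used in key file names.
alg_number() {
  case "$1" in
    RSASHA1)          echo 005 ;;
    NSEC3RSASHA1)     echo 007 ;;
    RSASHA256)        echo 008 ;;
    RSASHA512)        echo 010 ;;
    ECDSAP256SHA256)  echo 013 ;;
    ECDSAP384SHA384)  echo 014 ;;
    ED25519)          echo 015 ;;
    ED448)            echo 016 ;;
    *)                return 1 ;;
  esac
}

# key_file_name ZONE ALG KEYID -> Kzone.+NNN+IIIII.private (dnssec-keygen naming)
key_file_name() {
  zone=${1%.}                         # tolerate a trailing dot on the zone name
  num=$(alg_number "$2") || return 1  # unknown mnemonic: refuse rather than guess
  printf 'K%s.+%s+%05d.private\n' "$zone" "$num" "$3"
}

# key_from_warning LINE -> key file name, or failure if LINE is not that warning
key_from_warning() {
  spec=$(printf '%s\n' "$1" | sed -n 's/.*error reading private key file \([^:]*\):.*/\1/p')
  [ -n "$spec" ] || return 1
  zone=${spec%%/*}                    # "zone/ALG/keyid" -> zone
  rest=${spec#*/}                     #                 -> "ALG/keyid"
  key_file_name "$zone" "${rest%%/*}" "${rest#*/}"
}

# check_keys LOGFILE KEYDIR [CHROOT]
# Prints "OK <path>" or "MISSING <path>" for every warning in LOGFILE and returns 1
# if anything is missing. KEYDIR is the key-directory from named.conf; CHROOT is the
# -t prefix when named is chrooted, because that is where named resolves KEYDIR.
check_keys() {
  log=$1; keydir=$2; jail=${3:-}
  rc=0
  while IFS= read -r line; do
    name=$(key_from_warning "$line") || continue
    path="$jail$keydir/$name"
    if [ -r "$path" ]; then
      echo "OK $path"
    else
      echo "MISSING $path"
      rc=1
    fi
  done < "$log"
  return $rc
}

# Demo on constructed input: both keys exist on the host, the chroot contains none.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/var/lib/bind" "$tmp/chroot/var/lib/bind"
  : > "$tmp/var/lib/bind/Kexample.net.+014+41844.private"
  : > "$tmp/var/lib/bind/Kexample.net.+014+55203.private"
  cat > "$tmp/bind.log" <<'EOF'
01-Mar-2018 10:00:00.000 general: warning: dns_dnssec_findzonekeys2: error reading private key file example.net/ECDSAP384SHA384/41844: file not found
01-Mar-2018 10:00:00.000 general: warning: dns_dnssec_findzonekeys2: error reading private key file example.net/ECDSAP384SHA384/55203: file not found
EOF
  echo "host view:"
  check_keys "$tmp/bind.log" "$tmp/var/lib/bind" || echo "(missing on host)"
  echo "chroot view:"
  check_keys "$tmp/bind.log" /var/lib/bind "$tmp/chroot" || echo "(missing inside chroot)"
  rm -rf "$tmp"
}
demo
```

The point of running it twice is the difference between the two views: a key that checks out on the host but is MISSING under the chroot prefix is exactly the situation Mark's question describes, and no chmod on the host copy will change what named sees. Once the files are in the right place, they should be readable by the uid named runs as and by nobody else; a world-writable private key is the one thing worse than an unreadable one.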