Because you removed the key from disk before it was removed from the zone. Presumably named was logging other error messages before you removed the key from disk or the machine was off for a period or you mismanaged the key roll and named kept the key alive.

Named’s re-signing strategy is different to when you are signing the whole zone at once as you are signing it incrementally. You should be allowing most of the sig-validity interval before you delete the DNSKEY after you inactivate it. One should check that there are no RRSIGs still present in the zone before deleting the DNSKEY from the zone. Inactivating it stops the DNSKEY being used to generate new signatures but it needs to stay around until all those RRSIGs have expired from caches which only happens after new replacement signatures have been generated.

If you still have the .private file around reinstate it. If not you will need to import the DNSKEY using dnssec-importkey and manage its removal properly.

[beetle:~/git/bind9] marka% dig dnskey glattweb.ch +rrcomm
;; BADCOOKIE, retrying.

; <<>> DiG 9.15.0-dev+hotspot+add-prefetch+marka <<>> dnskey glattweb.ch +rrcomm
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64267
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 7b44693b86938f2bda7d25725c86082c5b24bafb90421a0a (good)
;; QUESTION SECTION:
;glattweb.ch. IN DNSKEY

;; ANSWER SECTION:
glattweb.ch. 300 IN DNSKEY 256 3 13 Y/m7vFPwhqc59OlfyJLnT66TNsHYMq4JvXN0hBChCD1UpanF/o18bLHh VVMMTK0iB4EeuIdbn1aWvdVeFmSgmg== ; ZSK; alg = ECDSAP256SHA256 ; key id = 12809
glattweb.ch. 300 IN DNSKEY 256 3 13 WqIsxqVPQxDwLqB/rv7u2sSx0R4ZgdHM6NexcDs3Z551rHar015v+jB6 HdnZQ/gMscxz6XzFwEc3+xAzsMx3QA== ; ZSK; alg = ECDSAP256SHA256 ; key id = 33518

;; Query time: 2454 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 11 18:03:08 AEDT 2019
;; MSG SIZE rcvd: 228

[beetle:~/git/bind9] marka%

> On 11 Mar 2019, at 6:00 pm, Philippe Maechler <pmaechler...@glattnet.ch> wrote:
>
> Hello List
>
> Today our bind server started with the following log contents:
> 11-Mar-2019 07:41:06.599 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.600 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.602 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.603 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.604 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.606 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.607 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.609 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.610 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.611 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.613 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.614 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.616 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.617 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.618 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.620 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.621 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.623 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.624 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.625 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.627 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.628 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.630 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.631 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.633 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.634 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.635 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
>
> This is a FreeBSD 11.2 with bind compiled from Ports
>
> # named -V
> BIND 9.11.5 (Extended Support Version) <id:3b0b204>
> running on FreeBSD amd64 11.2-RELEASE-p5 FreeBSD 11.2-RELEASE-p5 #0: Tue Nov 27 09:33:52 UTC 2018 r...@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC
> built by make with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--with-libxml2=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlopen=yes' '--with-gost=no' '--sysconfdir=/usr/local/etc/namedb' '--with-dlz-filesystem=yes' '--enable-dnstap' '--disable-filter-aaaa' '--disable-fixed-rrset' '--without-geoip' '--without-gssapi' '--with-libidn2=/usr/local' '--enable-ipv6' '--with-libjson=/usr/local' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--with-python=/usr/local/bin/python2.7' '--disable-querytrace' '--enable-rpz-nsdname' '--enable-rpz-nsip' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--with-openssl=/usr' '--enable-threads' '--with-tuning=default' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd11.2' 'build_alias=amd64-portbld-freebsd11.2' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -fstack-protector ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp'
> compiled by CLANG 4.2.1 Compatible FreeBSD Clang 6.0.0 (tags/RELEASE_600/final 326565)
> compiled with OpenSSL version: OpenSSL 1.0.2o-freebsd 27 Mar 2018
> linked to OpenSSL version: OpenSSL 1.0.2o-freebsd 27 Mar 2018
> compiled with libxml2 version: 2.9.7
> linked to libxml2 version: 20907
> compiled with libjson-c version: 0.13.1
> linked to libjson-c version: 0.13.1
> compiled with zlib version: 1.2.11
> linked to zlib version: 1.2.11
> threads support is enabled
>
> The zone in question has the following config:
> # rndc showzone glattweb.ch
> zone "glattweb.ch." {
>     type master;
>     file "/usr/local/etc/namedb/master/glattweb.ch.db";
>     allow-transfer { "xfer"; };
>     also-notify { 192.168.3.220; 192.168.3.221; 192.168.3.223; 192.168.3.224; };
>     auto-dnssec maintain;
>     dnssec-loadkeys-interval 60;
>     inline-signing yes;
>     key-directory "/usr/local/etc/namedb/keys/glattweb.ch";
>     masterfile-format text;
>     notify yes;
>     serial-update-method date;
> };
>
> The key in question (33518) had the following dates:
> Filename: Kglattweb.ch.+013+33518.key
> Key ID: 33518
> Publish 27.12.2018 07:45:22
> Activate 27.12.2018 07:45:22
> Inactive 10.02.2019 09:07:15
> Delete 14.02.2019 09:07:15
> SYNC Publish 27.12.2018 07:45:22
> SYNC Delete 14.02.2019 09:07:15
>
> And was deleted by me on 26 Feb 2019
>
> Questions:
> How can I stop named from logging the error message above?
> Why do I get that many messages in a second? The CPU usage on this host has been > 85% since then
> Why do I get the messages now, ~12 days after I deleted the key? (named was restarted several times in the time between)
> The key has a delete date of 14.02.2019 and the TTL is 3600, when should I delete this key file?
> I had the impression that after DELETE-DATE + TTL it’s safe to delete the key
>
> I’m upgrading this bind instance to the latest 9.11 version now to see if the error disappears, if not I hope to get an answer or solution, else I’ll upgrade to 9.12.x
>
> Best regards
> Philippe
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
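
Added example (not part of the original thread, and not ISC code): the check recommended in the reply above, that no RRSIGs made by the old key remain in the zone before its DNSKEY is deleted, written as shell functions over zone-transfer text. The zone name, key tags, timestamps and signature strings in the sample are constructed, and the functions assume one record per line, as dig prints an AXFR.

```shell
#!/bin/sh
# Added example (not BIND code): count the RRSIGs a given key tag still has
# in a signed zone, so the DNSKEY is only withdrawn once that count is zero.

# Constructed sample, one record per line as in "dig axfr" output. Names,
# key tags, timestamps and signature strings are placeholders.
sample_zone() {
cat <<'EOF'
example.test.      3600 IN SOA   ns1.example.test. host.example.test. 2019031101 7200 3600 1209600 3600
example.test.      3600 IN RRSIG SOA 13 2 3600 20190410060000 20190311050000 11111 example.test. c2lnLXBsYWNlaG9sZGVy
example.test.      3600 IN RRSIG NS 13 2 3600 20190405060000 20190306050000 11111 example.test. c2lnLXBsYWNlaG9sZGVy
www.example.test.  3600 IN A     192.0.2.10
www.example.test.  3600 IN RRSIG A 13 3 3600 20190314091500 20190212081500 22222 example.test. c2lnLXBsYWNlaG9sZGVy
mail.example.test. 3600 IN RRSIG A 13 3 3600 20190312091500 20190210081500 22222 example.test. c2lnLXBsYWNlaG9sZGVy
EOF
}

# remaining_rrsigs KEYTAG  (zone text on stdin)
# Prints "<count> <latest expiration>" for RRSIGs made by KEYTAG, "0 -" if none.
# RRSIG fields: owner ttl class RRSIG covered alg labels origttl
#               expiration inception keytag signer signature
remaining_rrsigs() {
    awk -v tag="$1" '
        $4 == "RRSIG" && $11 == tag {
            n++
            e = $9 ""            # YYYYMMDDHHmmSS, fixed width: compare as text
            if (e > latest) latest = e
        }
        END { printf "%d %s\n", n, (n ? latest : "-") }'
}

# safe_to_delete KEYTAG  (zone text on stdin)
# Succeeds only when no RRSIG made by KEYTAG is left in the zone.
safe_to_delete() {
    set -- $(remaining_rrsigs "$1")
    [ "$1" -eq 0 ]
}

for tag in 11111 22222 33333; do
    if sample_zone | safe_to_delete "$tag"; then
        echo "key $tag: no RRSIGs left, DNSKEY can be removed"
    else
        echo "key $tag: keep DNSKEY ($(sample_zone | remaining_rrsigs "$tag"): count, latest expiry)"
    fi
done
```

For a live zone, pipe a zone transfer of the signed zone (dig axfr) into remaining_rrsigs with the retiring key's tag. A zero count only says the signatures are gone from the zone; copies can stay in caches until they expire, as the reply notes.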