On 23.02.22 15:32, Niall O'Reilly wrote:
Hello.

Using BIND 9.16.1-Ubuntu (Stable Release) <id:d497c32> because that’s
what’s most simply available on Ubuntu 20.04.3 LTS (Focal Fossa),
I’m seeing messages reporting that private key files can’t be found,
such as the one in the subject line. The files look to me to be
present as expected.


Just a quick shot: The server is (maybe) running in a chroot environment ...

Josef

I shall be grateful for any helpful advice.

The relevant part of my configuration is further down.

This appeared to work as expected on a development server running
9.18 from the ISC PPA. For production purposes, we would prefer
to rely, if possible, on what is available without adding a PPA.

Best regards,
Niall O’Reilly

dnssec-policy onboarding {
    // This policy attempts to match or accommodate what zonefactory did
    // YMMV!
    dnskey-ttl 3600;
    keys {
        ksk lifetime 3650d algorithm rsasha256;
        zsk lifetime 3650d algorithm rsasha256;
    };
    max-zone-ttl 3600;
    parent-ds-ttl 86400;
    parent-propagation-delay 48h;
    publish-safety 7d;
    retire-safety 7d;
    signatures-refresh 5d;
    signatures-validity 30d;
    signatures-validity-dnskey 30d;
    zone-propagation-delay 2h;
};

zone "foo.ie" {
    type primary;
    update-policy local;
    file "/etc/bind/dynamic/foo.ie/db.foo.ie";
    key-directory "/etc/bind/dynamic/foo.ie/";
    masterfile-format text;
    dnssec-policy onboarding;      # Policy under test
    // dnssec-policy default;      # triggers retirement of existing keys
    // auto-dnssec maintain;       # continues use of existing keys
    notify explicit;               # Testing: don't propagate confusion! ;-)
    also-notify { downstream-in-house; };
    allow-transfer { key in-house.ns.my-own.net.; };
};




--
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany

(HRB 36809, AG Nürnberg)
Geschäftsführer: Ivo Totev