Hi,

This is a log level bug. This log happens when BIND wants to check the parental-agents to see whether the DS has been published. But if you don't have parental-agents set up, the list of keys to check will be empty. Hence the "not found" result.

Thanks for reporting; this will be fixed in the next release. It should be at debug log level.

Best regards,

Matthijs

On 14-10-2022 15:26, PGNet Dev wrote:
I run,

     named -v
         BIND 9.18.7 (Stable Release) <id:>


I've set up dnssec-policy operation for a number of domains.

keys are all generated, KSK-derived DS Records are pushed to registrar->root, and all DNSSEC-analyzer tools online report all's good.

I can see no functional problems. So far. That I'm aware of.

But, in BIND logs, locally, I see the following "zone_rekey:dns_zone_getdnsseckeys failed: not found" error,

    2022-10-14T08:47:23.569556-04:00 ns named[14285]: 14-Oct-2022 08:47:23.568 dnssec: info: zone example.com/IN/external: generated salt: 82CSA124A1645B0D
    2022-10-14T08:47:23.711869-04:00 ns named[14285]: 14-Oct-2022 08:47:23.710 dnssec: info: zone example.com/IN/external: reconfiguring zone keys ??
    2022-10-14T08:47:23.712653-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: error: zone example.com/IN/external: zone_rekey:dns_zone_getdnsseckeys failed: not found
    2022-10-14T08:47:23.712663-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: keyring: example.com/ECDSAP256SHA256/62137 (policy pgnd)
    2022-10-14T08:47:23.712666-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: keyring: example.com/ECDSAP256SHA256/17296 (policy pgnd)
    2022-10-14T08:47:23.712671-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: DNSKEY example.com/ECDSAP256SHA256/17296 (KSK) matches policy pgnd
    2022-10-14T08:47:23.712674-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: DNSKEY example.com/ECDSAP256SHA256/17296 (KSK) is active in policy pgnd
    2022-10-14T08:47:23.712677-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: DNSKEY example.com/ECDSAP256SHA256/62137 (ZSK) matches policy pgnd
    2022-10-14T08:47:23.712680-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: DNSKEY example.com/ECDSAP256SHA256/62137 (ZSK) is active in policy pgnd
    2022-10-14T08:47:23.712683-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: new successor needed for DNSKEY example.com/ECDSAP256SHA256/62137 (ZSK) (policy pgnd) in 2445436 seconds
    2022-10-14T08:47:23.712686-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine ZSK example.com/ECDSAP256SHA256/62137 type DNSKEY in state OMNIPRESENT
    2022-10-14T08:47:23.712688-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: ZSK example.com/ECDSAP256SHA256/62137 type DNSKEY in stable state OMNIPRESENT
    2022-10-14T08:47:23.712690-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine ZSK example.com/ECDSAP256SHA256/62137 type ZRRSIG in state OMNIPRESENT
    2022-10-14T08:47:23.712693-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: ZSK example.com/ECDSAP256SHA256/62137 type ZRRSIG in stable state OMNIPRESENT
    2022-10-14T08:47:23.712695-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine KSK example.com/ECDSAP256SHA256/17296 type DNSKEY in state OMNIPRESENT
    2022-10-14T08:47:23.712697-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: KSK example.com/ECDSAP256SHA256/17296 type DNSKEY in stable state OMNIPRESENT
    2022-10-14T08:47:23.712699-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine KSK example.com/ECDSAP256SHA256/17296 type KRRSIG in state OMNIPRESENT
    2022-10-14T08:47:23.712702-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: KSK example.com/ECDSAP256SHA256/17296 type KRRSIG in stable state OMNIPRESENT
    2022-10-14T08:47:23.712704-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine KSK example.com/ECDSAP256SHA256/17296 type DS in state RUMOURED
    2022-10-14T08:47:23.712706-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: can we transition KSK example.com/ECDSAP256SHA256/17296 type DS state RUMOURED to state OMNIPRESENT?
    2022-10-14T08:47:23.712712-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: dnssec evaluation of KSK example.com/ECDSAP256SHA256/17296 record DS: rule1=(~true or true) rule2=(~true or true) rule3=(~true or true)

for each/every dnssec-enabled domain

where, in my current named.conf,

     dnssec-policy "pgnd" {
         keys {
             ksk key-directory    lifetime unlimited    algorithm 13;
             zsk key-directory    lifetime P30D         algorithm 13;
         };
         dnskey-ttl                 3600;
         publish-safety             1h;
         retire-safety              1h;
         signatures-refresh         P5D;
         signatures-validity        P2W;
         signatures-validity-dnskey P2W;
         max-zone-ttl               86400;
         zone-propagation-delay     300;
         parent-ds-ttl              86400;
         parent-propagation-delay   1h;
         nsec3param iterations 5 optout no salt-length 8;
     };
     zone "example.com" IN {
         type master; file "/namedb/master/example.com.zone";
         dnssec-policy "pgnd";
         key-directory "/keys/dnssec/example.com";
         update-policy { grant pgnd-external-rndc-key zonesub txt; };
     };

What's the source of the "zone_rekey:dns_zone_getdnsseckeys"?
Specifically, what's not being found?
Have I missed/misconfig'd config, omitted a file/dir that the current config expects, or is this a bug?
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
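The check that the reply above refers to, worked by hand as an added example (this is not BIND's own code): derive the DS that the parent should be serving from the zone's KSK DNSKEY and compare it against the DS RRset the parent actually publishes, which is what BIND consults its parental-agents for before moving the KSK's DS state from RUMOURED to OMNIPRESENT. The DNSKEY and parent DS values below are constructed for illustration and are not real keys; the log's KSK key tag 17296 is reproduced only in comments.

```python
# Added example, not BIND code: compute the expected DS for a KSK and check it
# against the DS RRset a parent publishes (RFC 4034 section 5 and Appendix B,
# RFC 4509 for SHA-256 digests, RFC 6605 for SHA-384 digests).
import hashlib
import struct

def owner_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of the owner name, RFC 4034 section 6."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK, 256 = ZSK), protocol 3, algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the /62137 and /17296 seen in the log)."""
    if len(rdata) % 2:
        rdata += b"\x00"
    acc = sum(struct.unpack("!%dH" % (len(rdata) // 2), rdata))
    acc += acc >> 16
    return acc & 0xFFFF

def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS fields (key tag, algorithm, digest type, upper-case hex digest)
    for a DNSKEY. digest_type 2 = SHA-256, 4 = SHA-384."""
    h = {2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    algorithm = rdata[3]
    digest = h(owner_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)

def ds_published(owner: str, ksk_rdata: bytes, parent_ds_set: list) -> bool:
    """True when the parent's DS RRset contains a DS matching this KSK.
    The whole (tag, alg, type, digest) tuple must match, so a stale DS left at
    the registrar after a rollover is not mistaken for the new key's DS."""
    want = {ds_from_dnskey(owner, ksk_rdata, dt) for dt in (2, 4)}
    have = {(t, a, d, dig.upper()) for (t, a, d, dig) in parent_ds_set}
    return bool(want & have)

if __name__ == "__main__":
    # Constructed sample KSK: flags 257 (KSK), ECDSAP256SHA256 (algorithm 13,
    # as in the poster's policy); the 64-byte key is dummy data.
    ksk = dnskey_rdata(257, 13, bytes(range(64)))
    tag, alg, dt, dig = ds_from_dnskey("example.com.", ksk)
    print(f"expected DS: example.com. IN DS {tag} {alg} {dt} {dig}")
    # Constructed parent DS set containing exactly that DS.
    print("DS published at parent:", ds_published("example.com.", ksk, [(tag, alg, dt, dig)]))
```

With no parental-agents configured, BIND has no parent DS set to compare against at all, which is the empty list the reply describes; with them configured, the comparison above is what decides whether the KSK's DS state can advance.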