> On 17 Oct 2022, at 12:13, PGNet Dev <pgnet....@gmail.com> wrote:
>
>> In addition to what Matthijs said, please make sure that all path components
>> in /data/chroot/named/keys/dnssec/example.com/ need to
>> have correct permissions,
>> this is easy to get wrong. I've burnt on this too many times.
>> Easiest way how to test is switching to the user that named runs under and
>> try
>> changing to the directory and checking if you can access the files.
>
> i've double-checked my perms; if that's the cause, i've missed it :_/
>
> testing without dnssec-policy autosigning, just manually signing,
>
> for an active/healthy, dnssec-signed zone
>
>     rndc dnssec -status example.com IN external
>         dnssec-policy: pgnd
>         current time:  Sun Oct 16 20:44:05 2022
>
>         key: 10729 (ECDSAP256SHA256), ZSK
>           published:      yes - since Sat Oct 15 15:52:05 2022
>           zone signing:   yes - since Sat Oct 15 15:52:05 2022
>
>           Next rollover scheduled on Sun Oct 30 13:47:05 2022
>           - goal:           omnipresent
>           - dnskey:         omnipresent
>           - zone rrsig:     rumoured
>
>         key: 57122 (ECDSAP256SHA256), KSK
>           published:      yes - since Sat Oct 15 15:52:05 2022
>           key signing:    yes - since Sat Oct 15 15:52:05 2022
>
>           No rollover scheduled
>           - goal:           omnipresent
>           - dnskey:         omnipresent
>           - ds:             hidden
>           - key rrsig:      omnipresent
>
> trying a manual rollover
>
>     rndc dnssec -rollover -key 10729 example.com IN external
>         Error executing rollover command: error occurred writing key to
>         disk
>
> where, even with debug logging, all that i see on exec is
>
>     2022-10-16T20:56:49.979144-04:00 ns named[2036]: 16-Oct-2022
>     20:56:49.977 general: info: received control channel command 'dnssec
>     -rollover -key 10729 example.com IN external'
>
> is there a way to determine what data is being attempted to write to which
> file/location on disk?
> or, generally, any more detail about what "error occurred" ?

It will be attempting to write into the key-directory for the zone as defined by named.conf. It will be creating a new file and then renaming that to replace one of the existing files associated with that key, the .private or .state (I haven’t looked to see which) with updated content.

> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
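
The permission test suggested in the quoted message (become the user named runs under and try the directory), combined with the create-then-rename write described in the reply, as an added shell example that is not part of the original thread. The account name "named", the script name check_keydir.sh and the scratch file name are assumptions.

```shell
#!/bin/sh
# Run as the account named runs under, for example (account name "named" and
# script name are assumptions):
#   sudo -u named sh check_keydir.sh /data/chroot/named/keys/dnssec/example.com

# check_keydir DIR: return 0 if the current user can traverse every path
# component of DIR and can create, then rename, a file inside it.
check_keydir() {
    dir=$1
    case $dir in
        /*) ;;
        *) echo "need an absolute path: $dir" >&2; return 2 ;;
    esac
    # Walk /a, /a/b, ... ; each component needs search (x) permission.
    path=
    rest=${dir#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *) rest= ;;
        esac
        [ -n "$part" ] || continue
        path=$path/$part
        if [ ! -d "$path" ]; then
            echo "missing or not a directory: $path" >&2; return 1
        elif [ ! -x "$path" ]; then
            echo "no search permission: $path" >&2; ls -ld "$path" >&2; return 1
        fi
    done
    # Same pattern as the key update: create a new file, then rename it.
    # Scratch names only; existing .private / .state files are untouched.
    tmp=$dir/.keydir-check.$$
    if ! ( : > "$tmp" ) 2>/dev/null; then
        echo "cannot create a file in: $dir" >&2; ls -ld "$dir" >&2; return 1
    fi
    if ! mv "$tmp" "$tmp.renamed" 2>/dev/null; then
        rm -f "$tmp"; echo "cannot rename inside: $dir" >&2; return 1
    fi
    rm -f "$tmp.renamed"
    return 0
}

if [ "$#" -gt 0 ]; then check_keydir "$1"; fi
```

The first component reported is the one to fix; a pass here means ordinary file permissions allow the write for that account.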