A quick follow-up for posterity: this was resolved by manually editing
the bind 9.18 zone files and removing all DNSSEC records.

On 2024-10-22 9:57 p.m., Paul Galbraith wrote:
I am getting this error with bind 9.20.2, when trying to delete an
AAAA record with nsupdate on the same host. Using rndc on the host to
sign the zone seems to work fine, so I'm quite confused. Is there any
way to get more detail about these "zone keys" that named "could not
get"?

Oct 23 01:18:45 named[18113]: debug level is now 10
Oct 23 01:19:05 named[18113]: client @0x95d24325020 ::1#50908/key local-ddns: updating zone 'galbraiths.ca/IN': deleting rrset at 'angmar.galbraiths.ca' AAAA
Oct 23 01:19:05 named[18113]: client @0x95d24325020 ::1#50908/key local-ddns: updating zone 'galbraiths.ca/IN': could not get zone keys for secure dynamic update
Oct 23 01:19:05 named[18113]: client @0x95d24325020 ::1#50908/key local-ddns: updating zone 'galbraiths.ca/IN': RRSIG/NSEC/NSEC3 update failed: not found
Oct 23 01:27:06 named[18113]: received control channel command 'sign galbraiths.ca'
Oct 23 01:27:06 named[18113]: zone galbraiths.ca/IN (signed): reconfiguring zone keys
Oct 23 01:27:06 named[18113]: zone galbraiths.ca/IN (signed): next key event: 23-Oct-2024 02:27:06.724

This is happening on a recently upgraded system (previous bind was
9.18.x I believe) which was previously working fine with nsupdate.
I'm wondering if this is somehow related to named being chrooted to
/var/named, but rndc sign zone works fine so quite doubtful about that
still, and I expect I would get a different error if named could not
find the local-ddns key.