On 22.2.2016 09:36, Winfried de Heiden wrote: > Hi all, > > I get lot's of messages in my log (journalctl -u named-pkcs11.service -p err > ) > like these: > > Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN > (signed): could not get zone keys for secure dynamic update > Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN > (signed): receive_secure_serial: not found > Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN > (signed): could not get zone keys for secure dynamic update > Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN > (signed): receive_secure_serial: not found > Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN > (signed): could not get zone keys for secure dynamic update > Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN > (signed): receive_secure_serial: not found > > What's going wrong here, how to fix it?
Hello, this might have multiple reasons. Please walk step-by-step through following page: http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work Additional questions: * What version of FreeIPA and on what platform do you use? * Is the zone signed on DNSSEC key master or on replica? Does it work on one FreeIPA server but not on some other server? * Did you change something lately? -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
