On 22.2.2016 14:02, Winfried de Heiden wrote:
> Hi all,
>
> Following
> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work was
> most useful. It turned out the package "freeipa-server-dns" was missing.
> Strange, I am running DNS, but...:
>
>   * I upgraded from Fedora 22 to 23 including upgrading from IPA 4.1 to 4.2.
>   * Also: I'm running this on a Bananapi "server".....
>   * There's no slave.
>
>
> Anyway, ipa dnszone-show tells DNSSEC was enabled:
>
>
>     Allow in-line DNSSEC signing: TRUE
>
> but most likely due to the missing freeipa-server-dns it was missing
> dependencies as well, for example the package opendnssec was missing.
>
> After installing freeipa-server-dns all packages seem to be in place, but
> the kasp.db file is empty:
>
> root@ipa ~]# ls -l /var/opendnssec/kasp.db
> -rw-rw----. 1 ods ods 0 Feb 22 11:29 /var/opendnssec/kasp.db
>
> No wonder I still get messages like "could not get zone keys".
>
> Shouldn't a key be added? How? (without blowing the current DNS....)

DNSSEC key master should do that automatically.

Please continue with the next steps as described on
http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured
and we will see.

Petr^2 Spacek

>
> Winny
>
>
> On 22-02-16 at 11:10, Petr Spacek wrote:
>> On 22.2.2016 09:36, Winfried de Heiden wrote:
>>> Hi all,
>>>
>>> I get lots of messages in my log (journalctl -u named-pkcs11.service -p
>>> err ) like these:
>>>
>>> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>> (signed): could not get zone keys for secure dynamic update
>>> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>> (signed): receive_secure_serial: not found
>>> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>> (signed): could not get zone keys for secure dynamic update
>>> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>> (signed): receive_secure_serial: not found
>>> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>> (signed): could not get zone keys for secure dynamic update
>>> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>> (signed): receive_secure_serial: not found
>>>
>>> What's going wrong here, how to fix it?
>> Hello,
>>
>> this might have multiple reasons.
>>
>> Please walk step-by-step through the following page:
>> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work
>>
>> Additional questions:
>> * What version of FreeIPA and on what platform do you use?
>> * Is the zone signed on DNSSEC key master or on replica? Does it work on one
>> FreeIPA server but not on some other server?
>> * Did you change something lately?
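
Added example, not part of the original messages and not FreeIPA's own tooling: a POSIX shell triage that correlates the three observations in this thread (in-line signing reported as TRUE, an empty `/var/opendnssec/kasp.db`, and `named-pkcs11` "could not get zone keys" errors). The function names and the sample input in `demo` are constructed; on a real server, feed `diagnose` saved output of `ipa dnszone-show` and `journalctl -u named-pkcs11.service -p err`.

```shell
#!/bin/sh
# Journal text on stdin -> "<zone> <count>" for each zone logging the key error.
count_zone_key_errors() {
    awk '/named-pkcs11\[[0-9]+\]: zone .* could not get zone keys/ {
             for (i = 1; i < NF; i++) if ($i == "zone") { n[$(i + 1)]++; break }
         }
         END { for (z in n) print z, n[z] }' | sort
}

# `ipa dnszone-show` text on stdin -> exit 0 if in-line signing is TRUE.
inline_signing_enabled() {
    grep -Eq '^[[:space:]]*Allow in-line DNSSEC signing:[[:space:]]*TRUE[[:space:]]*$'
}

# Path to the OpenDNSSEC KASP database -> missing | empty | populated.
kasp_db_state() {
    if [ ! -e "$1" ]; then echo missing
    elif [ ! -s "$1" ]; then echo empty
    else echo populated
    fi
}

# diagnose ZONESHOW_FILE JOURNAL_FILE KASP_DB -> one-line verdict.
diagnose() {
    errors=$(count_zone_key_errors < "$2" | awk '{ s += $2 } END { print s + 0 }')
    state=$(kasp_db_state "$3")
    if inline_signing_enabled < "$1" && [ "$state" != populated ]; then
        echo "signing enabled but kasp.db is $state ($errors key errors logged)"
    elif [ "$errors" -gt 0 ]; then
        echo "kasp.db is $state but $errors key errors logged"
    else
        echo "no zone key errors found"
    fi
}

# Constructed sample input modelled on the output quoted in the thread.
demo() {
    d=$(mktemp -d)
    printf '  Allow in-line DNSSEC signing: TRUE\n' > "$d/zone.txt"
    printf '%s\n' \
        'Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update' \
        'Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): receive_secure_serial: not found' \
        'Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update' \
        > "$d/journal.txt"
    : > "$d/kasp.db"   # zero-byte file, as in the ls -l output above
    diagnose "$d/zone.txt" "$d/journal.txt" "$d/kasp.db"
    rm -rf "$d"
}
demo
```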
