On 23.2.2016 14:18, Winfried de Heiden wrote:
> Hi all,
>
> And so did I, following
> http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured:
>
> ipa-dns-install --dnssec-master
>
> The log file for this installation can be found in
> /var/log/ipaserver-install.log
> ==============================================================================
> This program will setup DNS for the FreeIPA Server.
>
> This includes:
>   * Configure DNS (bind)
>   * Configure SoftHSM (required by DNSSEC)
>   * Configure ipa-dnskeysyncd (required by DNSSEC)
>   * Configure ipa-ods-exporter (required by DNSSEC key master)
>   * Configure OpenDNSSEC (required by DNSSEC key master)
>   * Generate DNSSEC master key (required by DNSSEC key master)
>
> NOTE: DNSSEC zone signing is not enabled by default
>
> Plan carefully, replacing DNSSEC key master is not recommended
>
>
> To accept the default shown in brackets, press the Enter key.
>
> Do you want to setup this IPA server as DNSSEC key master? [no]: yes
> DNSSEC signing is already enabled for following zone(s): example.com.
> Installation cannot continue without the OpenDNSSEC database file from the
> original DNSSEC master server.
> Please use option --kasp-db to specify location of the kasp.db file copied from
> the original DNSSEC master server.
> WARNING: Zones will become unavailable if you do not provide the original
> kasp.db file.
>
> However, it seems like I don't have a key, that was the problem in the first
> place....
Right. This is a special case so you need to provide --force option to override
the check and continue with installation. When you do that, please go through
the Troubleshooting page again, hopefully it will help.

Petr^2 Spacek

> Anyway, trying to continue:
>
> bash-4.3$ ods-ksmutil zone list
> zonelist filename set to /etc/opendnssec/zonelist.xml.
> Cannot open destination file, will not make backup.
> No zones in DB or zonelist.
>
> Indeed, the file /etc/opendnssec/zonelist.xml is the one installed by default,
> only having the unused example zones.
>
> Also, python2 /usr/lib/python2.*/site-packages/ipapython/dnssec/localhsm.py
> does not show any zone private keys.
>
> It still looks like these are not created.
>
> So, it still looks like DNSSEC signing is enabled, but the key is not there.
>
> Winny
>
> On 22-02-16 at 16:31, Petr Spacek wrote:
>> On 22.2.2016 14:02, Winfried de Heiden wrote:
>>> Hi all,
>>>
>>> Following
>>> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work
>>> was most useful. It turned out the package "freeipa-server-dns" was missing.
>>> Strange, I am running DNS, but...:
>>>
>>> * I upgraded from Fedora 22 to 23 including upgrading from IPA 4.1 to 4.2.
>>> * Also: I'm running this on a Bananapi "server".....
>>> * There's no slave.
>>>
>>>
>>> Anyway, ipa dnszone-show tells DNSSEC was enabled:
>>>
>>>
>>> Allow in-line DNSSEC signing: TRUE
>>>
>>> but most likely due to the missing freeipa-server-dns it was missing
>>> dependencies as well, for example the package opendnssec was missing.
>>>
>>> After installing freeipa-server-dns all packages seem to be in place, but
>>> the kasp.db file is empty:
>>>
>>> [root@ipa ~]# ls -l /var/opendnssec/kasp.db
>>> -rw-rw----. 1 ods ods 0 Feb 22 11:29 /var/opendnssec/kasp.db
>>>
>>> No wonder I still get messages like "could not get zone keys".
>>>
>>> Shouldn't a key be added? How? (without blowing the current DNS....)
>> DNSSEC key master should do that automatically.
>>
>> Please continue with next steps as described on
>> http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured
>> and we will see.
>>
>> Petr^2 Spacek
>>
>>> Winny
>>>
>>>
>>> On 22-02-16 at 11:10, Petr Spacek wrote:
>>>> On 22.2.2016 09:36, Winfried de Heiden wrote:
>>>>> Hi all,
>>>>>
>>>>> I get lots of messages in my log (journalctl -u named-pkcs11.service -p err)
>>>>> like these:
>>>>>
>>>>> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update
>>>>> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): receive_secure_serial: not found
>>>>> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update
>>>>> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): receive_secure_serial: not found
>>>>> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update
>>>>> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): receive_secure_serial: not found
>>>>>
>>>>> What's going wrong here, how to fix it?
>>>> Hello,
>>>>
>>>> this might have multiple reasons.
>>>>
>>>> Please walk step-by-step through following page:
>>>> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work
>>>>
>>>> Additional questions:
>>>> * What version of FreeIPA and on what platform do you use?
>>>> * Is the zone signed on DNSSEC key master or on replica? Does it work on
>>>>   one FreeIPA server but not on some other server?
>>>> * Did you change something lately?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
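The three symptoms the thread walks through (named-pkcs11 logging "could not get zone keys for secure dynamic update", a zero-byte /var/opendnssec/kasp.db, and ods-ksmutil reporting no zones) can be checked together so that "signing enabled but no key material was ever generated" is told apart from "keys exist but named cannot reach them". The script below is an added example, not code from the thread or from FreeIPA; it takes the three artefacts as file paths so it runs here against constructed samples, and the function and file names are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the DNSSEC key-material symptoms discussed in the thread.
# Arguments: <journal excerpt file> <path to kasp.db> <ods-ksmutil zone list output file>
# Prints one of: KEY_MATERIAL_MISSING, KEYS_UNAVAILABLE_TO_NAMED, OK
dnssec_key_check() {
  journal="$1"; kasp="$2"; odsout="$3"
  # named-pkcs11 error count ("|| true" keeps grep's printed 0 usable under set -e)
  key_errs=$(grep -c 'could not get zone keys for secure dynamic update' "$journal" || true)
  # OpenDNSSEC database: a zero-byte kasp.db means the key master never generated anything
  if [ -s "$kasp" ]; then kasp_state=populated; else kasp_state=empty; fi
  # ods-ksmutil tells whether OpenDNSSEC knows about any zone at all
  if grep -q 'No zones in DB or zonelist' "$odsout"; then ods_zones=none; else ods_zones=present; fi
  if [ "$key_errs" -gt 0 ] && [ "$kasp_state" = empty ] && [ "$ods_zones" = none ]; then
    echo KEY_MATERIAL_MISSING       # signing enabled in LDAP, but no keys were ever generated
  elif [ "$key_errs" -gt 0 ]; then
    echo KEYS_UNAVAILABLE_TO_NAMED  # keys exist in the KASP DB, but named-pkcs11 cannot use them
  else
    echo OK
  fi
}

# Constructed sample inputs reproducing the thread's symptoms (not real captures).
make_broken_samples() {
  d=$(mktemp -d)
  cat > "$d/journal.txt" <<'EOF'
Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update
Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): receive_secure_serial: not found
EOF
  : > "$d/kasp.db"   # zero-byte file, as in the ls -l output in the thread
  printf 'zonelist filename set to /etc/opendnssec/zonelist.xml.\nNo zones in DB or zonelist.\n' > "$d/ods.txt"
  echo "$d"
}

# Constructed healthy sample: no key errors, a populated database, a zone known to OpenDNSSEC.
make_healthy_samples() {
  d=$(mktemp -d)
  printf 'Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): sending notifies\n' > "$d/journal.txt"
  printf 'placeholder-database-content' > "$d/kasp.db"   # non-empty stand-in for a real kasp.db
  printf 'Found Zone: example.com; on policy default\n' > "$d/ods.txt"
  echo "$d"
}

d=$(make_broken_samples);  dnssec_key_check "$d/journal.txt" "$d/kasp.db" "$d/ods.txt"   # KEY_MATERIAL_MISSING
d=$(make_healthy_samples); dnssec_key_check "$d/journal.txt" "$d/kasp.db" "$d/ods.txt"   # OK
```

On a real server the inputs would be `journalctl -u named-pkcs11.service -p err`, `/var/opendnssec/kasp.db` and the output of `ods-ksmutil zone list`; KEY_MATERIAL_MISSING corresponds to the state the thread ends in, where the key master has to be (re)configured rather than a kasp.db copied from elsewhere.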
