I've followed the guide at https://www.freeipa.org/page/Howto/DNSSEC to configure DNSSEC support in my FreeIPA 4.2/CentOS 7.2 installation, but I've been unable for the life of me to get it to sign zones. I've followed the steps at http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work but as yet have been unable to get signing to work.
# ipa dnszone-show example.com
  Zone name: example.com.
  Active zone: TRUE
  Authoritative nameserver: host.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1462235022
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;
  Allow in-line DNSSEC signing: TRUE

################################################################################

ldapsearch -Y GSSAPI '(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: (&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))
# requesting: ALL
#

# DNSSEC, host.example.com, masters, ipa, etc, example.com
dn: cn=DNSSEC,cn=host.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
objectClass: ipaConfigObject
objectClass: nsContainer
objectClass: top
ipaConfigString: dnssecKeyMaster
ipaConfigString: startOrder 100
ipaConfigString: enabledService
cn: DNSSEC

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

################################################################################

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

################################################################################

$ ods-ksmutil zone list
zonelist filename set to /etc/opendnssec/zonelist.xml.
No zones in DB or zonelist.

Per the instructions, I've restarted ipa-dnskeysyncd, but it has had no effect.
The only log entries I see are:

# journalctl -u ipa-dnskeysyncd
May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa : INFO Signal 15 received: Shutting down!
May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING: session memcached servers not running
May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO LDAP bind...
May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO Commencing sync process

Can anyone advise on next steps? I've been banging my head against a wall for a couple of days now and would really appreciate some help.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
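The checks the poster walked through by hand (key master entry present in LDAP, the DNSSEC-related services up, OpenDNSSEC actually holding the zone) can be scripted so they run over output pasted into a ticket as well as on a live server. The script below is an added example, not code from the original post or from the FreeIPA project. It takes the text of `ipactl status`, the `ldapsearch` for `dnssecKeyMaster`, and `ods-ksmutil zone list` as arguments; the sample inputs are constructed to mirror the output above. It assumes the `ods-ksmutil zone list` line format `Found Zone: <name>; on policy <policy>` for each known zone, and it treats STOPPED for `ipa-ods-exporter` as informational because that service is socket-activated in this release and only runs when needed.

```sh
#!/bin/sh
# Added example (not from the original post or the FreeIPA project):
# encode the "DNSSEC signing does not work" troubleshooting checks as
# functions over captured command output.

# Constructed sample input modelled on the output in the post.
IPACTL_SAMPLE='Directory Service: RUNNING
named Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful'

LDAP_SAMPLE='dn: cn=DNSSEC,cn=host.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
ipaConfigString: dnssecKeyMaster
ipaConfigString: enabledService
# numEntries: 1'

ODS_SAMPLE='zonelist filename set to /etc/opendnssec/zonelist.xml.
No zones in DB or zonelist.'

# service_state "<ipactl status output>" <service>
# Prints RUNNING, STOPPED, or UNKNOWN if ipactl did not list the service.
service_state() {
    printf '%s\n' "$1" | awk -v svc="$2 Service:" '
        index($0, svc) == 1 { print $NF; found = 1 }
        END { if (!found) print "UNKNOWN" }'
}

# keymaster_count "<ldapsearch output>"
# Number of enabled dnssecKeyMaster entries, read from the "# numEntries:"
# summary line that ldapsearch prints (0 if the line is absent).
keymaster_count() {
    printf '%s\n' "$1" | awk '/^# numEntries:/ { n = $3 } END { print n + 0 }'
}

# ods_zone_count "<ods-ksmutil zone list output>"
# Zones OpenDNSSEC knows about; assumes one "Found Zone: ..." line per zone.
ods_zone_count() {
    printf '%s\n' "$1" | grep -c '^Found Zone:' || true
}

# dnssec_checks <ipactl output> <ldapsearch output> <ods-ksmutil output>
# Prints one line per finding; return value is the number of failed checks.
dnssec_checks() {
    failures=0
    if [ "$(keymaster_count "$2")" -ne 1 ]; then
        echo "FAIL: expected exactly one enabled dnssecKeyMaster entry in LDAP"
        failures=$((failures + 1))
    fi
    for svc in named ods-enforcerd ipa-dnskeysyncd; do
        state=$(service_state "$1" "$svc")
        if [ "$state" != RUNNING ]; then
            echo "FAIL: $svc is $state"
            failures=$((failures + 1))
        fi
    done
    # ipa-ods-exporter is socket-activated, so STOPPED here is not a fault by itself.
    echo "INFO: ipa-ods-exporter is $(service_state "$1" ipa-ods-exporter) (socket-activated)"
    if [ "$(ods_zone_count "$3")" -eq 0 ]; then
        echo "FAIL: OpenDNSSEC has no zones; zones with in-line signing enabled are added there by ipa-dnskeysyncd"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Run against the constructed sample; on a server, substitute
# "$(ipactl status)", "$(ldapsearch -Y GSSAPI '(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))')"
# and "$(ods-ksmutil zone list)".
dnssec_checks "$IPACTL_SAMPLE" "$LDAP_SAMPLE" "$ODS_SAMPLE" || echo "$? check(s) failed"
```

Against the sample the only failing check is the empty OpenDNSSEC zone list, which matches what the post shows: the key master and the daemons are in place, but nothing has been handed to OpenDNSSEC to sign, so that is where to look next (the ipa-dnskeysyncd log after "Commencing sync process", and the zone's `idnsSecInlineSigning` attribute in LDAP).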
