DNSSEC notes – bind97 on CentOS

I have implemented DNSSEC for some of my domains with bind97 on CentOS. For some reason, a recent update caused the domain not to be loaded during a service restart.

Digging deeper into the logs, I found error messages like the ones shown below:

Sep  8 12:32:21 mysrv named[28282]: dns_dnssec_findzonekeys2: error reading private key file my.domain.tld/RSASHA1/7783: file not found
Sep  8 12:32:21 mysrv named[28282]: dns_dnssec_findzonekeys2: error reading private key file my.domain.tld/RSASHA1/88950: file not found

It appeared that all of a sudden my named service couldn't locate the private keys for the domain (there were two files in question: one was the KSK key file and the other the ZSK key file). I found this weird because all this while I hadn't had such issues without presenting the keys to the named service.

The fix was quite simple: just define key-directory in named.conf, pointing at the directory that stores these files (make sure the user the named service runs as can read it), and restart the service.

options {
    ...
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    key-directory "/directory/to/store/key/files";
    ...
};

That's all I did to fix it.
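As an added example (not part of the original post), here is a small POSIX sh helper that takes a dns_dnssec_findzonekeys2 log line like the ones above, derives the private-key filename BIND expects under key-directory (standard naming K<zone>.+<alg>+<keyid>.private), and checks that the file exists and that the named user can read it. The key directory path and the user name "named" are assumptions; the sudo check is skipped where sudo or that user is absent.

```sh
#!/bin/sh
# Added example: map a "error reading private key file" log line to the key file
# BIND looks for in key-directory, then verify presence and readability.

# Algorithm mnemonic (as printed in the log) -> IANA number, zero-padded to 3 digits.
alg_number() {
  case "$1" in
    RSASHA1)         echo 005 ;;
    NSEC3RSASHA1)    echo 007 ;;
    RSASHA256)       echo 008 ;;
    RSASHA512)       echo 010 ;;
    ECDSAP256SHA256) echo 013 ;;
    ECDSAP384SHA384) echo 014 ;;
    *) return 1 ;;
  esac
}

# "my.domain.tld/RSASHA1/7783" -> "Kmy.domain.tld.+005+07783.private"
key_filename() {
  zone=${1%%/*}; rest=${1#*/}; alg=${rest%%/*}; id=${rest#*/}
  num=$(alg_number "$alg") || return 1
  printf 'K%s.+%s+%05d.private\n' "$zone" "$num" "$id"
}

# Pull the zone/alg/keyid triple out of a named log line; fail if it is another message.
key_ref_from_log() {
  case "$1" in
    *"error reading private key file "*) ;;
    *) return 1 ;;
  esac
  ref=${1#*error reading private key file }
  echo "${ref%%:*}"
}

# check_key KEYDIR LOGLINE [USER]: 0 = ok, 1 = missing/unparseable, 2 = unreadable by USER.
check_key() {
  dir=$1; line=$2; user=${3:-named}   # "named" is the assumed service account
  ref=$(key_ref_from_log "$line") || return 1
  file="$dir/$(key_filename "$ref")" || return 1
  [ -f "$file" ] || { echo "missing: $file"; return 1; }
  # Only test as the service user when sudo and that account actually exist here.
  if command -v sudo >/dev/null 2>&1 && id "$user" >/dev/null 2>&1; then
    sudo -n -u "$user" test -r "$file" || { echo "not readable by $user: $file"; return 2; }
  fi
  echo "ok: $file"
}
```

Run it against each offending log line with your key-directory as the first argument; a "missing" result means the K*.private file is not in that directory, and a "not readable" result points at ownership or mode on the directory or file.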
