Bind DNS
Common Issues
Issue: the server booted with its clock set to a time in the future, and bind / named downloaded the trust-anchor (managed keys) information with that future timestamp
Often you'll see this in the logs:
validating ./DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
managed-keys-zone: No valid trust anchors for '.'
Solution:
1) shut down named
2) delete /var/named/dynamic/managed-keys.bind.jnl and create a new file in its place containing just:
;BIND LOG V9
8
3) ensure the new file is owned by the named user.
4) start up named
You'll see something like this in the logs:
Apr 28 12:49:00 XXXXXX named[4093]: managed-keys-zone: journal rollforward failed: no more
Apr 28 12:49:00 XXXXXX named[4093]: managed-keys-zone: unable to load from '/var/named/dynamic/managed-keys.bind.jnl'; renaming file to '/var/named/dynamic/jn-xMvuHJmM' for failure analysis and retransferring.
And then your DNSSEC validation should start working again.
There are probably better ways to trigger the refresh, but the above seems to work.
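Added example, not from the original page: a small POSIX sh script that wraps the two parts above, spotting the log lines that signal the trust-anchor failure, and carrying out the four-step journal reset. It assumes systemd manages the named service (the page does not say which init system it runs), that the journal lives at the path shown on the page, and that the named user's primary group is also called named; the log path and the "host" hostname in the usage below are placeholders. Because the root cause was a wrong clock, the reset function prints the current UTC time first so you can confirm the clock is right before restarting, otherwise the same failure will come back.

```shell
#!/bin/sh
# Added example (not the original page's code). Helpers for the symptom
# check and the managed-keys journal reset described on the page.
# Assumptions: systemd runs the named service, the journal path is the one
# from the page, and the named user's group is also "named".
JNL="${JNL:-/var/named/dynamic/managed-keys.bind.jnl}"
OWNER="${OWNER:-named}"

# Returns 0 if the given log file contains either of the two messages the
# page lists as the symptom of a broken trust anchor for ".".
log_shows_trust_anchor_failure() {
    grep -qF "No valid trust anchors for '.'" "$1" \
        || grep -qF "unable to find a DNSKEY which verifies the DNSKEY RRset" "$1"
}

# Step 2: replace the journal with the two-line stub the page prescribes.
write_stub_journal() {
    rm -f "$1"
    printf ';BIND LOG V9\n8\n' > "$1"
}

# Returns 0 if the file holds exactly the stub content and nothing else
# (command substitution strips the trailing newline on both sides).
journal_is_stub() {
    [ "$(cat "$1")" = "$(printf ';BIND LOG V9\n8')" ]
}

# Steps 1 to 4 from the page. Check the clock first: if it is still wrong,
# named will fetch keys with a bad timestamp again.
reset_managed_keys() {
    echo "current UTC time: $(date -u)"
    systemctl stop named                     # step 1
    write_stub_journal "$JNL"                # step 2
    chown "$OWNER:$OWNER" "$JNL"             # step 3 (group is an assumption)
    systemctl start named                    # step 4
    # Show the managed-keys-zone lines the page says to expect after restart.
    journalctl -u named -n 20 --no-pager | grep managed-keys-zone
}

# Usage:  sh fix-managed-keys.sh check /var/log/messages
#         sh fix-managed-keys.sh reset
case "${1:-}" in
    check)
        if log_shows_trust_anchor_failure "${2:-/var/log/messages}"; then
            echo "trust-anchor failure present in ${2:-/var/log/messages}"
        else
            echo "no trust-anchor failure found"
        fi
        ;;
    reset) reset_managed_keys ;;
esac
```

Run the check subcommand against whatever file syslog writes named's messages to on your system; run the reset subcommand as root, since it stops and starts the service and chowns the journal.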