Bind9 DNSSEC and rollerd


 
# 1  
Old 11-25-2014
[solved] Bind9 DNSSEC and rollerd

Hi all,
I've a little problem getting rollerd running and signing my zones if the ZSKs of my zones are near expiring or expired.

rollerd is running but does nothing

started with:

Code:
/usr/bin/perl /usr/sbin/rollerd -rrfile /etc/bind/all.rollrec -directory /etc/bind -logfile /dev/stdout

all.rollrec file:

Code:
skip    "info rollrec"
        version         "2"

roll    "mindorf-netz.de"
        zonename        "mindorf-netz.de"
        zonefile        "/etc/bind/zone-mindorf-netz.de.signed"
        keyrec          "/etc/bind/mindorf-netz.de.krf"
        administrator   "zonemaster@mindorf-netz.de"
        kskphase        "0"
        zskphase        "0"
        ksk_rolldate    "Thu Nov 20 11:33:43 2014"
        ksk_rollsecs    "1416483223"
        zsk_rolldate    "Thu Nov 20 11:33:43 2014"
        zsk_rollsecs    "1416483223"
        maxttl          "0"
        display         "1"
        phasestart      "new"
        # optional records for RFC5011 rolling:
        istrustanchor   "no"
        holddowntime    "60D"

and my krf:

Code:
zone    "mindorf-netz.de"
        keyrec_type     "zone"
        zonefile        "zone-mindorf-netz.de"
        keyrec_signsecs "1416580022"
        keyrec_signdate "Fri Nov 21 14:27:02 2014"
        lastset         "mindorf-netz.de-signset-00003"
        signedzone      "/etc/bind/zone-mindorf-netz.de.signed"
        zskdirectory    "/data/bind/etc"
        kskdirectory    "/data/bind/etc"
        archivedir      "/var/lib/dnssec-tools/archive"
        endtime         "1800"
        kskcount        "1"
        zskcount        "1"
        zskcur          "mindorf-netz.de-signset-00001"
        zskpub          "mindorf-netz.de-signset-00002"
        szopts          "-O full"
        kskcur          "mindorf-netz.de-signset-00003"
        serial          "2014112020"
        rollmgr         "rollerd"
        lastcmd         "-krfile mindorf-netz.de.krf -szopts -O full -genkeys -usensec3 -zone mindorf-netz.de zone-mindorf-netz.de"

set     "mindorf-netz.de-signset-00001"
        keyrec_setsecs  "1416478797"
        keyrec_setdate  "Thu Nov 20 10:19:57 2014"
        zonename        "mindorf-netz.de"
        set_type        "zskcur"
        keys            "Kmindorf-netz.de.+008+11061"

set     "mindorf-netz.de-signset-00002"
        keyrec_setsecs  "1416478797"
        keyrec_setdate  "Thu Nov 20 10:19:57 2014"
        zonename        "mindorf-netz.de"
        set_type        "zskpub"
        keys            "Kmindorf-netz.de.+008+29604"

key     "Kmindorf-netz.de.+008+11061"
        keyrec_type     "zskcur"
        algorithm       "rsasha256"
        random          "/dev/urandom"
        keypath         "/data/bind/etc/Kmindorf-netz.de.+008+11061.key"
        zsklength       "1024"
        zsklife         "604800"
        keyrec_gensecs  "1416478798"
        keyrec_gendate  "Thu Nov 20 10:19:58 2014"
        zonename        "mindorf-netz.de"

key     "Kmindorf-netz.de.+008+29604"
        keyrec_type     "zskpub"
        algorithm       "rsasha256"
        random          "/dev/urandom"
        keypath         "/data/bind/etc/Kmindorf-netz.de.+008+29604.key"
        zsklength       "1024"
        zsklife         "604800"
        keyrec_gensecs  "1416478798"
        keyrec_gendate  "Thu Nov 20 10:19:58 2014"
        zonename        "mindorf-netz.de"

set     "mindorf-netz.de-signset-00003"
        keyrec_setsecs  "1416478798"
        keyrec_setdate  "Thu Nov 20 10:19:58 2014"
        zonename        "mindorf-netz.de"
        set_type        "kskcur"
        keys            "Kmindorf-netz.de.+008+30394"

key     "Kmindorf-netz.de.+008+30394"
        keyrec_type     "kskcur"
        algorithm       "rsasha256"
        random          "/dev/urandom"
        keypath         "/data/bind/etc/Kmindorf-netz.de.+008+30394.key"
        ksklength       "2048"
        ksklife         "15768000"
        revperiod       "3888000"
        keyrec_gensecs  "1416478798"
        keyrec_gendate  "Thu Nov 20 10:19:58 2014"
        zonename        "mindorf-netz.de"



Does anyone have an idea why it is not signing my zones?

Regards,
xabbu

Last edited by xabbu; 12-19-2014 at 04:04 AM. Reason: found solution
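As an added example (not the poster's code and not part of DNSSEC-Tools), a small Python checker that parses the rollrec and krf formats shown above and reports how long until rollerd's ZSK roll timer fires; it assumes, as labelled in the code, that rollerd starts a ZSK roll once the current ZSK's zsklife seconds have elapsed since the rollrec's zsk_rollsecs. Fed the values from this post, it shows that on 11-25-2014 the 7-day zsklife that started on 11-20 had not yet run out.

```python
"""Check when rollerd's ZSK roll timer fires, by parsing the rollrec and keyrec
formats shown in the post. Added example, not the poster's code or DNSSEC-Tools'."""
import re
# Constructed excerpts; the values are those from the rollrec and krf in the post.
ROLLREC = '''
roll    "mindorf-netz.de"
        zskphase        "0"
        zsk_rollsecs    "1416483223"
'''
KRF = '''
zone    "mindorf-netz.de"
        zskcur          "mindorf-netz.de-signset-00001"
set     "mindorf-netz.de-signset-00001"
        keys            "Kmindorf-netz.de.+008+11061"
key     "Kmindorf-netz.de.+008+11061"
        zsklife         "604800"
'''
_HEADER = re.compile(r'^(\w+)\s+"([^"]*)"\s*$')   # e.g.  roll "zone"  /  key "Kname"
_FIELD = re.compile(r'^\s+(\w+)\s+"([^"]*)"\s*$')  # indented  field "value"

def parse_records(text):
    """Return {(record_type, name): {field: value}} for rollrec or keyrec text."""
    records, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        m = _HEADER.match(line)
        if m:                             # new record: roll/skip/zone/set/key
            current = records.setdefault((m.group(1), m.group(2)), {})
            continue
        m = _FIELD.match(line)
        if m and current is not None:     # quoted field belonging to the record
            current[m.group(1)] = m.group(2)
    return records

def seconds_until_zsk_roll(rollrec, krf, zone, now):
    """Seconds until rollerd should start the ZSK roll (negative = overdue), or
    None if a roll is already under way (zskphase != 0). Assumption, not stated
    on the page: the roll starts zsklife seconds after the rollrec's zsk_rollsecs."""
    roll = rollrec[("roll", zone)]
    if roll.get("zskphase", "0") != "0":
        return None
    cur_set = krf[("set", krf[("zone", zone)]["zskcur"])]
    key = krf[("key", cur_set["keys"].split()[0])]  # first key in the signing set
    return int(roll["zsk_rollsecs"]) + int(key["zsklife"]) - now

if __name__ == "__main__":
    rr, kr = parse_records(ROLLREC), parse_records(KRF)
    print("seconds until ZSK roll on 2014-11-25 12:00 UTC:",
          seconds_until_zsk_roll(rr, kr, "mindorf-netz.de", 1416916800))
```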
# 2  
Old 12-19-2014
Hi all,

I've found that bind can do most things out of the box.

Regards,
xabbu