FreeBSD-12
BIND-9.11
After some effort I have changed the error. Now I see this:
07-Jun-2019 18:01:25.299 zone parschecks/IN/public (unsigned): loaded serial 2019070701 (DNSSEC signed)
07-Jun-2019 18:01:25.299 dns_master_load: file format mismatch (not raw)
07-Jun-2019 18:01:25.299 zone parschecks.ca/IN/public (signed): loading from master file /usr/local/etc/namedb/master/parschecks.ca.hosts.signed failed: not implemented
07-Jun-2019 18:01:25.299 zone parschecks/IN/public (signed): not loaded due to errors.
Original question:
I have this domain which reports that its key has expired when I reload named:
Jun 7 15:32:24 dns38 named[19583]: /usr/local/etc/namedb/master/parschecks.ca.hosts:53: signature has expired
Jun 7 15:32:25 dns38 named[19583]: zone parschecks.ca/IN/public (signed): receive_secure_serial: unchanged
However I have manually signed this domain:
2019-06-07 15:26:34: dnssec-keygen -f KSK -a ECDSAP256SHA256 -n ZONE parschecks.ca
2019-06-07 15:26:50: dnssec-keygen -a ECDSAP256SHA256 -n ZONE parschecks.ca
2019-06-07 15:27:05: dnssec-signzone -N increment -S -o parschecks.ca parschecks.ca.hosts Kparschecks.ca.+013+37572
And the hosts files seem to have been updated:
-rw-r--r-- 1 bind bind 609 Mar 12 12:59 Kparschecks.ca.+008+29077.key
-rw------- 1 bind bind 1776 Mar 12 12:59 Kparschecks.ca.+008+29077.private
-rw-r--r-- 1 bind bind 479 Mar 12 12:59 Kparschecks.ca.+008+32223.key
-rw------- 1 bind bind 1200 Mar 12 12:59 Kparschecks.ca.+008+32223.private
-rw-r--r-- 1 bind bind 479 Feb 19 21:17 Kparschecks.ca.+008+43116.key
-rw------- 1 bind bind 1200 Feb 19 21:17 Kparschecks.ca.+008+43116.private
-rw-r--r-- 1 bind bind 346 Jun 7 15:24 Kparschecks.ca.+013+35858.key
-rw------- 1 bind bind 187 Jun 7 15:24 Kparschecks.ca.+013+35858.private
-rw-r--r-- 1 bind bind 346 Jun 7 15:26 Kparschecks.ca.+013+37572.key
-rw------- 1 bind bind 187 Jun 7 15:26 Kparschecks.ca.+013+37572.private
-rw-r--r-- 1 bind bind 345 Jun 7 15:26 Kparschecks.ca.+013+50724.key
-rw------- 1 bind bind 187 Jun 7 15:26 Kparschecks.ca.+013+50724.private
-rw-r--r-- 1 bind bind 344 Jun 7 15:27 dsset-parschecks.ca.
-rw-r--r-- 1 bind bind 9515 Apr 18 12:03 parschecks.ca.hosts
-rw-r--r-- 1 bind bind 512 Mar 22 17:28 parschecks.ca.hosts.jbk
-rw-r--r-- 1 bind bind 2395 Apr 18 12:28 parschecks.ca.hosts.jnl
-rw-r--r-- 1 bind bind 15960 Jun 7 15:32 parschecks.ca.hosts.signed
-rw-r--r-- 1 bind bind 128161 Jun 7 15:43 parschecks.ca.hosts.signed.jnl
named.conf contains this:
zone "parschecks.ca" {
    type master;
    file "/usr/local/etc/namedb/master/parschecks.ca.hosts";
    key-directory "/usr/local/etc/namedb/master/";
    auto-dnssec maintain;
    inline-signing yes;
};
We are in the process of moving to inline signing but we have not managed to get it working as yet. If we remove the auto maintain clauses from the zone entry in named.conf, the zone file is still reported as being expired.
rndc -s 127.0.0.1 reload parschecks.ca
zone reload up-to-date
Nothing has been changed in the hosts file. But it will not load after re-signing. What step am I missing?
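A diagnostic for the `parschecks.ca.hosts:53: signature has expired` message quoted above, as an added example that is not part of the original post: it lists the RRSIG records in a master file whose expiration field is already in the past, with the line each record starts on. The sample zone, names and key tags are constructed; the parser assumes the 14-digit YYYYMMDDHHmmSS timestamp form and no `;` or parentheses inside quoted strings.

```python
import re
import sys
from datetime import datetime, timezone

# Constructed sample zone (not from the post): names, key tags and signatures are made up.
SAMPLE_ZONE = """\
$TTL 3600
@   IN SOA ns1.example.test. hostmaster.example.test. (
        2019041801 3600 900 604800 3600 )
@   IN NS  ns1.example.test.
www IN A   192.0.2.10
www 3600 IN RRSIG A 8 3 3600 (
        20190418160000 20190319160000 11111 example.test.
        c2FtcGxlLXNpZ25hdHVyZQ== )   ; stale signature left in the file
www 3600 IN RRSIG A 13 3 3600 20190707152705 20190607142705 22222 example.test. c2FtcGxl
"""

def logical_records(text):
    """Yield (first_line_no, tokens), joining ( ... ) continuation lines."""
    buf, start, depth = [], None, 0
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split(";", 1)[0]  # drop comments; assumes no ';' in quoted strings
        if not line.strip() and depth == 0:
            continue
        start = no if start is None else start
        depth += line.count("(") - line.count(")")
        buf.extend(line.replace("(", " ").replace(")", " ").split())
        if depth <= 0:
            yield start, buf
            buf, start, depth = [], None, 0

def expired_rrsigs(text, now):
    """Return [(line_no, type_covered, key_tag, expiration)] for RRSIGs expired at `now`."""
    hits = []
    for no, tok in logical_records(text):
        i = next((k for k, t in enumerate(tok) if t.upper() == "RRSIG"), None)
        # RDATA order: type alg labels orig-ttl expiration inception key-tag signer sig
        if i is None or len(tok) < i + 9 or not re.fullmatch(r"\d{14}", tok[i + 5]):
            continue
        exp = datetime.strptime(tok[i + 5], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        if exp < now:
            hits.append((no, tok[i + 1], int(tok[i + 7]), exp))
    return hits

if __name__ == "__main__":
    zone = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    for no, rtype, tag, exp in expired_rrsigs(zone, datetime.now(timezone.utc)):
        print(f"line {no}: RRSIG({rtype}) key tag {tag} expired {exp:%Y-%m-%d %H:%M:%S} UTC")
```

Pass the path of a text-format master file as the first argument to scan it instead of the built-in sample.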