Hello,
We are looking forward to hearing some feedback from you.
A couple of things I noticed:
1. `keymgr zone add example.com policy XX' does not complain if the XX policy doesn't exist, nor if the specified zone isn't configured in knot.conf.
2. I created a config as in the example on [1] with a single, tiny, zone and started the daemon afresh:
Feb 13 16:58:32 knot knot[24845]: info: Knot DNS 1.99.1 starting
Feb 13 16:58:32 knot knot[24845]: info: binding to interface '0.0.0.0@53'
Feb 13 16:58:32 knot knot[24845]: info: binding to interface '::@53'
Feb 13 16:58:32 knot knot[24845]: info: configured 2 interfaces and 1 zones
Feb 13 16:58:32 knot knot[24845]: info: changing UID to '1000'
Feb 13 16:58:32 knot knot[24845]: info: PID stored in '/usr/local/var/run/knot/knot.pid'
Feb 13 16:58:32 knot knot[24845]: info: changed directory to /
Feb 13 16:58:32 knot knot[24845]: info: loading zones
Feb 13 16:58:32 knot knot[24845]: info: [k20.aa] zone will be loaded, serial 0
Feb 13 16:58:32 knot knot[24845]: info: starting server
Feb 13 16:58:32 knot knot[24845]: info: [k20.aa] DNSSEC, executing event 'generate initial keys'
Feb 13 16:58:33 knot knot[24845]: error: [k20.aa] DNSSEC, failed to execute event (not enough memory)
Feb 13 16:58:33 knot knot[24845]: error: [k20.aa] DNSSEC, failed to process events (unknown error -12)
Feb 13 16:58:33 knot knot[24845]: error: [k20.aa] failed to store changes into journal (unknown error -12)
Feb 13 16:58:33 knot knot[24845]: error: [k20.aa] zone reload failed (unknown error -12)
Feb 13 16:58:33 knot knot[24845]: info: server started as a daemon, PID 24845
Feb 13 16:58:33 knot knot[24845]: info: binding remote control interface to '/usr/local/var/run/knot/knot.sock'
I really don't think 'not enough memory' can be the reason. :)
$ knotc memstats
2015-02-13T16:58:58 info: [k20.aa] 3 RRs, used memory estimation is 0 MB
2015-02-13T16:58:58 info: estimated memory consumption for all zones is 0 MB
$ free
                     total       used       free     shared    buffers     cached
Mem:               1048576      94948     953628          0          0      81396
-/+ buffers/cache:             13552    1035024
Swap:               524288       4880     519408
The KASP contains:
$ cat policy_jp.json
{
  "algorithm": 10,
  "dnskey_ttl": 1200,
  "ksk_size": 2048,
  "zsk_size": 1024,
  "zsk_lifetime": 2592000,
  "rrsig_lifetime": 1209600,
  "rrsig_refresh_before": 604800,
  "nsec3_enabled": false,
  "soa_minimal_ttl": 0,
  "zone_maximal_ttl": 0,
  "propagation_delay": 3600
}
$ cat zone_k20.aa.json
{
  "policy": "jp",
  "keys": []
}
$ ls -l keys # (after 5 or 6 start attempts)
-rw-r----- 1 knot root 916 Feb 13 16:53 3b049186c134727344dc80b120ddc2c00e62aec5.pem
-rw-r----- 1 knot root 916 Feb 13 16:55 5b0e47b34228aff884a424696055f9bdc772e14c.pem
-rw-r----- 1 knot root 912 Feb 13 16:54 5e94000ca936730f5996a7958a719d2f72bb2ad1.pem
-rw-r----- 1 knot root 1704 Feb 13 16:57 6419e0ccffcdd2e4b18c10a214c9638fd92ce111.pem
-rw-r----- 1 knot root 1704 Feb 13 16:54 751349b03c28d0159d812ef45a1435f7fae508d2.pem
-rw-r----- 1 knot root 1704 Feb 13 16:53 858ec94a2d67d2cc52ab9f119fab804cb7e9c789.pem
-rw-r----- 1 knot root 1708 Feb 13 16:56 98fcde8448d9088f41962138d0191d7ecb05b4fd.pem
-rw-r----- 1 knot root 916 Feb 13 16:57 cf4ce3c2dc2b19e85d01c4a6505b70107a4d457a.pem
-rw-r----- 1 knot root 1704 Feb 13 16:55 deb79a52e0ce28e647593e5b738d35fa4b8f5f5f.pem
-rw-r----- 1 knot root 916 Feb 13 16:56 f266eb8fda589e5ffbf222b7c6e906db6187a358.pem
-rw-r----- 1 knot root 1704 Feb 13 16:58 f7ad92de2535110119681aa2c163bf0a105141bb.pem
-rw-r----- 1 knot root 916 Feb 13 16:58 f96530696293f79b5365d77fc8869da225eb31f1.pem
^^^ the content of each of the .pem files *is* a private key
$ cat knot.conf
zones {
  storage "/usr/local/var/lib/knot";
  dnssec-keydir "/etc/kasp";
  k20.aa {
    file "/usr/local/etc/knot/k20/k20.aa.zone";
    dnssec-enable on;
  }
}
Any query to this zone results in a SERVFAIL. If I remove `dnssec-enable', the server responds correctly.
This is running on Debian 7, 2.6.32-16-pve #1 SMP Fri Nov 9 11:42:51 CET 2012 x86_64 GNU/Linux, built with GnuTLS gnutls-3.3.9 and nettle 2.7.
Regards,
-JP
[1] https://gitlab.labs.nic.cz/labs/knot/wikis/kasp-setup
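A consistency check over a KASP directory of the shape shown in this report, covering both the unvalidated policy reference from item 1 and the key files left behind by the repeated failed starts. This is an added example, not part of the original post or of Knot DNS; it works on a constructed in-memory copy of the files above, and the simplified knot.conf reader and the key entry "id" field are assumptions.

```python
import json
import re

# Constructed inputs modelled on the report: the KASP directory as a
# name -> content map, and the knot.conf text. Not real files on disk.
KNOT_CONF = """zones {
  storage "/usr/local/var/lib/knot";
  dnssec-keydir "/etc/kasp";
  k20.aa {
    file "/usr/local/etc/knot/k20/k20.aa.zone";
    dnssec-enable on;
  }
}"""
KASP_FILES = {
    "policy_jp.json": '{"algorithm": 10, "ksk_size": 2048, "zsk_size": 1024}',
    "zone_k20.aa.json": '{"policy": "jp", "keys": []}',
    # zone added with a policy that does not exist (item 1 in the report)
    "zone_example.com.json": '{"policy": "XX", "keys": []}',
    # private keys left behind by failed starts, referenced by no zone
    "3b049186c134727344dc80b120ddc2c00e62aec5.pem": "-----BEGIN PRIVATE KEY-----",
    "f96530696293f79b5365d77fc8869da225eb31f1.pem": "-----BEGIN PRIVATE KEY-----",
}

# Simplified knot.conf reader (assumption): a zone is any "name {" after the
# zones keyword whose name contains a dot. Sufficient for the config above.
def configured_zones(conf):
    block = conf[conf.index("zones"):]
    pat = r"^\s*([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\s*\{"
    return set(re.findall(pat, block, re.M))

def check_kasp(files, conf):
    """Return a sorted list of findings about the KASP directory."""
    findings = []
    zones = configured_zones(conf)
    policies = {n[len("policy_"):-len(".json")] for n in files
                if n.startswith("policy_") and n.endswith(".json")}
    referenced = set()
    for name, text in files.items():
        if not (name.startswith("zone_") and name.endswith(".json")):
            continue
        zone = name[len("zone_"):-len(".json")]
        data = json.loads(text)
        if data.get("policy") not in policies:
            findings.append(f"{zone}: references missing policy {data.get('policy')!r}")
        if zone not in zones:
            findings.append(f"{zone}: not configured in knot.conf")
        # Assumption: a key entry carries an "id" equal to its .pem basename.
        referenced.update(k.get("id") for k in data.get("keys", []) if isinstance(k, dict))
    for name in files:
        if name.endswith(".pem") and name[:-4] not in referenced:
            findings.append(f"{name}: private key file referenced by no zone")
    return sorted(findings)
```

Run before starting knotd: an empty result means every zone file points at an existing policy and a configured zone, and no stray private key material sits in the directory.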