Re: [knot-dns-users] Missing private keys in backup

Hi Libor, I deleted the backup directory a few times, but I receive the same error every time: 2020-12-09T10:31:52+0000 info: control, received command 'zone-backup' 2020-12-09T10:31:52+0000 warning: [xxx.] zone backup failed (not exists) 2020-12-09T10:31:52+0000 error: [xxx.] zone event 'backup/restore' failed (not exists) 2020-12-09T10:31:52+0000 warning: [yyy.] zone backup failed (not exists) 2020-12-09T10:31:52+0000 error: [yyy.] zone event 'backup/restore' failed (not exists) One of the keys is the ZSK of zone xxx and the oterh the KSKS of zone yyy. root@signer-0:/# keymgr xxx list human | grep 1fb3900b2e5ac72d30f927016ea4546ca561a5da 1fb3900b2e5ac72d30f927016ea4546ca561a5da ksk=no zsk=yes tag=39969 algorithm=7 size=1024 public-only=no pre-active=0 publish=-1M3D17h49m4s ready=0 active=-1M3D17h49m4s retire-active=0 retire=0 post-active=0 revoke=0 remove=0 root@signer-0:/# keymgr yyy list human | grep 087cc573318e070befff1d9cbcf07e3b5cf5444d 087cc573318e070befff1d9cbcf07e3b5cf5444d ksk=yes zsk=no tag=37419 algorithm=7 size=2048 public-only=no pre-active=0 publish=-1M3D18h11m7s ready=-1M3D18h11m7s active=-26D12h49m4s retire-active=0 retire=0 post-active=0 revoke=0 remove=0 Best regards, Thomas On 09.12.20 11:15, libor.peltan wrote: > Hi Thomas, > > could you please try if this issue is reproducible: if whenever you > attempt the backup (to a fresh empty target directory), it fails with > "not exists"? > > Could you please check if the keys that happen to make it to the backup > belong to the same zone, or that it's one from each zone? (You light use > `keymgr list` to check which key ID belongs to which zone.) > > Thanks, > > Libor > > Dne 08. 12. 20 v 21:36 Thomas napsal(a): >> Hi Libor, >> >> sorry, I was really too unspecific. >> >> I'm hosting 2 zones. These 4 keys are on the production machine: >> >> root@signer-0:/var/lib/knot/keys/keys# ls -alh >> >> >> -rw-r----- 1 knot knot 1,7K Nov  5 16:22 >> 087cc573318e070befff1d9cbcf07e3b5cf5444d.pem >> -rw-r----- 1 knot knot  916 Nov  5 16:44 >> 1fb3900b2e5ac72d30f927016ea4546ca561a5da.pem >> -rw-r----- 1 knot knot  916 Nov  5 16:22 >> 6ebb8eb3ec2ddaf150119b4bc11b47dcec91621a.pem >> -rw-r----- 1 knot knot 1,7K Nov  5 16:44 >> d7e47e2909f4d5947d8fb8684cb79ed06feb4b0a.pem >> >> >> Performing a backup with the following command: >> >> # knotc zone-backup +backupdir /tmp/backup >> >> Backup directory after performing the backup shows: >> >> root@signer-0:/tmp/backup/keys/keys# ls -ahl >> >> -rw-r----- 1 knot knot 1,7K Dez  8 20:21 >> 087cc573318e070befff1d9cbcf07e3b5cf5444d.pem >> -rw-r----- 1 knot knot  916 Dez  8 20:21 >> 1fb3900b2e5ac72d30f927016ea4546ca561a5da.pem >> >> 2 keys are missing. >> >> Hhmm ok, there is an error in the log: >> >> 2020-12-08T20:26:43+0000 info: control, received command 'zone-backup' >> 2020-12-08T20:26:43+0000 warning: [xxx.] zone backup failed (not exists) >> 2020-12-08T20:26:43+0000 error: [xxx.] zone event 'backup/restore' >> failed (not exists) >> 2020-12-08T20:26:43+0000 warning: [yyy.] zone backup failed (not exists) >> 2020-12-08T20:26:43+0000 error: [yyy.] zone event 'backup/restore' >> failed (not exists) >> >> I'm using the latest knot version. >> >> >> Best regards, >> >> Thomas >> >> >> >> Am 08.12.20 um 16:56 schrieb libor.peltan: >>> Hi Thomas, >>> >>> could you be more specific about "half of private keys were in the >>> backup" ? How many were, how many weren't, and was there some obvious >>> difference between them? >>> >>> Could you share the log snippets covering the backup and the restore >>> procedures? >>> >>> Thanks, >>> >>> Libor >>> >>> Dne 08. 12. 20 v 16:48 Thomas E. napsal(a): >>>> Hi (again), >>>> >>>> I was trying to backup and restore a server with the new knotc >>>> zone-backup/restore command. >>>> >>>> I recognized that only half of the private keys were in the backup, >>>> which leads to an error: >>>> >>>> 2020-12-08T14:44:00+0100 error: [xxx.] DNSSEC, failed to load private >>>> keys (not exists) >>>> 2020-12-08T14:44:00+0100 error: [xxx.] DNSSEC, failed to load keys (not >>>> exists) >>>> >>>> Shouldn't the backup contain all private keys? >>>> >>>> >>>> Thanks, >>>> Thomas