[knot-dns-users] Knot 2.5.2 fails to load DNSSEC keys

Antti Ristimäki antti at nxdomain.fi
Tue Jun 27 06:25:53 CEST 2017


Hi,

My Knot DNS was upgraded from 2.5.1 to 2.5.2 and now it is unable to
load zone DNSSEC keys. Below are some relevant logs:

Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] zone will be
loaded
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] DNSSEC,
loaded key, tag 14223, algorithm 8, KSK no, ZSK yes, public no, ready
no, active yes
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] DNSSEC,
loaded key, tag 61894, algorithm 8, KSK yes, ZSK no, public no, ready
no, active yes
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] DNSSEC, keys
validation failed (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] DNSSEC,
failed to load keys (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: 2017-06-27T07:10:03 error:
[nxdomain.fi.] DNSSEC, failed to load keys (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] zone event
'load' failed (no keys for signing)

When running "keymgr nxdomain.fi list", the keys are listed, though. I
have also checked that /var/lib/knot and everything under it is
owned by knot:knot, so this shouldn't be a file permission issue. I also
tried to manually set the key timing argument, but it didn't make any
difference.

Antti
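
Added example, not part of the original post and not Knot DNS code: a small triage script that parses knotd syslog lines in the format quoted above, collects each zone's loaded keys with their flags, and reports zones whose load still failed with "no keys for signing". The function names are hypothetical; the sample input is the log from the post, unwrapped to one record per line.

```python
import re
from collections import defaultdict

# Log lines from the post above, unwrapped (one syslog record per line).
SAMPLE_LOG = """\
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] zone will be loaded
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] DNSSEC, loaded key, tag 14223, algorithm 8, KSK no, ZSK yes, public no, ready no, active yes
Jun 27 07:10:03 vertigo knotd[18479]: info: [nxdomain.fi.] DNSSEC, loaded key, tag 61894, algorithm 8, KSK yes, ZSK no, public no, ready no, active yes
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] DNSSEC, keys validation failed (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] DNSSEC, failed to load keys (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: 2017-06-27T07:10:03 error: [nxdomain.fi.] DNSSEC, failed to load keys (no keys for signing)
Jun 27 07:10:03 vertigo knotd[18479]: error: [nxdomain.fi.] zone event 'load' failed (no keys for signing)
"""

# "knotd[pid]: [optional timestamp] level: [zone] message"
RECORD = re.compile(r"knotd\[\d+\]: (?:\S+ )?(info|warning|error): \[([^\]]+)\] (.*)$")
KEY = re.compile(r"DNSSEC, loaded key, tag (\d+), algorithm (\d+), (.*)$")

def triage(log_text):
    """Group loaded keys (with boolean flags) and distinct errors by zone."""
    zones = defaultdict(lambda: {"keys": [], "errors": []})
    for line in log_text.splitlines():
        rec = RECORD.search(line)
        if not rec:
            continue
        level, zone, msg = rec.groups()
        key = KEY.match(msg)
        if key:
            # "KSK no, ZSK yes, ..." -> {"KSK": False, "ZSK": True, ...}
            flags = {name: value == "yes" for name, value in
                     (item.rsplit(" ", 1) for item in key.group(3).split(", "))}
            zones[zone]["keys"].append(
                {"tag": int(key.group(1)), "algorithm": int(key.group(2)), **flags})
        elif level == "error" and msg not in zones[zone]["errors"]:
            zones[zone]["errors"].append(msg)  # duplicates logged twice are kept once
    return dict(zones)

def signing_failures(zones):
    """Zones where keys were loaded but the daemon still found none to sign with."""
    return {zone: data["keys"] for zone, data in zones.items()
            if data["keys"] and any("no keys for signing" in e for e in data["errors"])}

if __name__ == "__main__":
    for zone, keys in signing_failures(triage(SAMPLE_LOG)).items():
        print(zone, "load failed; keys seen:")
        for k in keys:
            print("  ", k)
```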