DNSSEC question

Matthew Seaman matthew at FreeBSD.org
Sat Jun 8 12:00:20 UTC 2019


On 08/06/2019 01:25, James B. Byrne via freebsd-questions wrote:
> We are running a DNS master using the BIND-9.11 pkg for FreeBSD-12.0p5.
> 
> We have run into a problem with a couple of our domains that use
> DNSSEC.  Specifically we have started to see this error when loading
> those zones:
> 
> 07-Jun-2019 19:58:56.342 zone harte-lyne.ca/IN/public (unsigned):
> loaded serial 2019070706
> 07-Jun-2019 19:58:56.342 dns_master_load: file format mismatch (not raw)
> 07-Jun-2019 19:58:56.342 zone harte-lyne.ca/IN/public (signed):
> loading from master file
> /usr/local/etc/namedb/master/harte-lyne.ca.hosts.signed failed: not
> implemented
> 07-Jun-2019 19:58:56.342 zone harte-lyne.ca/IN/public (signed): not
> loaded due to errors.
> 
> I have searched for a solution to this for hours and the only solution
> that I found for this specific error is to add the clause:
> 
>         masterfile-format text;
> 
> to the zone declaration block in named.conf.  However, this changes
> nothing.  The error persists.
> 
> What is it about the hosts.signed file that BIND is complaining about?
> 
> I need to get this fixed but I am out of ideas as to what is really
> wrong.
> 

Hmmm... the 'file format mismatch' error message may be a bit of a red
herring.  Bind is working fine for me with DNSSEC enabled, text format
files and nothing in the config declaring what the zone file format is.

The one thing that leaps out at me from your log extract is that you
seem to be loading both an unsigned copy of the harte-lyne.ca zone:

> 07-Jun-2019 19:58:56.342 zone harte-lyne.ca/IN/public (unsigned):
> loaded serial 2019070706

and then a signed copy:

> 07-Jun-2019 19:58:56.342 zone harte-lyne.ca/IN/public (signed):
> loading from master file

Does named-checkzone(8) (or named-compilezone(8)) give you any clues?

Also, be careful of any journal files named creates -- if you have any
of the automatic zone maintenance functionality of bind enabled or you
are using dynamic updating at all, then you should 'rndc freeze
zonename' the zone before replacing the zone file, and then 'rndc thaw
zonename' afterwards.

	Cheers,

	Matthew
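The two checks Matthew suggests (confirm what format the .signed file is actually in, and never swap a zone file under a zone that named may be journalling) can be scripted. The following is an added example, not code from the thread or from BIND itself. It assumes BIND's raw master-file format begins with a 4-byte big-endian format number of 2 (dns_masterformat_raw in BIND's source; verify against your own BIND version), and the function and variable names are the example's own. The `named-checkzone` and `rndc` calls are only run when you invoke `replace_zone_file` yourself; the self-test at the bottom works without BIND installed.

```shell
#!/bin/sh
# Added example: inspect a BIND zone file's on-disk format and replace a
# zone file safely with rndc freeze/thaw.  Not part of the mailing-list
# thread or of BIND; the raw-format magic value is an assumption taken
# from BIND's source (dns_masterformat_raw == 2).
set -eu

# Print "raw" if the file carries BIND's raw-format header, else "text".
# The raw header starts with a 4-byte big-endian format number.
zone_file_format() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        00000002) echo raw ;;
        *)        echo text ;;
    esac
}

# Load-check a text zone file the way named would, without touching the
# running server.  Requires named-checkzone from the BIND package.
check_zone() {  # check_zone ZONE FILE
    named-checkzone "$1" "$2" >/dev/null
}

# Replace LIVEFILE with NEWFILE for ZONE.  The zone is frozen first so
# that any pending journal (automatic maintenance, dynamic updates) is
# flushed and the file is not overwritten underneath named, and it is
# thawed again even if the copy fails so the zone is never left frozen.
replace_zone_file() {  # replace_zone_file ZONE NEWFILE LIVEFILE
    zone=$1; new=$2; live=$3
    if ! check_zone "$zone" "$new"; then
        echo "refusing to install $new: named-checkzone reports errors" >&2
        return 1
    fi
    rndc freeze "$zone"
    rc=0
    cp "$new" "$live" || rc=$?
    rndc thaw "$zone"
    return "$rc"
}

# Self-test with constructed files: a tiny text zone and a fake raw header.
demo() {
    tmp=$(mktemp)
    printf '$ORIGIN example.\n@ IN SOA ns hostmaster 1 1 1 1 1\n' > "$tmp"
    printf '%s: %s\n' "$tmp" "$(zone_file_format "$tmp")"   # text
    printf '\000\000\000\002\000\000\000\001' > "$tmp"     # format=2, version=1
    printf '%s: %s\n' "$tmp" "$(zone_file_format "$tmp")"   # raw
    rm -f "$tmp"
}
demo
```

Usage on a live server would be `replace_zone_file harte-lyne.ca /path/to/new.signed /usr/local/etc/namedb/master/harte-lyne.ca.hosts.signed`; run `zone_file_format` on the .signed file first, since a raw-format file will not load where named expects text and vice versa.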
