DNSSEC, but no RRSIGs
I have recently added two new zones (dns.rocks and dns.bike), generated new keys, and issued knot reload
with dnssec-enabled on;
The logfile doesn't show anything helpful:
Aug 11 09:35:54 pagan knot[16184]: Zone 'dns.rocks.' will be loaded (serial 0)
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+15472.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+15472.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+15472.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: DNSSEC: Zone dns.rocks. - Signing started...
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+15472.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+11719.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+11719.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+11719.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+11719.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [error] DNSSEC: Zone dns.rocks. - No keys for signing.
Aug 11 09:35:54 pagan knot[16184]: [error] Zone 'dns.rocks.' failed to store changes in the journal - No keys for signing.
Aug 11 09:35:54 pagan knot[16184]: [error] Zone 'dns.rocks.' event 'reload' failed - No keys for signing.
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+15472.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+11719.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+15472.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+11719.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+15472.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+11719.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+15472.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+15472.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+11719.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+11719.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+15472.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+15472.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+11719.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+11719.private: Cannot open private key file.
Fixed the permissions on /etc/knot/keys/Kdns.* to knot:knot
Aug 11 09:36:05 pagan knot[16184]: Remote command: 'signzone dns.rocks.'
Aug 11 09:36:05 pagan knot[16184]: DNSSEC: Zone dns.rocks. - Complete resign started (dropping all previous signatures)...
Aug 11 09:36:05 pagan knot[16184]: [error] Zone 'dns.rocks.' event 'DNSSEC resign' failed - Invalid parameter.
Aug 11 09:37:06 pagan knot[16184]: Zone 'dns.rocks.' will be reloaded (serial 0)
Aug 11 09:37:06 pagan knot[16184]: DNSSEC: Zone dns.rocks. - Signing started...
Aug 11 09:37:06 pagan knot[16184]: DNSSEC: Zone dns.rocks. - - Loaded key 15472, file Kdns.rocks.+008+15472.private, KSK, active, public
Aug 11 09:37:06 pagan knot[16184]: DNSSEC: Zone dns.rocks. - - Loaded key 11719, file Kdns.rocks.+008+11719.private, KSK, active, public
Aug 11 09:37:06 pagan knot[16184]: DNSSEC: Zone dns.rocks. - Successfully signed.
Aug 11 09:37:06 pagan knot[16184]: DNSSEC: Zone dns.rocks. - Next event on 2014-09-07T09:37:06.
Aug 11 09:37:06 pagan knot[16184]: Zone 'dns.rocks.' loaded (0 -> 1407742626).
Aug 11 09:37:10 pagan knot[16184]: Remote command: 'signzone dns.rocks.'
Aug 11 09:37:10 pagan knot[16184]: DNSSEC: Zone dns.rocks. - Complete resign started (dropping all previous signatures)...
Aug 11 09:37:10 pagan knot[16184]: DNSSEC: Zone dns.rocks. - Signing started...
Aug 11 09:37:10 pagan knot[16184]: DNSSEC: Zone dns.rocks. - - Loaded key 15472, file Kdns.rocks.+008+15472.private, KSK, active, public
Aug 11 09:37:10 pagan knot[16184]: DNSSEC: Zone dns.rocks. - - Loaded key 11719, file Kdns.rocks.+008+11719.private, KSK, active, public
Aug 11 09:37:10 pagan knot[16184]: DNSSEC: Zone dns.rocks. - No signing performed, zone is valid.
Aug 11 09:37:10 pagan knot[16184]: DNSSEC: Zone dns.rocks. - Next event on 2014-09-07T09:37:10.
Aug 11 09:37:10 pagan knot[16184]: [error] NOTIFY of 'dns.rocks.' from '81.91.84.116@53': Server responded with NOTAUTH.
Aug 11 09:37:10 pagan knot[16184]: [warning] NOTIFY of 'dns.rocks.' with '81.91.84.116@53': Failed.
Aug 11 09:37:10 pagan knot[16184]: [error] NOTIFY of 'dns.rocks.' from '2001:1568:b::145@53': Server responded with NOTAUTH.
Aug 11 09:37:10 pagan knot[16184]: [warning] NOTIFY of 'dns.rocks.' with '2001:1568:b::145@53': Failed.
Aug 11 09:37:10 pagan knot[16184]: [error] NOTIFY of 'dns.rocks.' from '2001:1568:b:145::1@53': Server responded with NOTAUTH.
Aug 11 09:37:10 pagan knot[16184]: [warning] NOTIFY of 'dns.rocks.' with '2001:1568:b:145::1@53': Failed.
Aug 11 09:45:02 pagan knot[16184]: Outgoing AXFR of 'dns.rocks.' with '81.91.84.116@58554': Started (serial 1407742626).
Aug 11 09:45:02 pagan knot[16184]: Outgoing AXFR of 'dns.rocks.' with '81.91.84.116@58554': Finished in 0.00s (1 messages, ~1.5 KiB).
Aug 11 09:45:29 pagan knot[16184]: Zone 'dns.rocks.' is up-to-date (serial 1407742626)
Aug 11 09:45:29 pagan knot[16184]: DNSSEC: Zone dns.rocks. - Signing zone...
Aug 11 09:45:29 pagan knot[16184]: DNSSEC: Zone dns.rocks. - Signing started...
Aug 11 09:45:29 pagan knot[16184]: DNSSEC: Zone dns.rocks. - - Loaded key 15472, file Kdns.rocks.+008+15472.private, KSK, active, public
Aug 11 09:45:29 pagan knot[16184]: DNSSEC: Zone dns.rocks. - - Loaded key 11719, file Kdns.rocks.+008+11719.private, KSK, active, public
Aug 11 09:45:29 pagan knot[16184]: DNSSEC: Zone dns.rocks. - No signing performed, zone is valid.
Aug 11 09:45:29 pagan knot[16184]: DNSSEC: Zone dns.rocks. - Next event on 2014-09-07T09:45:29.
Aug 11 09:45:55 pagan knot[16184]: Outgoing AXFR of 'dns.rocks.' with '81.91.84.116@36025': Started (serial 1407742626).
Aug 11 09:45:55 pagan knot[16184]: Outgoing AXFR of 'dns.rocks.' with '81.91.84.116@36025': Finished in 0.00s (1 messages, ~1.5 KiB).
Aug 11 09:46:24 pagan knot[16184]: Zone 'dns.rocks.' will be reloaded (serial 1407742626)
Aug 11 09:46:24 pagan knot[16184]: DNSSEC: Zone dns.rocks. - Signing started...
Aug 11 09:46:24 pagan knot[16184]: DNSSEC: Zone dns.rocks. - - Loaded key 15472, file Kdns.rocks.+008+15472.private, KSK, active, public
Aug 11 09:46:24 pagan knot[16184]: DNSSEC: Zone dns.rocks. - - Loaded key 11719, file Kdns.rocks.+008+11719.private, KSK, active, public
Aug 11 09:46:24 pagan knot[16184]: DNSSEC: Zone dns.rocks. - Successfully signed.
Aug 11 09:46:24 pagan knot[16184]: DNSSEC: Zone dns.rocks. - Next event on 2014-09-07T09:46:24.
Aug 11 09:46:24 pagan knot[16184]: Zone 'dns.rocks.' loaded (1407742626 -> 1407743184).
Aug 11 09:46:30 pagan knot[16184]: Remote command: 'signzone dns.bike.'
Aug 11 09:46:33 pagan knot[16184]: Outgoing AXFR of 'dns.rocks.' with '81.91.84.116@44529': Started (serial 1407743184).
Aug 11 09:46:33 pagan knot[16184]: Outgoing AXFR of 'dns.rocks.' with '81.91.84.116@44529': Finished in 0.00s (1 messages, ~1.5 KiB).
Aug 11 09:47:27 pagan knot[16184]: Outgoing AXFR of 'dns.rocks.' with '81.91.84.116@60582': Started (serial 1407743184).
Aug 11 09:47:27 pagan knot[16184]: Outgoing AXFR of 'dns.rocks.' with '81.91.84.116@60582': Finished in 0.00s (1 messages, ~1.5 KiB).
Aug 11 09:47:53 pagan knot[16184]: Remote command: 'signzone dns.bike.'
Aug 11 09:48:53 pagan knot[16184]: Zone 'dns.rocks.' is up-to-date (serial 1407743184)
Aug 11 09:48:54 pagan knot[16184]: DNSSEC: Zone dns.rocks. - Signing zone...
Aug 11 09:48:54 pagan knot[16184]: DNSSEC: Zone dns.rocks. - Signing started...
Aug 11 09:48:54 pagan knot[16184]: DNSSEC: Zone dns.rocks. - - Loaded key 15472, file Kdns.rocks.+008+15472.private, KSK, active, public
Aug 11 09:48:54 pagan knot[16184]: DNSSEC: Zone dns.rocks. - - Loaded key 11719, file Kdns.rocks.+008+11719.private, KSK, active, public
Aug 11 09:48:54 pagan knot[16184]: DNSSEC: Zone dns.rocks. - No signing performed, zone is valid.
Aug 11 09:48:54 pagan knot[16184]: DNSSEC: Zone dns.rocks. - Next event on 2014-09-07T09:48:54.
Full configuration, zones and keys sent in private email.
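
One way to triage a log like the one quoted above (an added example, not part of the original post and not Knot DNS code): it records which keys failed to load and which key roles were loaded per zone. Flagging a zone with no ZSK assumes the conventional split in which a KSK signs only the DNSKEY RRset; the function name `triage` and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the format of the log quoted above.
SAMPLE_LOG = """\
Aug 11 09:35:54 pagan knot[16184]: [warning] DNSSEC: Failed to load key Kdns.rocks.+008+15472.private: Cannot open private key file.
Aug 11 09:35:54 pagan knot[16184]: [error] DNSSEC: Zone dns.rocks. - No keys for signing.
Aug 11 09:37:06 pagan knot[16184]: DNSSEC: Zone dns.rocks. - - Loaded key 15472, file Kdns.rocks.+008+15472.private, KSK, active, public
Aug 11 09:37:06 pagan knot[16184]: DNSSEC: Zone dns.rocks. - - Loaded key 11719, file Kdns.rocks.+008+11719.private, KSK, active, public
Aug 11 09:37:06 pagan knot[16184]: DNSSEC: Zone dns.rocks. - Successfully signed.
"""

# Key file names follow the K<zone>+<alg>+<tag>.private pattern seen in the log.
FAILED = re.compile(
    r"Failed to load key K(?P<zone>.+?)\+(?P<alg>\d{3})\+(?P<tag>\d+)\.private: (?P<why>.+)$")
LOADED = re.compile(
    r"Zone (?P<zone>\S+) - - Loaded key (?P<tag>\d+), file \S+, (?P<role>KSK|ZSK),")


def triage(log_text):
    """Return {zone: [finding, ...]} for key-load failures and missing key roles."""
    zones = defaultdict(lambda: {"failed": {}, "loaded": {}})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            zones[m["zone"]]["failed"][int(m["tag"])] = m["why"]
            continue
        m = LOADED.search(line)
        if m:
            state = zones[m["zone"]]
            state["loaded"][int(m["tag"])] = m["role"]
            # A later successful load supersedes an earlier failure for that key.
            state["failed"].pop(int(m["tag"]), None)

    findings = {}
    for zone, state in zones.items():
        notes = [f"key {tag} not loaded: {why}"
                 for tag, why in sorted(state["failed"].items())]
        # Assumption: without a ZSK only the DNSKEY RRset would carry RRSIGs.
        if state["loaded"] and "ZSK" not in set(state["loaded"].values()):
            notes.append("only KSKs loaded, no ZSK")
        findings[zone] = notes
    return findings


if __name__ == "__main__":
    for zone, notes in triage(SAMPLE_LOG).items():
        print(zone, notes or "ok")
```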