Can't get DNSSEC to work under Knot 2.3.0 / LEDE 17.01.0
Hello. I can't seem to make the automatic DNSSEC signing work and I don't know what else to do. Knot otherwise works fine without the

    dnssec-signing: on
    dnssec-policy: default
Here is my config:

    #
    # This is a sample of a minimal configuration file for Knot DNS.
    # For more details, see man 5 knot.conf or refer to the server documentation.
    #

    server:
        # Listen on all configured IPv4 interfaces.
    #    listen: 0.0.0.0@53
        # Listen on all configured IPv6 interfaces.
        listen: 2a01:8c00:ffe6:1::53@53
        # User for running the server.
        user: knot:knot

    log:
        # Log info and more serious events to syslog.
        - target: syslog
          any: info

    remote:
    #    - id: slave
    #      address: 203.0.113.1@53
    #
    #    - id: master
    #      address: 198.51.100.1@53

    acl:
    #    - id: acl_slave
    #      address: 203.0.113.1
    #      action: transfer

    #    - id: acl_master
    #      address: 198.51.100.1
    #      action: notify

    template:
        - id: default
          storage: "/etc/knot/zones"
          dnssec-signing: on
          dnssec-policy: default

    zone:
        - domain: 6.e.f.f.0.0.c.8.1.0.a.2.ip6.arpa
        - domain: prg.renekliment.cz

    #    # Master zone.
    #    - domain: example.com
    #      file: "example.com.zone"
    #      notify: slave
    #      acl: acl_slave

    #    # Slave zone.
    #    - domain: example.net
    #      master: master
    #      acl: acl_master
System log:
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: Knot DNS 2.3.0 starting
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: binding to interface '2a01:8c00:ffe6:1::53@53'
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: changing GID to '5353'
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: changing UID to '5353'
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: loading 2 zones
Thu Feb 23 08:50:32 2017 daemon.warn knot[4233]: warning: cannot open persistent timers DB '/etc/knot/zones/timers' (invalid parameter)
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: [6.e.f.f.0.0.c.8.1.0.a.2.ip6.arpa] zone will be loaded
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: [prg.renekliment.cz] zone will be loaded
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: starting server
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: [prg.renekliment.cz] zone loader, semantic check, completed
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: [6.e.f.f.0.0.c.8.1.0.a.2.ip6.arpa] zone loader, semantic check, completed
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: [prg.renekliment.cz] DNSSEC, loaded key, tag 37091, algorithm 13, KSK yes, ZSK no, public yes, active yes
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: [prg.renekliment.cz] DNSSEC, loaded key, tag 13816, algorithm 13, KSK no, ZSK yes, public yes, active yes
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: [6.e.f.f.0.0.c.8.1.0.a.2.ip6.arpa] DNSSEC, loaded key, tag 53984, algorithm 13, KSK yes, ZSK no, public yes, active yes
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: [6.e.f.f.0.0.c.8.1.0.a.2.ip6.arpa] DNSSEC, loaded key, tag 3664, algorithm 13, KSK no, ZSK yes, public yes, active yes
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: [prg.renekliment.cz] DNSSEC, signing started
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: [6.e.f.f.0.0.c.8.1.0.a.2.ip6.arpa] DNSSEC, signing started
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: [6.e.f.f.0.0.c.8.1.0.a.2.ip6.arpa] DNSSEC, successfully signed
Thu Feb 23 08:50:32 2017 daemon.err knot[4233]: error: [6.e.f.f.0.0.c.8.1.0.a.2.ip6.arpa] failed to store changes into journal (failed)
Thu Feb 23 08:50:32 2017 daemon.err knot[4233]: error: [6.e.f.f.0.0.c.8.1.0.a.2.ip6.arpa] zone event 'load' failed (failed)
Thu Feb 23 08:50:33 2017 daemon.info knot[4233]: info: [prg.renekliment.cz] DNSSEC, successfully signed
Thu Feb 23 08:50:33 2017 daemon.err knot[4233]: error: [prg.renekliment.cz] failed to store changes into journal (failed)
Thu Feb 23 08:50:33 2017 daemon.err knot[4233]: error: [prg.renekliment.cz] zone event 'load' failed (failed)
Thu Feb 23 08:50:33 2017 daemon.info knot[4233]: info: server started in the foreground, PID 4233
Thu Feb 23 08:50:33 2017 daemon.info knot[4233]: info: control, binding to '/var/run/knot/knot.sock'
Some output to see file permissions, etc.:
root@prg:/etc/knot# ls -la . zones/
.:
drwxr-xr-x 3 knot knot 0 Feb 23 08:50 .
drwxr-xr-x 1 root root 0 Feb 22 14:25 ..
-rw-r----- 1 knot knot 1092 Feb 23 08:50 knot.conf
drwxr-xr-x 4 knot knot 0 Feb 22 15:56 zones
zones/:
drwxr-xr-x 4 knot knot 0 Feb 22 15:56 .
drwxr-xr-x 3 knot knot 0 Feb 23 08:50 ..
-rw-r----- 1 knot knot 26792 Feb 23 08:50 6.e.f.f.0.0.c.8.1.0.a.2.ip6.arpa.db
-rw-r--r-- 1 knot knot 530 Feb 22 15:09 6.e.f.f.0.0.c.8.1.0.a.2.ip6.arpa.zone
drwxr-x--- 3 knot knot 0 Feb 22 15:52 keys
-rw-r----- 1 knot knot 28826 Feb 23 08:50 prg.renekliment.cz.db
-rw-r--r-- 1 knot knot 926 Feb 22 15:09 prg.renekliment.cz.zone
drwxrwx--- 2 knot knot 0 Feb 22 15:52 timers
root@prg:/etc/knot# ps | grep knot
4233 knot 75516 S /usr/sbin/knotd -c /etc/knot/knot.conf
4264 root 1184 S grep knot
Any help on this would be appreciated. Thank you.
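An added example, not part of the post and not Knot's own tooling: a small Python script that parses syslog lines of the shape shown above and summarises, per zone, whether the DNSSEC key pair was loaded, whether signing completed, and whether the result was actually persisted (the "failed to store changes into journal" and "zone event 'load' failed" errors). The sample log embedded in the script is constructed from the post's lines plus a made-up healthy zone (example.org) so the two outcomes can be compared; the regex field names and the `diagnose` wording are this example's own assumptions, not Knot's.

```python
"""Summarise Knot DNS syslog output per zone to tell apart a zone that was
signed and stored from one that was signed in memory but never persisted."""
import re
from collections import defaultdict

# Constructed sample: the prg.renekliment.cz lines mirror the post; example.org is
# an invented zone whose signing run completes without journal errors.
SAMPLE_LOG = """\
Thu Feb 23 08:50:32 2017 daemon.warn knot[4233]: warning: cannot open persistent timers DB '/etc/knot/zones/timers' (invalid parameter)
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: [prg.renekliment.cz] DNSSEC, loaded key, tag 37091, algorithm 13, KSK yes, ZSK no, public yes, active yes
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: [prg.renekliment.cz] DNSSEC, loaded key, tag 13816, algorithm 13, KSK no, ZSK yes, public yes, active yes
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: [prg.renekliment.cz] DNSSEC, signing started
Thu Feb 23 08:50:33 2017 daemon.info knot[4233]: info: [prg.renekliment.cz] DNSSEC, successfully signed
Thu Feb 23 08:50:33 2017 daemon.err knot[4233]: error: [prg.renekliment.cz] failed to store changes into journal (failed)
Thu Feb 23 08:50:33 2017 daemon.err knot[4233]: error: [prg.renekliment.cz] zone event 'load' failed (failed)
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: [example.org] DNSSEC, loaded key, tag 11111, algorithm 13, KSK yes, ZSK no, public yes, active yes
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: [example.org] DNSSEC, loaded key, tag 22222, algorithm 13, KSK no, ZSK yes, public yes, active yes
Thu Feb 23 08:50:32 2017 daemon.info knot[4233]: info: [example.org] DNSSEC, signing started
Thu Feb 23 08:50:33 2017 daemon.info knot[4233]: info: [example.org] DNSSEC, successfully signed
Thu Feb 23 08:50:33 2017 daemon.info knot[4233]: info: server started in the foreground, PID 4233
"""

# Line shape: "<ts> <facility> knot[<pid>]: <level>: [<zone>] <msg>"; the zone part is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) "
    r"(?P<facility>[\w.]+) knot\[(?P<pid>\d+)\]: "
    r"(?P<level>\w+): (?:\[(?P<zone>[^\]]+)\] )?(?P<msg>.*)$"
)
KEY_RE = re.compile(r"loaded key, tag (\d+), algorithm (\d+), KSK (yes|no), ZSK (yes|no)")


def parse_line(line):
    """Return the parsed fields of one knot syslog line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def new_zone_state():
    return {"keys": [], "signing_started": False, "signed": False,
            "journal_failed": False, "load_failed": False, "errors": []}


def summarize(log_text):
    """Group lines by zone and record the DNSSEC / journal milestones for each."""
    report = {"global_warnings": [], "zones": defaultdict(new_zone_state)}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg, zone = rec["msg"], rec["zone"]
        if zone is None:
            # Server-wide warnings/errors (e.g. the timers DB) apply to every zone.
            if rec["level"] in ("warning", "error"):
                report["global_warnings"].append(msg)
            continue
        st = report["zones"][zone]
        key = KEY_RE.search(msg)
        if key:
            st["keys"].append({"tag": int(key.group(1)), "algorithm": int(key.group(2)),
                               "ksk": key.group(3) == "yes", "zsk": key.group(4) == "yes"})
        elif msg.endswith("DNSSEC, signing started"):
            st["signing_started"] = True
        elif msg.endswith("DNSSEC, successfully signed"):
            st["signed"] = True
        elif msg.startswith("failed to store changes into journal"):
            st["journal_failed"] = True
        elif msg.startswith("zone event 'load' failed"):
            st["load_failed"] = True
        if rec["level"] == "error":
            st["errors"].append(msg)
    report["zones"] = dict(report["zones"])
    return report


def diagnose(report):
    """Return {zone: finding} for zones whose signing run did not fully complete."""
    findings = {}
    for zone, st in sorted(report["zones"].items()):
        has_ksk = any(k["ksk"] for k in st["keys"])
        has_zsk = any(k["zsk"] for k in st["keys"])
        if not (has_ksk and has_zsk):
            findings[zone] = "no active KSK+ZSK pair loaded"
        elif st["signed"] and st["journal_failed"]:
            findings[zone] = ("signed in memory but the changes were not written to the "
                              "journal under the configured storage directory")
        elif st["signing_started"] and not st["signed"]:
            findings[zone] = "signing started but never completed"
        elif st["load_failed"]:
            findings[zone] = "zone load failed: " + "; ".join(st["errors"])
    return findings


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for w in rep["global_warnings"]:
        print("server-wide:", w)
    for zone, finding in diagnose(rep).items():
        print(f"{zone}: {finding}")
```

Run against the constructed sample, the script reports the timers DB warning as server-wide and flags only prg.renekliment.cz, because its "successfully signed" line is followed by the journal error while example.org's is not. The point of separating the two is that a key pair being loaded and "successfully signed" appearing in the log are not by themselves proof that the signed zone was stored; the journal and load events have to succeed too.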