# bind will not load dnssec keys



## tunage (Dec 20, 2015)

My rndc errors trying to add a zone, which then makes loading a key impossible. It will sign the zone and create the files (.jnl and .signed), but that's it.
So it can/does read the key files, no permissions error and does accept the zone.

master attempt:


```
# rndc addzone domain.com in external '{type master; auto-dnssec maintain; inline-signing yes; key-directory "/home/ex-mailer-domains/domain.com/"; file "/home/mailer-domains/domain.com/domain.com.external"; update-policy { grant ddns-key zonesub ANY; };};'
# rndc loadkeys domain.com
# rndc signing -nsec3param 1 0 10 03F92714 domain.com.
```


master logs:


```
20-Dec-2015 22:46:35.959 general: error: zone domain.com/IN/external (signed): receive_secure_serial: unchanged
20-Dec-2015 22:56:34.930 general: error: zone domain.com/IN/external (signed): could not get zone keys for secure dynamic update
```



slave attempt:


```
# rndc delzone domain.com
The following files were in use and may now be removed:
/home/mailer-domains/domain.com/domain.com.external
/home/mailer-domains/domain.com/domain.com.external.signed
# rm /home/mailer-domains/domain.com/domain.com.external.signed
# rm /home/mailer-domains/domain.com/domain.com.external
# rndc addzone domain.com in external '{type slave; masters {108.61.190.64; }; auto-dnssec maintain; inline-signing yes; key-directory "/home/mailer-domains/domain.com"; file "/home/mailer-domains/domain.com/domain.com.external";};'
```


logs:


```
20-Dec-2015 20:59:49.777 general: error: dns_master_load: file format mismatch (not raw)
20-Dec-2015 20:59:49.777 general: error: zone domain.com/IN/external (unsigned): loading from master file /home/mailer-domains/domain.com/domain.com.external failed: not implemented
20-Dec-2015 20:59:49.779 general: warning: zone domain.com/IN/external (unsigned): unable to load from '/home/mailer-domains/domain.com/domain.com.external'; renaming file to '/home/mailer-domains/domain.com/db-bLOO3GyE' for failure analysis and retransferring.
20-Dec-2015 20:59:50.616 general: error: zone domain.com/IN/external (signed): receive_secure_serial: unchanged
20-Dec-2015 20:59:50.616 general: error: zone domain.com/IN/external (signed): receive_secure_serial: unchanged
```



key method:

```
# dnssec-keygen -a RSASHA256 -b 2048 -3 domain.com
Generating key pair..........................................................................................+++ ..................................................................................................................................+++
Kdomain.com.+008+61488
# dnssec-keygen -a RSASHA256 -b 2048 -3 -fk domain.com
Generating key pair..................+++ ................................................................................................................................+++
Kdomain.com.+008+50422



# rndc signing -list domain.com
Pending NSEC3 chain 1 0 10 03F92714
```
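Two things the log lines above turn on are whether `named` can actually see a complete KSK/ZSK pair in the configured `key-directory` and whether that directory is the one you think it is: the master attempt names `/home/ex-mailer-domains/domain.com/` in `key-directory` while `file` and the slave attempt use `/home/mailer-domains/...`, and "could not get zone keys for secure dynamic update" is what `named` logs when it finds no usable signing keys for the zone there. The following POSIX `sh` script is an added example for checking that, written for this thread; it is not code from the original post or from ISC. It assumes the split KSK (flags 257) plus ZSK (flags 256) layout that the `dnssec-keygen` commands above produce, and `addzone_key_directory` is a hypothetical helper that pulls the `key-directory` value out of an `rndc addzone` configuration string.

```shell
#!/bin/sh
# Added example: sanity-check the DNSSEC key set named would load for a zone.
#
# check_zone_keys ZONE KEYDIR
#   Exit status 0 when KEYDIR holds a readable .key/.private pair for at least
#   one KSK and one ZSK of ZONE, 1 otherwise (reasons go to stderr).
#   Readability is tested for the invoking user, so run it as the user named
#   runs as (on the FreeBSD port that is normally "bind"), e.g.
#   su -m bind -c 'sh check_zone_keys.sh domain.com /home/mailer-domains/domain.com'
check_zone_keys() {
    zone=$1
    keydir=$2
    ksk=0
    zsk=0
    problems=0

    if [ ! -d "$keydir" ]; then
        echo "key-directory '$keydir' does not exist" >&2
        return 1
    fi

    # dnssec-keygen names files K<zone>.+<alg>+<keyid>.key / .private
    for pub in "$keydir"/K"$zone".+*+*.key; do
        [ -e "$pub" ] || { echo "no K$zone.+*+*.key files in $keydir" >&2; return 1; }
        priv="${pub%.key}.private"

        if [ ! -r "$pub" ]; then
            echo "unreadable public key: $pub" >&2
            problems=$((problems + 1))
            continue
        fi
        if [ ! -r "$priv" ]; then
            echo "missing or unreadable private key: $priv" >&2
            problems=$((problems + 1))
            continue
        fi

        # The private half should not be readable by group or others.
        perms=$(ls -l "$priv" | cut -c5-10)
        case "$perms" in
            ------) ;;
            *) echo "warning: $priv is readable by group/others ($perms)" >&2 ;;
        esac

        # The .key file carries the DNSKEY RR; the field after DNSKEY is the flags.
        flags=$(awk '{ for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i + 1); exit } }' "$pub")
        case "$flags" in
            257) ksk=$((ksk + 1)) ;;
            256) zsk=$((zsk + 1)) ;;
            *)   echo "no DNSKEY record with a recognised flags field in $pub" >&2
                 problems=$((problems + 1)) ;;
        esac
    done

    [ "$ksk" -ge 1 ] || { echo "no KSK (flags 257) found for $zone in $keydir" >&2; problems=$((problems + 1)); }
    [ "$zsk" -ge 1 ] || { echo "no ZSK (flags 256) found for $zone in $keydir" >&2; problems=$((problems + 1)); }
    [ "$problems" -eq 0 ]
}

# addzone_key_directory CONFIG
#   Hypothetical helper: print the key-directory value quoted inside an
#   rndc addzone configuration string, so it can be compared with the
#   directory the key files really live in.
addzone_key_directory() {
    printf '%s\n' "$1" | sed -n 's/.*key-directory[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Stand-alone use: sh check_zone_keys.sh ZONE KEYDIR
if [ "$#" -eq 2 ]; then
    check_zone_keys "$1" "$2"
fi
```

Run it as the `named` user against the directory named in `key-directory` before `rndc loadkeys`; a non-zero exit with "does not exist" or "missing or unreadable private key" explains the key-loading failure without having to read `named`'s logs at debug level.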


----------



## SirDice (Dec 21, 2015)

On what version of FreeBSD? And did you use the BIND that came with the OS or did you install a package or port?


----------



## tunage (Dec 21, 2015)

SirDice said:


> On what version of FreeBSD? And did you use the BIND that came with the OS or did you install a package or port?



`# freebsd-version`

```
10.1-RELEASE-p5
```

ports installation


----------



## tunage (Dec 23, 2015)

Update:
I am removing inline signing from my configuration. this technology is completely broke. There is zero support as well.
I have had 'many' issues with Bind and DNSsec and now on a path to deleting it all together.
Don't bother with bind inline signing.
Phuck bind all together.
And you can forget trying bind10, the entire bind team is completely lost.

[15:10:52] <tunage> is there a bind10 quickstart guide? the one I found seems a little dated  http://kea.isc.org/~jreed/bind10-guide.html#bind10.config https://bpaste.net/show/ba12c0ce62
[15:33:19] <lunaphyte> there is no bind10
[15:51:05] <tunage> lunaphyte: /usr/ports/dns/bind10/  ?
[15:52:17] <tunage> http://kea.isc.org/~jreed/bind10-guide.html#bind10.config  -> Section 3.1. Starting BIND 10
[16:12:33] <tunage> Is this like one of those Prince things? The DNS server formally known as Bind?  is it a hand signal now?  o.0


----------



## SirDice (Dec 23, 2015)

BIND 10 was a development version and does indeed not exist any more. The port will be removed at the end of this month. The project itself has been renamed to Bundy.

https://www.isc.org/downloads/platform/


----------



## tunage (Dec 23, 2015)

SirDice said:


> BIND 10 was a development version and does indeed not exist any more. The port will be removed at the end of this month. The project itself has been renamed to Bundy.
> 
> https://www.isc.org/downloads/platform/



OMG, Prince lives as Bundy now??   

So, it's really junk...
Thank you!


----------



## SirDice (Dec 23, 2015)

It really doesn't help your cause by calling the software these people work on "junk". 

I will, gently, point you to rules 3, 4 and 5: Thread freebsd-forums-rules.38922/.


----------



## tunage (Dec 23, 2015)

SirDice said:


> It really doesn't help your cause by calling the software these people work on "junk".
> 
> I will, gently, point you to rules 3, 4 and 5: Thread freebsd-forums-rules.38922/.



I probably should have used better verbiage, though the point to be made would be just the same.

I have been fighting this issue for some time but via static configs and not through rndc. The error baffled me before but via rndc you can undeniably tell that if you ram a few keys into bind, it will choke out and sometimes completely, with no real way to debug where the issue is coming from.

It gives all of the signs of a stuck key but `rndc flush` or `rndc reload` won't kick it out. You can create all new zone files fresh into a clean directory and change the serial number. Same issue.

I am writing code that requires me to reload keys a number of times and bind just pukes and dies after about #4 or #5. Sometimes you can recover the system, sometimes you cannot. I have had to reinstall complete systems just to unchoke bind9.10 and 9.9 dnssec keys.

You can forget the Bind mailing list, the registration is nonfunctional and the IRC channel is horrid. Bind is having major issues.

I'm looking into PowerDNS and that project appears to be hopping!


----------

