I have REALLY messed up BIND trying to "fix" DNSSEC

Ok, this is a self-inflicted wound. I am tuning FreeBSD 13.1 and BIND version 9.16. I have been trying to get DNSSEC up and operating, and probably playing where I shouldn't.

My log shows the following:

Code:
Nov 10 17:01:21 triggerfish named[1060]: malformed transaction: /usr/local/etc/namedb/master/kasdivi.com.hosts.signed.jnl last serial 1576903706 != transaction first serial 1576903701
Nov 10 17:01:21 triggerfish named[1060]: zone kasdivi.com/IN (signed): zone_resigninc:dns_journal_write_transaction -> unexpected error

Nov 10 17:06:21 triggerfish named[1060]: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/Kkasdivi.com.+005+29005.private: file not found
Nov 10 17:06:21 triggerfish named[1060]: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/Kkasdivi.com.+005+40861.private: file not found
Nov 10 17:06:21 triggerfish named[1060]: zone kasdivi.com/IN (signed): DNSKEY RRSIG(s) have expired
Nov 10 17:06:21 triggerfish named[1060]: malformed transaction: /usr/local/etc/namedb/master/kasdivi.com.hosts.signed.jnl last serial 1576903706 != transaction first serial 1576903701
Nov 10 17:06:21 triggerfish named[1060]: zone kasdivi.com/IN (signed): zone_resigninc:dns_journal_write_transaction -> unexpected error

The multiple keys, I imagine, are from past attempts (005+29005 and 005+40861), but I have no idea how to remove them from DNSSEC.

Any thoughts would be appreciated, or suggestions as to a good guide.
 
Code:
options {
    directory "/usr/local/etc/namedb/working";
    pid-file "/var/run/named/pid";
    dump-file "/var/dump/named_dump.db";
    statistics-file "/var/stats/named.stats";
    allow-query-cache { none; };
    recursion no;
    dnssec-validation yes;
    key-directory "/usr/local/etc/namedb/keys";
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
};

key rndc-key {
    algorithm hmac-sha256;
    secret "Qw4uLX8b9RduAD7frgDPU+6QqJ2q8EkMhV5eSLxO7rA=";
};

zone "." {
    type hint;
    file "/usr/local/etc/namedb/named.root";
};

zone "theoceanwindow.com" {
    type master;
    file "/usr/local/etc/namedb/master/theoceanwindow.com.hosts";
    dnssec-policy default;
};

zone "kasdivi.com" {
    type master;
    file "/usr/local/etc/namedb/master/kasdivi.com.hosts";
    dnssec-policy default;
};

zone "grapestreetgen.com" {
    type master;
    file "/usr/local/etc/namedb/master/grapestreetgen.com.hosts";
    dnssec-policy default;
};

zone "grapestreetvoice.com" {
    type master;
    file "/usr/local/etc/namedb/master/grapestreetvoice.com.hosts";
    dnssec-policy default;
};

zone "wandjbrewers.com" {
    type master;
    file "/usr/local/etc/namedb/master/wandjbrewers.com.hosts";
    dnssec-policy default;
};

zone "filmusfamily.com" {
    type master;
    file "/usr/local/etc/namedb/master/filmusfamily.com.hosts";
    dnssec-policy default;
};

zone "0.0.127.IN-ADDR.ARPA" {
    type master;
    file "/usr/local/etc/namedb/reverse/0.0.127.IN-ADDR.ARPA";
    notify no;
};
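As an added example (not from the post or from BIND itself): a small Python triage script that parses named log lines like the ones quoted above and summarises which key tags named could not find in key-directory, which zone journals have a serial mismatch, and which zones report expired DNSKEY RRSIGs. The sample log lines are constructed from the post, and the algorithm names come from the IANA DNSSEC algorithm registry.

```python
import re

# Constructed sample: named(8) syslog lines modelled on the ones quoted in the post.
SAMPLE_LOG = """\
Nov 10 17:06:21 triggerfish named[1060]: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/Kkasdivi.com.+005+29005.private: file not found
Nov 10 17:06:21 triggerfish named[1060]: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/Kkasdivi.com.+005+40861.private: file not found
Nov 10 17:06:21 triggerfish named[1060]: zone kasdivi.com/IN (signed): DNSKEY RRSIG(s) have expired
Nov 10 17:06:21 triggerfish named[1060]: malformed transaction: /usr/local/etc/namedb/master/kasdivi.com.hosts.signed.jnl last serial 1576903706 != transaction first serial 1576903701
Nov 10 17:06:21 triggerfish named[1060]: zone kasdivi.com/IN (signed): zone_resigninc:dns_journal_write_transaction -> unexpected error
"""
# IANA DNSSEC algorithm numbers, as they appear in K<zone>.+<alg>+<tag>.private file names.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}

# A key that the zone still references by tag but whose private key file is gone or misplaced.
MISSING_KEY_RE = re.compile(
    r"error reading (?P<path>\S+/K(?P<zone>[^/]+?)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.private): file not found")
# A .jnl whose recorded last serial disagrees with the next transaction's first serial.
BAD_JOURNAL_RE = re.compile(
    r"malformed transaction: (?P<jnl>\S+\.jnl) last serial (?P<last>\d+) != transaction first serial (?P<first>\d+)")
# Signatures over the DNSKEY RRset have expired: validating resolvers will treat the zone as bogus.
EXPIRED_RE = re.compile(r"zone (?P<zone>\S+)/IN \(signed\): DNSKEY RRSIG\(s\) have expired")


def triage(log_text: str) -> dict:
    """Collect DNSSEC/journal findings from named log lines, de-duplicating repeated messages."""
    report = {"missing_keys": {}, "bad_journals": {}, "expired_dnskey_rrsig": set()}
    for line in log_text.splitlines():
        if m := MISSING_KEY_RE.search(line):
            alg, tag = int(m["alg"]), int(m["tag"])
            report["missing_keys"][(m["zone"], tag)] = {
                "algorithm": ALGORITHMS.get(alg, f"alg {alg}"), "path": m["path"]}
        elif m := BAD_JOURNAL_RE.search(line):
            report["bad_journals"][m["jnl"]] = (int(m["last"]), int(m["first"]))
        elif m := EXPIRED_RE.search(line):
            report["expired_dnskey_rrsig"].add(m["zone"])
    return report


def summarise(report: dict) -> list:
    """One actionable line per finding, for an operator reading the triage output."""
    lines = []
    for (zone, tag), info in sorted(report["missing_keys"].items()):
        lines.append(f"{zone}: key tag {tag} ({info['algorithm']}) still referenced but {info['path']} is missing")
    for jnl, (last, first) in sorted(report["bad_journals"].items()):
        lines.append(f"{jnl}: journal last serial {last} != next transaction first serial {first}")
    for zone in sorted(report["expired_dnskey_rrsig"]):
        lines.append(f"{zone}: DNSKEY RRSIGs expired; zone fails validation until it is re-signed")
    return lines


if __name__ == "__main__":
    print("\n".join(summarise(triage(SAMPLE_LOG))))
```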
 
You should update your system. 13.1 is EOL.
 
Best practice is not to run EOL software. Do not run EOL software. It will eventually hurt you.

BTW, commercial vendors won't even talk to you if you're running their EOL software.
 
OK. I upgraded to 13.2 and think I have reached my EOL. I am working through the myriad of issues, such as dealing with moving to MySQL 8. On the BIND side my error is now:

Nov 11 13:11:47 triggerfish root[1065]: /etc/rc: ERROR: named-checkconf for /usr/local/etc/namedb/named.conf failed
Nov 11 13:11:47 triggerfish root[1074]: /etc/rc: ERROR: named-checkconf for /usr/local/etc/namedb/named.conf failed

with no DNS services.
 