Solved Problems with dnssec-signzone: fatal: SOA is not signed (keys offline or inactive?)

OlliP

New Member

Thanks: 1
Messages: 14

#1
Hi,

I'm using FreeBSD V11 and Bind911, but this doesn't work correctly.

Actually, my problem is configuring named(8) with DNSSEC.


Code:
Feb 27 18:34:01 freeBSD named[3084]: starting BIND 9.11.2-P1 <id:2c2bc60>
Feb 27 18:34:01 freeBSD named[3084]: running on FreeBSD amd64 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC
Feb 27 18:34:01 freeBSD named[3084]: built with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--with-libxml2=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlopen=yes' '--sysconfdir=/usr/local/etc/namedb' '--disable-dnstap' '--disable-filter-aaaa' '--disable-fixed-rrset' '--without-geoip' '--with-idn=/usr/local' '--enable-ipv6' '--with-libjson' '--disable-largefile' '--with-lmdb' '--with-python=/usr/local/bin/python2.7' '--disable-querytrace' '--enable-rpz-nsdname' '--enable-rpz-nsip' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-threads' '--without-gssapi' '--with-openssl=/usr' '--disable-native-pkcs11' '--with-dlz-filesystem=yes' '--without-gost' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.1' 'build_alias=amd64-portbld-freebsd11.1' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector -isystem /usr/local/include -fno-strict-aliasing' 'LDFLAGS= -fstack-protector' 'LIBS=-L/usr/lo
Feb 27 18:34:01 freeBSD named[3084]: running as: named -u bind -c /usr/local/etc/namedb/named.conf
Feb 27 18:34:01 freeBSD named[3084]: ----------------------------------------------------
Feb 27 18:34:01 freeBSD named[3084]: BIND 9 is maintained by Internet Systems Consortium,
Feb 27 18:34:01 freeBSD named[3084]: Inc. (ISC), a non-profit 501(c)(3) public-benefit 
Feb 27 18:34:01 freeBSD named[3084]: corporation.  Support and training for BIND 9 are 
Feb 27 18:34:01 freeBSD named[3084]: available at https://www.isc.org/support
Feb 27 18:34:01 freeBSD named[3084]: ----------------------------------------------------
Feb 27 18:34:01 freeBSD named[3084]: socket.c:5695: unexpected error:
Feb 27 18:34:01 freeBSD named[3084]: setsockopt(21, TCP_FASTOPEN) failed with Protocol not available
Feb 27 18:34:01 freeBSD named[3084]: socket.c:5695: unexpected error:
Feb 27 18:34:01 freeBSD named[3084]: setsockopt(22, TCP_FASTOPEN) failed with Protocol not available
Feb 27 18:34:01 freeBSD named[3084]: /usr/local/etc/namedb/named.conf:78: WARNING: the DLV server at 'dlv.isc.org' is expected to cease operation by the end of January 2017
Feb 27 18:34:01 freeBSD named[3084]: /usr/local/etc/namedb/named.conf:78: WARNING: the DLV server at 'dlv.isc.org' is expected to cease operation by the end of January 2017
Feb 27 18:34:01 freeBSD named[3084]: socket.c:5695: unexpected error:
Feb 27 18:34:01 freeBSD named[3084]: setsockopt(23, TCP_FASTOPEN) failed with Protocol not available
Feb 27 18:34:01 freeBSD named[3084]: command channel listening on 0.0.0.0#953
Feb 27 18:34:01 freeBSD named[3084]: all zones loaded
Feb 27 18:34:01 freeBSD named[3084]: running
root@freeBSD:/usr/local/etc/namedb # dnssec-signzone -o ollip-it.de -k keys/Kollip-it.de.+005+57096.key master/ollip-it.de keys/Kollip-it.de.+005+54799.key
dnssec-signzone: fatal: SOA is not signed (keys offline or inactive?)

root@freeBSD:/usr/local/etc/namedb #
Here is my named.conf:
Code:
options {
        directory       "/usr/local/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        key-directory   "/usr/local/etc/namedb/keys";

        listen-on       { 192.168.150.26; };

        disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
        disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
        disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

        forwarders {
               127.0.0.1;
                9.9.9.9;
        };

  dnssec-enable yes;
  dnssec-validation auto;
  dnssec-lookaside auto;

};

 key "rndc-key" {
        algorithm hmac-md5;
        secret "*somesecret*";
 };

 controls {
        inet * port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
 };

// Comment out the three lines below if you don't want DNSSEC.
  dnssec-enable yes;
  dnssec-validation auto;
  dnssec-lookaside auto;

};

# Use with the following in named.conf, adjusting the allow list as needed:
 key "rndc-key" {
        algorithm hmac-md5;
        secret "*somethingsecret*";
 };

 controls {
        inet * port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
 };
# End of named.conf


zone "ollip-it.de" {
        type master;
        file "/usr/local/etc/namedb/master/ollip-it.de";
};

zone "150.168.192.in-addr.arpa" {
        type master;
        file "/usr/local/etc/namedb/master/150.db";
};

And now the master file:

Code:
; $FreeBSD: branches/2018Q1/dns/bind911/files/localhost-forward.db 340872 2014-01-24 00:14:07Z mat $

$TTL 3h

$ORIGIN ollip-it.de.

@ IN SOA freebsd.ollip-it.de. root.ollip-it.de. ( 42 1d 12h 1w 3h )
        ; Serial, Refresh, Retry, Expire, Neg. cache TTL

         IN NS  ollip-it.de.
         IN A   192.168.150.51
www      IN CNAME       ollip-it.de.
mail     IN MX 10       ollip-it.de.
mail.ollip-it.de. 86400 IN A 192.168.150.51
imap.ollip-it.de. 86400 IN CNAME     mail.ollip-it.de.
smtp.ollip-it.de. 86400 IN CNAME     mail.ollip-it.de.
ollip-it.de. 86400 IN MX 0 mail.ollip-it.de.

ollip-it.de. 3600 IN TXT "v=spf1 a:mail.ollip-it.de ?all"

_dmarc.ollip-it.de. 3600 IN TXT "v=DMARC1; p=reject;"

$INCLUDE        /usr/local/etc/namedb/keys/Kollip-it.de.+005+54799.key
$INCLUDE        /usr/local/etc/namedb/keys/Kollip-it.de.+005+57096.key

pc000001 IN A   192.168.150.1
pc000002 IN A   192.168.150.2
pc000003 IN A   192.168.150.3
pc000004 IN A   192.168.150.4

And now the problem...
Code:
root@freeBSD:/usr/local/etc/namedb # dnssec-signzone -o ollip-it.de -k keys/Kollip-it.de.+005+57096.key master/ollip-it.de keys/Kollip-it.de.+005+54799.key
dnssec-signzone: fatal: SOA is not signed (keys offline or inactive?)

Is it possible that there is no connection from my DNS server to the public DNS server and that this is the problem?
I can ping my forwarder 9.9.9.9 without problems.

I've followed the instructions at https://stoneyforest.net/~chris/blog/freebsd/dns/dnssec-zone.html

I hope you can help me.

Thanks a lot.
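The error text itself points at the first thing to check: whether the keys handed to dnssec-signzone are actually allowed to sign at the moment the command runs. BIND records that in the metadata comments of each .key file (the same fields `dnssec-settime -p all <keyfile>` prints), and the DNSKEY flags field says which key is the KSK (257, SEP bit set) and which the ZSK (256). The following Python script is an added example, not code from the post, the blog linked above or BIND: it parses two constructed .key files that reuse the zone name, key ids and algorithm 5 (RSASHA1) from the file names in the post (the base64 key material is a placeholder), classifies each key by role and timing state, and reports whether an active ZSK exists to sign the SOA. The ZSK in the sample is deliberately given an Activate date after the assumed time of the signing run (2018-02-27 18:34:01 UTC, the year taken from the 2018Q1 ports branch in the zone file comment) to show what the "inactive" case looks like; nothing here claims that was the poster's actual cause.

```python
import re
from datetime import datetime, timezone

# Constructed sample key files in the layout dnssec-keygen writes: metadata
# comment lines, then the DNSKEY record. Zone name, key ids and algorithm 5
# (RSASHA1) follow the file names in the post; the base64 key material is a
# placeholder, not real key data. The ZSK's Activate date is deliberately set
# after the time of the signing attempt to illustrate the "inactive" case.
SAMPLE_KEY_FILES = {
    "Kollip-it.de.+005+57096.key": (
        "; This is a key-signing key, keyid 57096, for ollip-it.de.\n"
        "; Created: 20180227170000 (Tue Feb 27 17:00:00 2018)\n"
        "; Publish: 20180227170000 (Tue Feb 27 17:00:00 2018)\n"
        "; Activate: 20180227170000 (Tue Feb 27 17:00:00 2018)\n"
        "ollip-it.de. IN DNSKEY 257 3 5 AwEAAPLACEHOLDER+KSK+MATERIAL\n"
    ),
    "Kollip-it.de.+005+54799.key": (
        "; This is a zone-signing key, keyid 54799, for ollip-it.de.\n"
        "; Created: 20180227170000 (Tue Feb 27 17:00:00 2018)\n"
        "; Publish: 20180227170000 (Tue Feb 27 17:00:00 2018)\n"
        "; Activate: 20180301000000 (Thu Mar  1 00:00:00 2018)\n"
        "ollip-it.de. IN DNSKEY 256 3 5 AwEAAPLACEHOLDER+ZSK+MATERIAL\n"
    ),
}

TIMING_FIELDS = ("Publish", "Activate", "Inactive", "Delete")
ZONE_KEY_BIT = 0x0100  # DNSKEY flags bit 7: this is a zone key (RFC 4034)
SEP_BIT = 0x0001       # DNSKEY flags bit 15: secure entry point, i.e. a KSK


def parse_stamp(stamp):
    """Turn a YYYYMMDDHHMMSS timestamp (UTC, as in .key metadata) into a datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_key_file(text):
    """Extract owner, flags, algorithm and timing metadata from one .key file."""
    info = {"timing": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            # Metadata lines look like "; Activate: 20180227170000 (...)"
            m = re.match(r";\s*(\w+):\s*(\d{14})", line)
            if m and m.group(1) in TIMING_FIELDS:
                info["timing"][m.group(1)] = parse_stamp(m.group(2))
            continue
        fields = line.split()
        if "DNSKEY" not in fields:
            raise ValueError("unexpected record in key file: %r" % line)
        i = fields.index("DNSKEY")  # owner [ttl] [class] DNSKEY flags proto alg key
        info["owner"] = fields[0]
        info["flags"] = int(fields[i + 1])
        info["algorithm"] = int(fields[i + 3])
    if "flags" not in info:
        raise ValueError("no DNSKEY record in key file")
    return info


def key_role(info):
    """KSK if the SEP bit is set, ZSK otherwise; reject non-zone keys."""
    if not info["flags"] & ZONE_KEY_BIT:
        return "not-a-zone-key"
    return "KSK" if info["flags"] & SEP_BIT else "ZSK"


def key_state(info, now):
    """Classify a key by its timing metadata at time `now`. A key may sign only
    from Activate until Inactive; a key with no timing metadata at all is
    treated as active by this checker (an assumption of this script)."""
    t = info["timing"]
    if "Delete" in t and now >= t["Delete"]:
        return "deleted"
    if "Inactive" in t and now >= t["Inactive"]:
        return "inactive"
    if "Activate" in t and now < t["Activate"]:
        return "not yet active"
    if "Publish" in t and now < t["Publish"]:
        return "not yet published"
    return "active"


def signing_report(key_files, now):
    """Return per-key (role, state, algorithm) plus the KSKs and ZSKs able to
    sign now. Under the usual split (-k for the KSK, the other key a ZSK) the
    SOA and every other non-DNSKEY RRset are signed by a ZSK, so an empty ZSK
    list is the condition to look for when the SOA ends up unsigned."""
    report = {}
    for name, text in key_files.items():
        info = parse_key_file(text)
        keyid = int(name.rsplit("+", 1)[1].split(".")[0])  # Kzone.+alg+ID.key
        report[keyid] = (key_role(info), key_state(info, now), info["algorithm"])
    active_ksks = sorted(k for k, (r, s, _) in report.items() if r == "KSK" and s == "active")
    active_zsks = sorted(k for k, (r, s, _) in report.items() if r == "ZSK" and s == "active")
    return report, active_ksks, active_zsks


def check_at(stamp, key_files=SAMPLE_KEY_FILES):
    """Convenience wrapper: run the report at a YYYYMMDDHHMMSS timestamp."""
    return signing_report(key_files, parse_stamp(stamp))


if __name__ == "__main__":
    # Assumed time of the failed signing run: the log says Feb 27 18:34, and the
    # year is taken from the 2018Q1 ports branch named in the zone file comment.
    report, ksks, zsks = check_at("20180227183401")
    for keyid, (role, state, alg) in sorted(report.items()):
        print("key %d: %s, algorithm %d, %s" % (keyid, role, alg, state))
    if not zsks:
        print("no active ZSK: nothing signs the SOA; inspect with dnssec-settime -p all")
```

To use it on a real system, read the two files from the key-directory shown in named.conf (/usr/local/etc/namedb/keys) into a dict keyed by file name and pass it to `signing_report` with the current time; only the metadata comments and the DNSKEY flags field are read, the key material itself is never needed for this check. Timing fields are compared in UTC because dnssec-keygen and dnssec-settime write them that way.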
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 6,334
Messages: 27,504

#2
It may or may not be related to your issue but I noticed you defined rndc-key twice in named.conf.
 

OlliP

New Member

Thanks: 1
Messages: 14

#3
Hi SirDice,

That was a copy error while I gathered the information...

This was not really in the config file.

So it must be another error that forces this problem.
 