Solved Problems with dnssec-signzone: fatal: SOA is not signed (keys offline or inactive?)

Hi,

I'm using FreeBSD 11 and BIND 9.11, but this doesn't work correctly.

My actual problem is configuring named(8) with DNSSEC.


Code:
Feb 27 18:34:01 freeBSD named[3084]: starting BIND 9.11.2-P1 <id:2c2bc60>
Feb 27 18:34:01 freeBSD named[3084]: running on FreeBSD amd64 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC
Feb 27 18:34:01 freeBSD named[3084]: built with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--with-libxml2=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlopen=yes' '--sysconfdir=/usr/local/etc/namedb' '--disable-dnstap' '--disable-filter-aaaa' '--disable-fixed-rrset' '--without-geoip' '--with-idn=/usr/local' '--enable-ipv6' '--with-libjson' '--disable-largefile' '--with-lmdb' '--with-python=/usr/local/bin/python2.7' '--disable-querytrace' '--enable-rpz-nsdname' '--enable-rpz-nsip' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-threads' '--without-gssapi' '--with-openssl=/usr' '--disable-native-pkcs11' '--with-dlz-filesystem=yes' '--without-gost' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.1' 'build_alias=amd64-portbld-freebsd11.1' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector -isystem /usr/local/include -fno-strict-aliasing' 'LDFLAGS= -fstack-protector' 'LIBS=-L/usr/lo
Feb 27 18:34:01 freeBSD named[3084]: running as: named -u bind -c /usr/local/etc/namedb/named.conf
Feb 27 18:34:01 freeBSD named[3084]: ----------------------------------------------------
Feb 27 18:34:01 freeBSD named[3084]: BIND 9 is maintained by Internet Systems Consortium,
Feb 27 18:34:01 freeBSD named[3084]: Inc. (ISC), a non-profit 501(c)(3) public-benefit 
Feb 27 18:34:01 freeBSD named[3084]: corporation.  Support and training for BIND 9 are 
Feb 27 18:34:01 freeBSD named[3084]: available at https://www.isc.org/support
Feb 27 18:34:01 freeBSD named[3084]: ----------------------------------------------------
Feb 27 18:34:01 freeBSD named[3084]: socket.c:5695: unexpected error:
Feb 27 18:34:01 freeBSD named[3084]: setsockopt(21, TCP_FASTOPEN) failed with Protocol not available
Feb 27 18:34:01 freeBSD named[3084]: socket.c:5695: unexpected error:
Feb 27 18:34:01 freeBSD named[3084]: setsockopt(22, TCP_FASTOPEN) failed with Protocol not available
Feb 27 18:34:01 freeBSD named[3084]: /usr/local/etc/namedb/named.conf:78: WARNING: the DLV server at 'dlv.isc.org' is expected to cease operation by the end of January 2017
Feb 27 18:34:01 freeBSD named[3084]: /usr/local/etc/namedb/named.conf:78: WARNING: the DLV server at 'dlv.isc.org' is expected to cease operation by the end of January 2017
Feb 27 18:34:01 freeBSD named[3084]: socket.c:5695: unexpected error:
Feb 27 18:34:01 freeBSD named[3084]: setsockopt(23, TCP_FASTOPEN) failed with Protocol not available
Feb 27 18:34:01 freeBSD named[3084]: command channel listening on 0.0.0.0#953
Feb 27 18:34:01 freeBSD named[3084]: all zones loaded
Feb 27 18:34:01 freeBSD named[3084]: running
root@freeBSD:/usr/local/etc/namedb # dnssec-signzone -o ollip-it.de -k keys/Kollip-it.de.+005+57096.key master/ollip-it.de keys/Kollip-it.de.+005+54799.key
dnssec-signzone: fatal: SOA is not signed (keys offline or inactive?)

root@freeBSD:/usr/local/etc/namedb #

Here is my named.conf:
Code:
options {
        directory       "/usr/local/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        key-directory   "/usr/local/etc/namedb/keys";

        listen-on       { 192.168.150.26; };

        disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
        disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
        disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

        forwarders {
               127.0.0.1;
                9.9.9.9;
        };

        dnssec-enable yes;
        dnssec-validation auto;
        dnssec-lookaside auto;

};

 key "rndc-key" {
        algorithm hmac-md5;
        secret "*somesecret*";
 };

 controls {
        inet * port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
 };

// Comment out the three lines below if you don't want DNSSEC.
  dnssec-enable yes;
  dnssec-validation auto;
  dnssec-lookaside auto;

};

# Use with the following in named.conf, adjusting the allow list as needed:
 key "rndc-key" {
        algorithm hmac-md5;
        secret "*somethingsecret*";
 };

 controls {
        inet * port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
 };
# End of named.conf


zone "ollip-it.de" {
        type master;
        file "/usr/local/etc/namedb/master/ollip-it.de";
};

zone "150.168.192.in-addr.arpa" {
        type master;
        file "/usr/local/etc/namedb/master/150.db";
};

And now the master file:

Code:
; $FreeBSD: branches/2018Q1/dns/bind911/files/localhost-forward.db 340872 2014-01-24 00:14:07Z mat $

$TTL 3h

$ORIGIN ollip-it.de.

@ IN SOA freebsd.ollip-it.de. root.ollip-it.de. ( 42 1d 12h 1w 3h )
        ; Serial, Refresh, Retry, Expire, Neg. cache TTL

         IN NS  ollip-it.de.
         IN A   192.168.150.51
www      IN CNAME       ollip-it.de.
mail     IN MX 10       ollip-it.de.
mail.ollip-it.de. 86400 IN A 192.168.150.51
imap.ollip-it.de. 86400 IN CNAME     mail.ollip-it.de.
smtp.ollip-it.de. 86400 IN CNAME     mail.ollip-it.de.
ollip-it.de. 86400 IN MX 0 mail.ollip-it.de.

; TXT data must be quoted: an unquoted ";" starts a zone-file comment and
; silently truncates the record. The SPF version tag is "v=spf1", not "v=spfl".
ollip-it.de. 3600 IN TXT "v=spf1 a:mail.ollip-it.de ?all"

_dmarc.ollip-it.de. 3600 IN TXT "v=DMARC1; p=reject;"

; Public DNSKEY records of the two keys; dnssec-signzone reads the matching
; .private files from the same directory when it signs.
$INCLUDE        /usr/local/etc/namedb/keys/Kollip-it.de.+005+54799.key
$INCLUDE        /usr/local/etc/namedb/keys/Kollip-it.de.+005+57096.key

pc000001 IN A   192.168.150.1
pc000002 IN A   192.168.150.2
pc000003 IN A   192.168.150.3
pc000004 IN A   192.168.150.4


And now the problem:
Code:
root@freeBSD:/usr/local/etc/namedb # dnssec-signzone -o ollip-it.de -k keys/Kollip-it.de.+005+57096.key master/ollip-it.de keys/Kollip-it.de.+005+54799.key
dnssec-signzone: fatal: SOA is not signed (keys offline or inactive?)

Is it possible that there is no connection from my DNS server to the public DNS servers, and that this is the problem?
I can ping my forwarder 9.9.9.9 without problems.

I followed the instructions at https://stoneyforest.net/~chris/blog/freebsd/dns/dnssec-zone.html

I hope you can help me.

Thanks a lot.
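The message "SOA is not signed (keys offline or inactive?)" comes from the way dnssec-signzone picks signing keys: ordinary RRsets, the SOA included, are signed only by zone-signing keys (DNSKEY flags 256) that are active at signing time and whose .private file can be read; the key given with -k is the key-signing key (flags 257) and signs only the DNSKEY RRset. The script below is an added example, not code from this thread or from BIND: it parses the public .key files that dnssec-keygen writes (the "; Publish:/Activate:/Inactive:/Delete:" metadata lines and the DNSKEY record) and reports which of the three conditions would leave the SOA unsigned. The key files are constructed samples with placeholder key material; only the key tags 57096 and 54799 and the algorithm number 5 are taken from the poster's file names, and the "keyid 11111" key is invented for the all-KSK case.

```python
"""Explain dnssec-signzone's "SOA is not signed (keys offline or inactive?)".

Added example: reads dnssec-keygen .key files and checks whether at least one
zone-signing key (flags 256) is active at signing time and has its .private
file available. Sample key files below are constructed; key material is fake.
"""
import re
from datetime import datetime, timezone

DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+(?P<flags>\d+)\s+\d+\s+(?P<alg>\d+)\s+\S")
META_RE = re.compile(r"^;\s*(?P<name>Publish|Activate|Revoke|Inactive|Delete):\s*(?P<ts>\d{14})")
KEYID_RE = re.compile(r"keyid\s+(?P<tag>\d+)")

SEP_BIT = 0x0001     # set in flags 257: key-signing key
REVOKE_BIT = 0x0080  # RFC 5011 revoke flag


def parse_key_file(text):
    """Return owner, flags, algorithm, key tag and timing metadata of one .key file."""
    info = {"owner": None, "flags": None, "alg": None, "tag": None, "timing": {}}
    for line in text.splitlines():
        m = KEYID_RE.search(line)
        if line.startswith(";") and m:
            info["tag"] = int(m.group("tag"))
        m = META_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            info["timing"][m.group("name")] = ts
            continue
        m = DNSKEY_RE.match(line)
        if m:
            info["owner"] = m.group("owner")
            info["flags"] = int(m.group("flags"))
            info["alg"] = int(m.group("alg"))
    if info["flags"] is None:
        raise ValueError("no DNSKEY record in key file")
    return info


def is_ksk(info):
    return bool(info["flags"] & SEP_BIT)


def can_sign_zone_data(info, now):
    """True if the key is inside its active window and not revoked."""
    t = info["timing"]
    if info["flags"] & REVOKE_BIT:
        return False
    if "Activate" in t and t["Activate"] > now:
        return False  # not yet active
    if "Inactive" in t and t["Inactive"] <= now:
        return False  # retired
    if "Delete" in t and t["Delete"] <= now:
        return False
    if "Revoke" in t and t["Revoke"] <= now:
        return False  # a revoked key signs only the DNSKEY RRset
    return True


def diagnose(key_texts, now, offline_tags=frozenset()):
    """Mimic signzone's ZSK selection and say why the SOA would stay unsigned."""
    keys = [parse_key_file(t) for t in key_texts]
    zsks = [k for k in keys if not is_ksk(k)]
    if not zsks:
        return "no ZSK: every supplied key has the SEP flag (257); generate one without -f KSK"
    usable = [k for k in zsks if can_sign_zone_data(k, now)]
    if not usable:
        return "ZSK inactive: outside its Activate/Inactive/Delete window at signing time"
    online = [k for k in usable if k["tag"] not in offline_tags]
    if not online:
        return "ZSK offline: no readable .private file next to the .key file"
    return "ok: %d active ZSK(s) will sign the SOA" % len(online)


# Constructed sample key files in dnssec-keygen's format (placeholder key material).
KSK = """; This is a key-signing key, keyid 57096, for ollip-it.de.
; Publish: 20180227170000 (Tue Feb 27 17:00:00 2018)
; Activate: 20180227170000 (Tue Feb 27 17:00:00 2018)
ollip-it.de. IN DNSKEY 257 3 5 AwEAAcPLACEHOLDERKSK
"""
ZSK = """; This is a zone-signing key, keyid 54799, for ollip-it.de.
; Publish: 20180227170000 (Tue Feb 27 17:00:00 2018)
; Activate: 20180227170000 (Tue Feb 27 17:00:00 2018)
ollip-it.de. IN DNSKEY 256 3 5 AwEAAcPLACEHOLDERZSK
"""
ZSK_RETIRED = ZSK.replace("; Activate:",
                          "; Inactive: 20180131000000 (Wed Jan 31 00:00:00 2018)\n; Activate:")
SIGNING_TIME = datetime(2018, 2, 27, 18, 34, tzinfo=timezone.utc)


def run_samples(now=SIGNING_TIME):
    """Verdicts for the four key sets a signzone run can be handed."""
    return {
        "ksk+zsk": diagnose([KSK, ZSK], now),
        "two ksks": diagnose([KSK, KSK.replace("keyid 57096", "keyid 11111")], now),
        "retired zsk": diagnose([KSK, ZSK_RETIRED], now),
        "missing private": diagnose([KSK, ZSK], now, offline_tags={54799}),
    }


if __name__ == "__main__":
    for case, verdict in run_samples().items():
        print("%-16s %s" % (case, verdict))
```

Run it against the real files with `parse_key_file(open(path).read())` for each key named on the dnssec-signzone command line; if both files show flags 257, the second key was also generated with `-f KSK` and there is no ZSK at all. Algorithm 5 in the file names is RSASHA1, which RFC 8624 says must no longer be used for signing; new keys should use ECDSAP256SHA256 (algorithm 13).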
 
It may or may not be related to your issue, but I noticed you defined rndc-key twice in named.conf.
 
Hi SirDice,

That was a copy error while I gathered the information.

This was not really in the config file.

So it must be another error that is causing this problem.
 