Yes,
the directory is the same one from knot 1.6, it all worked fine, keys are
in the same place... And knot is the owner, it is one of the first things
that I checked :-/
Best regards
J.K.
Do you have correct permissions on both /var/lib/knot and
/var/lib/knot/domain.cz.keys? That's the most common source of
troubles.
Cheers,
Ondrej
--
Ondřej Surý -- Technical Fellow
--------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Milesovska 5, 130 00 Praha 3, Czech Republic
mailto:ondrej.sury@nic.cz
https://nic.cz/
--------------------------------------------
----- Original Message -----
> From: "Josef Karliak" <karliak(a)ajetaci.cz>
> To: knot-dns-users(a)lists.nic.cz
> Sent: Thursday, April 7, 2016 5:29:39 AM
> Subject: Re: [knot-dns-users] knot 2 do not load zone after migrated from 1.6
> Hi,
> thanks for the answer, but still no luck:
>
> Apr 7 10:19:29 celer sudo: root : TTY=pts/1 ; PWD=/var/lib/knot/domain.cz.keys ; USER=knot ; COMMAND=/usr/sbin/keymgr init
> Apr 7 10:19:43 celer knotd[29767]: info: reloading configuration file '/etc/knot/knot.conf'
> Apr 7 10:19:44 celer knotd[29767]: info: configuration reloaded
> Apr 7 10:19:44 celer knotd[29767]: info: [domain.cz] zone loader, semantic check, completed
> Apr 7 10:19:44 celer knotd[29767]: error: [domain.cz] DNSSEC, failed to initialize (not found)
> Apr 7 10:19:44 celer knotd[29767]: error: [domain.cz] failed to store changes into journal (not found)
> Apr 7 10:19:44 celer knotd[29767]: error: [domain.cz] zone event 'load' failed (not found)
>
> I entered the keys directory and ran the command with sudo (I'm
> running knot as user "knot"):
> sudo -u knot keymgr init
>
> In "/var/lib/knot/domain.cz.keys", some .json files and a "keys"
> directory were created. I copied my DNSSEC keys to the newly created
> "keys" directory, but the problem persists :-/
> Something is still missing.
> Thanks and best regards
> J.K.
>
>
>
>> Hi Josef,
>>
>> please, try to run 'keymgr init' in your kasp-db directory (with the
>> right permissions).
>>
>> Daniel
>>
>> On 04/07/2016 09:02 AM, Josef Karliak wrote:
>>> Good morning,
>>> I've migrated to knot2; the configuration file was migrated by the
>>> knot1to2 tool. Knot 2 loads, but does not load my DNSSEC signed zone
>>> (NSEC, not NSEC3). Knot2 is installed from the suse dns server repo,
>>> version "knot2-2.1.1-1.1.x86_64".
>>> Error message:
>>> Apr 7 08:57:39 celer knotd[21676]: info: reloading configuration file '/etc/knot/knot.conf'
>>> Apr 7 08:57:39 celer knotd[21676]: info: configuration reloaded
>>> Apr 7 08:57:39 celer knotd[21676]: info: [domain.cz] zone loader, semantic check, completed
>>> Apr 7 08:57:39 celer knotd[21676]: error: [domain.cz] DNSSEC, failed to initialize (not found)
>>> Apr 7 08:57:39 celer knotd[21676]: error: [domain.cz] failed to store changes into journal (not found)
>>> Apr 7 08:57:39 celer knotd[21676]: error: [domain.cz] zone event 'load' failed (not found)
>>>
>>>
>>> Part of the configuration file:
>>> ...
>>> ...
>>> template:
>>>   - id: "default"
>>>     storage: "/var/lib/knot"
>>>
>>> zone:
>>>   - domain: "domain.cz."
>>>     file: "domain.cz"
>>>     notify: "slave"
>>>     acl: "acl_slave"
>>>     semantic-checks: "on"
>>>     ixfr-from-differences: "on"
>>>     max-journal-size: "1073741824"
>>>     dnssec-signing: "on"
>>>     kasp-db: "/var/lib/knot/domain.cz.keys"
>>>
>>> ...
>>> ...
>>>
>>> Directory "/var/lib/knot/domain.cz.keys" contains the zone private
>>> and public keys.
>>>
>>> What did I miss?
>>> Thanks and best regards
>>> J.Karliak
>>>
>>>
>>
>>
>
>
> --
> My domain uses SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP)
> policy and an implementation of DMARC. If you have problems sending
> emails to me, start using the email origin verification methods
> mentioned above. Thank you.
>
> _______________________________________________
> knot-dns-users mailing list
> knot-dns-users(a)lists.nic.cz
> https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
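
The ownership and permission question raised in this thread can be checked mechanically. The following is an added example, not part of the original messages and not code from Knot DNS: a shell function that reports ownership and mode problems on the storage directory and the kasp-db tree. The daemon user and both paths are passed as arguments, and the finding labels are made up for this example.

```sh
#!/bin/sh
# Added example, not from the thread or from Knot DNS.
# Reports ownership and mode problems that would keep the daemon user from
# using its storage directory and kasp-db. Finding labels are this example's own.

# audit_kasp USER STORAGE_DIR KASP_DIR
#   USER may be a name or a numeric uid. Prints one "label path" line per
#   finding and nothing when the layout is clean.
audit_kasp() {
    user=$1 storage=$2 kasp=$3

    for dir in "$storage" "$kasp"; do
        if [ ! -d "$dir" ]; then
            echo "missing-dir $dir"
            return 0
        fi
    done

    # The storage directory itself (-prune: do not descend) must belong to
    # the daemon user and give the owner read, write and search.
    find "$storage" -prune \( ! -user "$user" -o ! -perm -700 \) \
        -exec echo "storage-dir" {} \;

    # Everything under kasp-db, including keys copied in by hand (for example
    # when copied as root), must be owned by the daemon user.
    find "$kasp" ! -user "$user" -exec echo "wrong-owner" {} \;

    # Owner needs rwx on directories and rw on files.
    find "$kasp" -type d ! -perm -700 -exec echo "dir-no-rwx" {} \;
    find "$kasp" -type f ! -perm -600 -exec echo "file-no-rw" {} \;

    # Private key material should not be accessible to "other".
    find "$kasp" -type f \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec echo "world-access" {} \;
    return 0
}

# Example invocation for the paths in this thread:
#   audit_kasp knot /var/lib/knot /var/lib/knot/domain.cz.keys
if [ "$#" -eq 3 ]; then
    audit_kasp "$@"
fi
```

An empty result only rules out ownership and mode bits as the cause; it says nothing about whether the KASP database contents match what the server expects.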