Hi list!
I'm trying to understand why my DNS zone refuses to get updated/signed. After an "rndc reload" I get this in the named-pkcs11 logs:

<....> failed to parse RR entry: resource record DN 'idnsname=mail._domainkey,idnsname=example.com.,cn=dns,dc=example,dc=com'
<....> update_record (syncrepl) failed, resource record DN 'idnsname=mail._domainkey,idnsname=example.com.,cn=dns,dc=example,dc=com' change type 0x1. Records can be outdated, run `rndc reload`: syntax error
<....> zone example.com/IN (signed): could not get zone keys for secure dynamic update
zone example/IN (signed): receive_secure_serial: unchanged
<....>
Naturally, I checked the DNSSEC Troubleshooting guide [1]:
- Zone is set to have in-line signing
- It appears on the zone list command to ods-ksmutil
- The KSK and ZSK keys are both active and have not expired
- The [...]/localhsm.py script result looks ok according to the expected results.
The question now is: how can I fix this? Also, if the only fix is to disable and re-enable DNSSEC, does that have any implications?
Thanks in advance!

Carlos Mogas da Silva
[1] http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work
freeipa-users@lists.fedorahosted.org