DNS rewrite errors in errortaskq.log

[Nickske00]

Hi,

So I have multiserver setup and today I issued a dns rewrite command because the zone serial was out of sync (my fault, forgot to check the ssl checkbox on one server) but when looking at the datatask log I noticed some errors on signed dnssec zones. Why is an external server trying to rewrite them?

2021:11:16-13:14:06: Unable to save zone domain.com: named-checkzone returned:
loading "domain.com" from "/etc/bind/domain.com.db.temp.17697.8WSbRzgAOx" class "IN"
zone domain.com/IN: has no NS records
zone domain.com/IN: not loaded due to errors.

Can't an external server just skip these because they are signed? Another solution would be to also transfer the keys to external servers when using multiserver...

 

[Richard G]

First of all. On multiserver setup, the keys will also be transferred, so that should be no issue.

I don't know why you are having this issue. But just to be sure... do you have enabled DNSSEC on the other server too?

 

[Nickske00]

If keys are transferred, why can't you edit a signed zone on another server? Looks like it has all it needs if the keys are present...

EDIT
As far as I can see only your signed zonefile is transferred to the other servers with multiserver. Only the server where the zone is signed has an unsigned zonefile and keyfiles. Only file transferred is the domain.com.db.signed file and on the other server this is just renamed to domain.com.db.

Original server files	Files on other server (transferred by multiserver)
domain.com.db
domain.com.db.signed	=> domain.com.db
domain.com.ksk.key
domain.com.ksk.private
domain.com.zsk.key
domain.com.zsk.private