[update, solved] It was apparmor, which was lying about being inactive. Ubuntu's default profile denies bind write access to its config directory. Needed to add /etc/bind/dnskeys/** rw, reload apparmor, and it's all good.
Trying to switch my internal domain from auto-dnssec maintain to dnssec-policy default.
Zone is signed but not secure and logs are full of
zone_rekey:dns_dnssec_keymgr failed: error occurred writing key to disk
key-directory is /etc/bind/dnskeys, owned bind:bind, and named runs as bind
I've set every directory I could think of to 777: /etc/bind, /etc/bind/dnskeys, /var/lib/bind, /var/cache/bind, /var/log/bind. I disabled apparmor, in case it was blocking.
A signed zone file appears, but I can't dig any DNSKEYs or RRSIGs. named-checkzone says there's nsec records in the signed file, so something is happening, but I'm guessing it all stops when keymgr fails to write the key.
I tried manually generating a key and sticking it in dnskeys, but this doesn't appear to be used.
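An added example, not part of the original post: a small filter that picks AppArmor denials for named under the key-directory out of kernel audit lines and derives the profile rule they call for. The log lines are constructed samples, and the accepted profile names ("named" and "/usr/sbin/named") are assumptions about how the profile is labelled on a given release.

```python
import re

# Constructed sample kernel audit lines (not taken from the original post).
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.101:41): apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/dnskeys/Kexample.internal.+013+12345.key" pid=812 comm="isc-net-0000" requested_mask="c" denied_mask="c" fsuid=110 ouid=110
audit: type=1400 audit(1700000000.102:42): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/bind/dnskeys/Kexample.internal.+013+12345.state" pid=812 comm="isc-net-0000" requested_mask="wr" denied_mask="wr" fsuid=110 ouid=110
audit: type=1400 audit(1700000000.103:43): apparmor="ALLOWED" operation="open" profile="named" name="/etc/bind/named.conf" pid=812 comm="named" requested_mask="r" denied_mask="r" fsuid=110 ouid=110
audit: type=1400 audit(1700000000.104:44): apparmor="DENIED" operation="open" profile="cupsd" name="/etc/bind/dnskeys/x" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Assumption: the named profile is reported under one of these labels.
NAMED_PROFILES = {"named", "/usr/sbin/named"}
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def named_denials(log_text, key_dir="/etc/bind/dnskeys"):
    """Collect DENIED events for the named profile on paths under key_dir."""
    prefix = key_dir.rstrip("/") + "/"
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("apparmor") != "DENIED":
            continue  # ALLOWED is complain-mode logging, not a block
        if ev.get("profile") not in NAMED_PROFILES:
            continue
        if ev.get("name", "").startswith(prefix):
            hits.append(ev)
    return hits


def suggest_rule(denials, key_dir="/etc/bind/dnskeys"):
    """Map denied audit masks to a profile rule; 'w' covers c, d and a."""
    masks = set("".join(ev.get("denied_mask", "") for ev in denials))
    perms = ("r" if "r" in masks else "") + ("w" if masks & set("wcda") else "")
    return f"{key_dir.rstrip('/')}/** {perms}," if perms else None


if __name__ == "__main__":
    found = named_denials(SAMPLE_LOG)
    print(len(found), "denial(s); suggested rule:", suggest_rule(found))
```

If this reports denials while permissions on the directory are already wide open, the profile is still being enforced, which is the situation described in the update above.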
As an old fart, I actively dislike photorealistic graphics in most cases. I'm playing a game, and I kind of want it to look like a game, which generally means more surrealistic - exaggerated contrast, high saturation, low texture - than realistic. I'd rather play where the characters look like caricatures than my next door neighbor. And that doesn't even go into great games with sprite-like graphics.
Enough is enough. You've saturated the art budget, it's time to pay writers more.