On Fri, 1 Oct 2010, Magali Bernard wrote:
>
> Oct 1 08:30:19 stroph named[24453]: set up managed keys zone for view
> _default, file 'managed-keys.bind'
> Oct 1 08:30:19 stroph named[24453]: managed-keys-zone ./IN: loading from
> master file managed-keys.bind failed: file not found
> Oct 1 08:30:19 stroph named[24453]: managed-keys-zone ./IN: loaded serial 0
>
> We do not sign (yet) our zones with DNSSEC, is it safe to turn off
> dnssec-lookaside, and how ?
> dnssec-lookaside no ?
dnssec-lookaside is off by default, and both DLV and the managed keys zone
relate to validation rather than serving signed zones.
The managed keys zone is used for RFC 5011 trust anchor rollover which you
can use with both DLV (via the "dnssec-lookaside auto;" setting) and the
root trust anchor (which requires a managed-keys clause as below). Bind
creates the managed keys zone if it isn't present, and the warning it logs
when it does this is benign.
DNSSEC validation on a resolver is fairly straightforward to set up now,
though people are still discovering the new mistakes they can make when
signing their zones so you may notice when your validating resolver
points this out...
managed-keys {
"." initial-key 257 3 8 "
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=
";
};
Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
ROUGH. RAIN THEN FAIR. GOOD.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
