In message <4d0f00dd.9060...@data.pl>, Torinthiel writes:
> On 12/20/10 01:32, Mark Andrews wrote:
> > In message <4d0e8340.9060...@data.pl>, Torinthiel writes:
> >
> >> Hello everyone,
> >>
> >> I've recently updated bind to version 9.7.2_p3.
> >>
> > Upgraded from what?
> >
>
> From 9.4.3_p5
>
> >
> >> I've been using DLV before that, specifically dlv.isc.org, with two
> >> entries in named.conf
> >>
> >> options {
> >>     dnssec-lookaside . trust-anchor dlv.isc.org.;
> >> };
> >> trusted-keys{
> >>     [sometext]
> >> };
> >>
> >> and it was working fine.
> >> However, on update I've wanted to try managed-keys. so changed
> >> trusted-keys to managed-keys (and added initial key of course)
> >>
> >> so the relevant part of config file now looks like this:
> >>
> >> managed-keys {
> >>     dlv.isc.org. initial-key 257 3 5
> >>     "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
> >>     brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
> >>     1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
> >>     ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
> >>     Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
> >>     QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
> >> };
> >>
> >>
> >> this has caused a problem, every query caused error, no answers and these
> >> log entries:
> >>
> >> Dec 19 21:22:38 sarlac named[4137]: validating @0xb48c0030: dlv.isc.org
> >> DNSKEY: must be secure failure, . is under DLV (startfinddlvsep)
> >> Dec 19 21:22:38 sarlac named[4137]: error (must-be-secure) resolving
> >> 'dlv.isc.org/DNSKEY/IN': 156.154.101.23#53
> >>
> > And what other errors were logged by named when it started?
> >
> None.
> Complete startup log sequence:
> Dec 20 07:49:14 sarlac named[4137]: loading configuration from
> '/etc/bind/named.conf'
> Dec 20 07:49:14 sarlac named[4137]: reading built-in trusted keys from
> file '/etc/bind/bind.keys'
> Dec 20 07:49:14 sarlac named[4137]: using default UDP/IPv4 port range:
> [1024, 65535]
> Dec 20 07:49:14 sarlac named[4137]: using default UDP/IPv6 port range:
> [1024, 65535]
> Dec 20 07:49:14 sarlac named[4137]: set up managed keys zone for view
> _default, file 'managed-keys.bind'
> Dec 20 07:49:14 sarlac named[4137]: reloading configuration succeeded
> Dec 20 07:49:15 sarlac named[4137]: managed-keys-zone ./IN: loaded serial 16
> Dec 20 07:49:15 sarlac named[4137]: zone torinthiel.pl/IN: loaded serial
> 2010110801
> Dec 20 07:49:15 sarlac named[4137]: reloading zones succeeded
> Dec 20 07:49:15 sarlac named[4137]: zone torinthiel.pl/IN: sending
> notifies (serial 2010110801)
>
> >> After some googling and finding
> >> http://www.mail-archive.com/bind-users@lists.isc.org/msg06660.html
> >> and even better
> >> http://www.mail-archive.com/bind-users@lists.isc.org/msg05689.html
> >>
> >> I've changed to dnssec-lookaside auto. Lo and behold, everything works
> >> fine.
> >>
> > And the contents of /etc/bind.key are? Also the contents in the
> > chroot area if you are using chroot.
> >
> Changed /etc/bind.keys to /etc/bind/bind.keys, via config (and it reads
> it, you can see in logs). Contents were given in first post, only I
> haven't mentioned it was in /etc/bind/bind.keys.
> The managed-keys statement is the sole statement in /etc/bind/bind.keys
> and is not present in main config file.
> Ok, this was the problem. Having included the file as well as specified
> it at bindkeys-file seems to have solved the problem. Ok, now the
> documentation seems a bit unclear about it. It never states that the
> file is included nor that it's not. But having information that it loads
> the given file (in dnssec-lookaside description) and information that
> file is loaded in logs has given me a false sense of security in this
> case. Is this double-include (sort of) configuration what I was supposed
> to do? Will it work correctly after a key rollover?

Including a trusted/managed-key multiple times won't hurt. It should work
correctly after key rollover.

> Also, another question arises: can one include more than one
> bindkeys-file and/or dnssec-lookaside in config? The documentation hints
> that at least the latter is possible, but does not state so. And having
> multiple bindkeys-file is useful if you have locally-configured keys,
> for which using the main file is not recommended.

Only one dnssec-lookaside clause is supported. Multiple trusted-keys/managed
keys clauses are supported.

> Skipping rest of answers, as problem is (mostly) solved.
> Regards,
> Torinthiel

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
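The misconfiguration in this thread (an explicit `dnssec-lookaside ... trust-anchor` clause whose managed-keys entry lives only in the file named by `bindkeys-file`, which named reads for `dnssec-lookaside auto` but does not splice into named.conf) can be caught before a restart with a small configuration lint. The script below is an added example, not code from the thread or from ISC. The three named.conf variants and the bind.keys file are constructed stand-ins, the key material is a placeholder rather than the real DLV key, and the parsing is a simplified regex pass over named.conf syntax, not BIND's own parser.

```python
"""Lint a BIND 9.7-style named.conf for the managed-keys / bindkeys-file trap.
Added example with constructed inputs; regex-based, not BIND's real parser."""
import re

# Constructed stand-in for /etc/bind/bind.keys (placeholder key data).
BIND_KEYS = '''
managed-keys {
    dlv.isc.org. initial-key 257 3 5 "KEYDATA-PLACEHOLDER";
};
'''

# Layout that failed in the thread: explicit trust-anchor, but the
# managed-keys block exists only in bind.keys, which is never included.
BROKEN_CONF = '''
options {
    bindkeys-file "/etc/bind/bind.keys";
    dnssec-lookaside . trust-anchor dlv.isc.org.;
};
'''

# First fix from the thread: include the file so the keys are actually loaded.
INCLUDE_FIX_CONF = BROKEN_CONF + 'include "/etc/bind/bind.keys";\n'

# Second fix from the thread: dnssec-lookaside auto reads bindkeys-file itself.
AUTO_FIX_CONF = '''
options {
    bindkeys-file "/etc/bind/bind.keys";
    dnssec-lookaside auto;
};
'''

# In-memory file map standing in for the filesystem.
FILES = {"/etc/bind/bind.keys": BIND_KEYS}


def strip_comments(text):
    """Drop /* */, // and # comments, leaving quoted strings (key data) intact."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r'"[^"]*"|(?://|#).*',
                  lambda m: m.group(0) if m.group(0).startswith('"') else "", text)


def expand_includes(text, files):
    """Splice `include "path";` statements from the in-memory file map."""
    def splice(m):
        path = m.group(1)
        if path not in files:
            raise FileNotFoundError(path)
        return expand_includes(strip_comments(files[path]), files)
    return re.sub(r'include\s+"([^"]+)"\s*;', splice, text)


def normalize(name):
    """Case-fold and drop the trailing dot so anchor and key names compare equal."""
    return name.lower().rstrip(".") or "."


def key_names(text):
    """Owner names of every key inside trusted-keys / managed-keys blocks."""
    names = set()
    for block in re.finditer(r"(?:trusted-keys|managed-keys)\s*\{(.*?)\};", text, flags=re.S):
        for key in re.finditer(r'([A-Za-z0-9.\-]+)\s+(?:initial-key\s+)?\d+\s+\d+\s+\d+\s+"',
                               block.group(1)):
            names.add(normalize(key.group(1)))
    return names


def lint(conf_text, files):
    """Return a list of findings; an empty list means the lookaside setup is consistent."""
    text = expand_includes(strip_comments(conf_text), files)
    loaded = key_names(text)
    findings = []
    bkf = re.search(r'bindkeys-file\s+"([^"]+)"\s*;', text)
    for m in re.finditer(r"dnssec-lookaside\s+(auto|([^\s;]+)\s+trust-anchor\s+([^\s;]+))\s*;", text):
        if m.group(1) == "auto":
            # auto mode relies on bindkeys-file; a missing file means built-in keys are used.
            if bkf and bkf.group(1) not in files:
                findings.append(f"bindkeys-file {bkf.group(1)} is missing; "
                                "named will fall back to its built-in keys")
            continue
        anchor = normalize(m.group(3))
        if anchor not in loaded:
            findings.append(f"trust-anchor {anchor} has no trusted-keys/managed-keys entry in the "
                            "loaded configuration; bindkeys-file is read for 'dnssec-lookaside auto' "
                            "only and is not included into named.conf")
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("include fix", INCLUDE_FIX_CONF),
                        ("auto fix", AUTO_FIX_CONF)):
        print(f"{label}: {lint(conf, FILES) or 'OK'}")
```

The broken layout yields one finding naming dlv.isc.org; both fixes from the thread (including bind.keys, or switching to `dnssec-lookaside auto`) lint clean. Because a duplicated key entry is harmless, as Mark notes, the lint does not complain when the same key is loaded both via `include` and via `bindkeys-file`.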