In message <4d0f00dd.9060...@data.pl>, Torinthiel writes:
> On 12/20/10 01:32, Mark Andrews wrote:
> > In message <4d0e8340.9060...@data.pl>, Torinthiel writes:
> >   
> >> Hello everyone,
> >>
> >> I've recently updated bind to version 9.7.2_p3.
> >>     
> > Upgraded from what?
> >   
> 
> From 9.4.3_p5
> 
> >  
> >   
> >> I've been using DLV before that, specifically dlv.isc.org, with two
> >> entries in named.conf
> >>
> >> options {
> >> dnssec-lookaside . trust-anchor dlv.isc.org.;
> >> };
> >> trusted-keys{
> >> [sometext]
> >> };
> >>
> >> and it was working fine.
> >> However, on update I've wanted to try managed-keys. so changed
> >> trusted-keys to managed-keys (and added initial key of course)
> >>
> >> so the relevant part of config file now looks like this:
> >>
> >> managed-keys {
> >> dlv.isc.org. initial-key 257 3 5
> >> "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
> >> brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
> >> 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
> >> ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
> >> Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
> >> QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
> >> };
> >>
> >>
> >> this has caused problem, every query caused error, no answers and these
> >> log entries:
> >>
> >> Dec 19 21:22:38 sarlac named[4137]: validating @0xb48c0030: dlv.isc.org
> >> DNSKEY: must be secure failure,  . is under DLV (startfinddlvsep)
> >> Dec 19 21:22:38 sarlac named[4137]: error (must-be-secure) resolving
> >> 'dlv.isc.org/DNSKEY/IN': 156.154.101.23#53
> >>     
> > And what other errors were logged by named when it started?
> >   
> None. Complete startup log sequence:
> Dec 20 07:49:14 sarlac named[4137]: loading configuration from
> '/etc/bind/named.conf'
> Dec 20 07:49:14 sarlac named[4137]: reading built-in trusted keys from
> file '/etc/bind/bind.keys'
> Dec 20 07:49:14 sarlac named[4137]: using default UDP/IPv4 port range:
> [1024, 65535]
> Dec 20 07:49:14 sarlac named[4137]: using default UDP/IPv6 port range:
> [1024, 65535]
> Dec 20 07:49:14 sarlac named[4137]: set up managed keys zone for view
> _default, file 'managed-keys.bind'
> Dec 20 07:49:14 sarlac named[4137]: reloading configuration succeeded
> Dec 20 07:49:15 sarlac named[4137]: managed-keys-zone ./IN: loaded serial 16
> Dec 20 07:49:15 sarlac named[4137]: zone torinthiel.pl/IN: loaded serial
> 2010110801
> Dec 20 07:49:15 sarlac named[4137]: reloading zones succeeded
> Dec 20 07:49:15 sarlac named[4137]: zone torinthiel.pl/IN: sending
> notifies (serial 2010110801)
> 
> >> After some googling and finding
> >> http://www.mail-archive.com/bind-users@lists.isc.org/msg06660.html
> >> and even better
> >> http://www.mail-archive.com/bind-users@lists.isc.org/msg05689.html
> >>
> >> I've changed to dnssec-lookaside auto. Lo and behold, everything works 
> >> fine.
> >>     
> > And the contents of /etc/bind.keys are?  Also the contents in the
> > chroot area if you are using chroot.
> >   
> Changed /etc/bind.keys to /etc/bind/bind.keys, via config (and it reads
> it, you can see in logs). Contents were given in first post, only I
> haven't mentioned it was in /etc/bind/bind.keys.
> The managed-keys statement is the sole statement in /etc/bind/bind.keys
> and is not present in main config file.
> Ok, this was the problem. Having included the file as well as specified
> it at bindkeys-file seems to have solved the problem. Ok, now the
> documentation seems a bit unclear about it. It never states that the
> file is included nor that it's not. But having information that it loads
> the given file (in dnssec-lookaside description) and information that
> file is loaded in logs has given me a false sense of security in this
> case. Is this double-include (sort of) configuration what I was supposed
> to do? Will it work correctly after a key rollover?

Including a trusted/managed-key multiple times won't hurt.  It should work
correctly after key rollover.
 
> Also, another question arises: can one include more than one
> bindkeys-file and/or dnssec-lookaside in config? The documentation hints
> that at least the latter is possible, but does not state so. And having
> multiple bindkeys-file is useful if you have locally-configured keys,
> for which using the main file is not recommended.

Only one dnssec-lookaside clause is supported.
Multiple trusted-keys/managed-keys clauses are supported.
 
> Skipping rest of answers, as problem is (mostly) solved.
> Regards,
>  Torinthiel
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
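The misconfiguration in this thread (a `dnssec-lookaside . trust-anchor dlv.isc.org.` clause whose key lived only in the bindkeys-file, which was never `include`d) can be caught before named is restarted. The script below is an added example, not code from the thread, from ISC or from BIND. It walks a named.conf and the files it `include`s, collects every owner name from `trusted-keys`/`managed-keys` blocks, and reports a lookaside clause whose trust anchor is not configured, plus more than one `dnssec-lookaside` clause, which Mark says is unsupported. The files are supplied as an in-memory dict of constructed samples (with a placeholder in place of the real DLV key), and the function names `gather` and `check`, as well as the reading of the thread that a bindkeys-file is only consulted for `dnssec-lookaside auto` and is not implicitly included otherwise, are assumptions of this example rather than BIND documentation.

```python
"""Added example: static consistency check for BIND trust-anchor configuration."""
import re

# Strip /* */, // and # comments so keywords inside comments are ignored.
COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
BLOCK_RE = re.compile(r'\b(managed-keys|trusted-keys)\s*\{(.*?)\}\s*;', re.S)
LOOKASIDE_RE = re.compile(r'\bdnssec-lookaside\s+([^;]+);')
BINDKEYS_RE = re.compile(r'\bbindkeys-file\s+"([^"]+)"\s*;')
INCLUDE_RE = re.compile(r'\binclude\s+"([^"]+)"\s*;')


def canon(name):
    """Lower-case a DNS name and make it fully qualified ('.' stays '.')."""
    name = name.strip().lower()
    return name if name.endswith('.') else name + '.'


def gather(files, path, seen=None):
    """Collect anchors, lookaside and bindkeys-file clauses from path and its includes.

    files is {path: text}, an in-memory stand-in for the filesystem (assumption).
    """
    seen = seen if seen is not None else set()
    found = {'anchors': set(), 'lookaside': [], 'bindkeys': []}
    if path in seen or path not in files:
        return found
    seen.add(path)
    text = COMMENT_RE.sub('', files[path])
    for _kind, body in BLOCK_RE.findall(text):
        # Each entry is "<owner> [initial-key] <flags> <proto> <alg> "<base64>";"
        for entry in body.split(';'):
            tokens = entry.split()
            if tokens:
                found['anchors'].add(canon(tokens[0]))
    found['lookaside'] += [' '.join(m.split()) for m in LOOKASIDE_RE.findall(text)]
    found['bindkeys'] += BINDKEYS_RE.findall(text)
    for inc in INCLUDE_RE.findall(text):
        sub = gather(files, inc, seen)
        found['anchors'] |= sub['anchors']
        found['lookaside'] += sub['lookaside']
        found['bindkeys'] += sub['bindkeys']
    return found


def check(files, main='/etc/bind/named.conf'):
    """Return a list of human-readable findings; an empty list means consistent."""
    found = gather(files, main)
    findings = []
    if len(found['lookaside']) > 1:
        findings.append('multiple dnssec-lookaside clauses; only one is supported')
    for clause in found['lookaside']:
        parts = clause.split()
        if parts[0] in ('auto', 'no'):
            continue  # auto takes its key from bindkeys-file; no disables DLV
        if len(parts) == 3 and parts[1] == 'trust-anchor':
            anchor = canon(parts[2])
            if anchor not in found['anchors']:
                hint = ''
                if found['bindkeys']:
                    hint = (' (bindkeys-file %s is only consulted with "dnssec-lookaside auto";'
                            ' include it or move the key into named.conf)' % found['bindkeys'][0])
                findings.append('trust anchor %s for lookaside zone %s is not configured%s'
                                % (anchor, canon(parts[0]), hint))
        else:
            findings.append('unrecognised dnssec-lookaside clause: %s' % clause)
    return findings


# Constructed sample files mirroring the thread; the key material is a placeholder.
BROKEN = {
    '/etc/bind/named.conf': (
        'options {\n'
        '    dnssec-lookaside . trust-anchor dlv.isc.org.;  // key lives in bind.keys\n'
        '    bindkeys-file "/etc/bind/bind.keys";\n'
        '};\n'
    ),
    '/etc/bind/bind.keys': (
        'managed-keys {\n'
        '    dlv.isc.org. initial-key 257 3 5 "BASE64-KEY-PLACEHOLDER";\n'
        '};\n'
    ),
}
# The fix from the thread: include the file explicitly as well.
FIXED = {**BROKEN, '/etc/bind/named.conf':
         BROKEN['/etc/bind/named.conf'] + 'include "/etc/bind/bind.keys";\n'}
# A second lookaside clause, which BIND does not support.
DOUBLE = {**FIXED, '/etc/bind/named.conf':
          FIXED['/etc/bind/named.conf'] + 'dnssec-lookaside auto;\n'}

if __name__ == '__main__':
    for label, cfg in (('broken', BROKEN), ('fixed', FIXED), ('double', DOUBLE)):
        print(label, check(cfg) or 'OK')
```

The check is deliberately textual rather than a full named.conf grammar: it only needs the block owner names, the lookaside and bindkeys-file clauses, and the include graph, which is enough to reproduce the "must-be-secure failure" situation from the first post as a configuration finding rather than a runtime log entry.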