Re: Question about managed-keys-zone

2016-04-08 Thread Bjoern Kahl
On 08.04.16 at 16:11, Bhangui, Sandeep - BLS CTR wrote:
> Thanks Jeremy
> 
> 
> Logging section from named.conf
> 
> logging {
> channel "named-log" {
> file "/usr/local/named-jail9.10.3P4/var/adm/named.log" 
> versions 3 size 30m;

That is wrong, if your named runs in a chroot jail (guessing from
"named-jail9.10.3P4" you run it in a jail).

Assuming your named jail is "/usr/local/named-jail9.10.3P4", you must
name the file relative to the jail, i.e. "/var/adm/named.log".

Note the leading "/" in the file name.  When running chroot jailed,
named sets the root "/" of its view of the file system early in startup,
so all paths need to be specified starting from the new root.


> severity info;
> print-time yes; print-category yes; print-severity yes;
> };
> 
> channel "named-lame" {
> file "/usr/local/named-jail9.10.3P4/var/adm/named.lame" 
> versions 3 size 30m;
> severity info;
> print-time yes; print-category yes; print-severity yes;
> };
> 
> channel "named-querylog" {
> file "/usr/local/named-jail9.10.3P4/var/adm/named.querylog" 
> versions 3 size 30m;
> severity dynamic;
> print-time yes; print-category yes; print-severity yes;
> };
> 
> category "general" { "named-log"; };
> category "security" { "named-log"; };
> category "xfer-in" { "named-log"; };
> category "xfer-out" { "named-log"; };
> category "client" { "named-log"; };
> category "update" { "named-log"; };
> category "lame-servers" { "named-lame"; };
> category "queries" { "named-querylog"; };
> category edns-disabled { null; };
> /* category "delegation-only" { "named-querylog"; }; */
> };
> 
> 
> And yes the directory "/usr/local/named-jail9.10.3P4/var/adm/" exists and the 
> files are there, owned by named:named.
> 
> I know that using rndc is a good practice, but is there an option to specify in 
> named.conf to disable it?
> 
> -Original Message-
> From: Jeremy C. Reed [mailto:jr...@isc.org] 
> Sent: Friday, April 08, 2016 9:37 AM
> To: Bhangui, Sandeep - BLS CTR <bhangui.sand...@bls.gov>
> Cc: Bind Users Mailing List <bind-users@lists.isc.org>
> Subject: Re: Question about managed-keys-zone
> 
> On Fri, 8 Apr 2016, Bhangui, Sandeep - BLS CTR wrote:
> 
> 
>> '--enable-newstats' '--with-libxml2' '--enable-fullreport' 'CFLAGS=-O2
> 
> Unrelated to your problem, but the --enable-newstats configure switch is not 
> used for BIND 9.10.
> 
>> 1. Cannot seem to start named and it seems that it is looking for some 
>> keys to validate locally.
> 
> (I reordered your email some:)
> 
>> Apr 7 15:15:32 cfdnsquar01 named[37952]: isc_stdio_open '/usr/local/named-jail9.10.3P4/var/adm/named.log' failed: file not found
>> Apr 7 15:15:32 cfdnsquar01 named[37952]: configuring logging: file not found
>> Apr 7 15:15:32 cfdnsquar01 named[37952]: loading configuration: file not found
>> Apr  7 15:15:32 cfdnsquar01 named[37952]: exiting (due to fatal error)
> 
> Your named cannot start due to logging configuration. You didn't share your 
> configuration related to it, but does the directory 
> /usr/local/named-jail9.10.3P4/var/adm/ exist?
> 
>  
>> I believe managed-key-zone validation is by default enabled in 
>> Bind..is there an option that I can use in named.conf file to 
>> disable that so that it does not look for the key..I guess this is 
>> just a self-validation on the master itself and has nothing to do with 
>> DNSSEC signing as it seems I am not even able to get the named up...
> 
> Yes, it is unrelated.
> 
>> I guess question is do I have an option that I can specify such that 
>> it will not look for self-validation keys at all so that I do not have 
>> to deal with rndc.key and rndc.conf or is this something I cannot get 
>> by with when I use "views" ? Or am I not understanding this properly?
> 
> The rndc keys (used for connecting to the control interface) are unrelated to 
> the keys used with DNSSEC.  But for operations it is a good idea. See the ARM 
> and/or rndc-confgen manpage about generating the rndc configuration.
> 
> Let's get your named startup working first before we work on your 

RE: Question about managed-keys-zone

2016-04-08 Thread Jeremy C. Reed
On Fri, 8 Apr 2016, Bhangui, Sandeep - BLS CTR wrote:

> Thanks Jeremy
> 
> 
> Logging section from named.conf
> 
> logging {
> channel "named-log" {
> file "/usr/local/named-jail9.10.3P4/var/adm/named.log" 
> versions 3 size 30m;
...
 
> category "general" { "named-log"; };
...

> And yes the directory "/usr/local/named-jail9.10.3P4/var/adm/" exists 
> and the files are there, owned by named:named.

The error:
  isc_stdio_open '/usr/local/named-jail9.10.3P4/var/adm/named.log' 
  failed: file not found
happens when the directory doesn't exist as one example.

What switches are you using to start named?

(The top of the logging output was excluded in previous email which 
should show the "starting BIND 9.10.3-P4" and "built with" lines.)
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RE: Question about managed-keys-zone

2016-04-08 Thread Jeremy C. Reed
On Fri, 8 Apr 2016, Bhangui, Sandeep - BLS CTR wrote:

> I know that using rndc is a good practice, but is there an option to 
> specify in named.conf to disable it?

It is disabled by default because there is no complete command channel 
configuration in the first place, but this will make it so it doesn't 
even try to enable it:

controls { };



RE: Question about managed-keys-zone

2016-04-08 Thread Bhangui, Sandeep - BLS CTR
Thanks Jeremy


Logging section from named.conf

logging {
channel "named-log" {
file "/usr/local/named-jail9.10.3P4/var/adm/named.log" versions 
3 size 30m;
severity info;
print-time yes; print-category yes; print-severity yes;
};

channel "named-lame" {
file "/usr/local/named-jail9.10.3P4/var/adm/named.lame" 
versions 3 size 30m;
severity info;
print-time yes; print-category yes; print-severity yes;
};

channel "named-querylog" {
file "/usr/local/named-jail9.10.3P4/var/adm/named.querylog" 
versions 3 size 30m;
severity dynamic;
print-time yes; print-category yes; print-severity yes;
};

category "general" { "named-log"; };
category "security" { "named-log"; };
category "xfer-in" { "named-log"; };
category "xfer-out" { "named-log"; };
category "client" { "named-log"; };
category "update" { "named-log"; };
category "lame-servers" { "named-lame"; };
category "queries" { "named-querylog"; };
category edns-disabled { null; };
/* category "delegation-only" { "named-querylog"; }; */
};


And yes the directory "/usr/local/named-jail9.10.3P4/var/adm/" exists and the 
files are there, owned by named:named.

I know that using rndc is a good practice, but is there an option to specify in 
named.conf to disable it?

-Original Message-
From: Jeremy C. Reed [mailto:jr...@isc.org] 
Sent: Friday, April 08, 2016 9:37 AM
To: Bhangui, Sandeep - BLS CTR <bhangui.sand...@bls.gov>
Cc: Bind Users Mailing List <bind-users@lists.isc.org>
Subject: Re: Question about managed-keys-zone

On Fri, 8 Apr 2016, Bhangui, Sandeep - BLS CTR wrote:


> '--enable-newstats' '--with-libxml2' '--enable-fullreport' 'CFLAGS=-O2

Unrelated to your problem, but the --enable-newstats configure switch is not 
used for BIND 9.10.

> 1. Cannot seem to start named and it seems that it is looking for some 
> keys to validate locally.

(I reordered your email some:)

> Apr 7 15:15:32 cfdnsquar01 named[37952]: isc_stdio_open '/usr/local/named-jail9.10.3P4/var/adm/named.log' failed: file not found
> Apr 7 15:15:32 cfdnsquar01 named[37952]: configuring logging: file not found
> Apr 7 15:15:32 cfdnsquar01 named[37952]: loading configuration: file not found
> Apr  7 15:15:32 cfdnsquar01 named[37952]: exiting (due to fatal error)

Your named cannot start due to logging configuration. You didn't share your 
configuration related to it, but does the directory 
/usr/local/named-jail9.10.3P4/var/adm/ exist?

 
> I believe managed-key-zone validation is by default enabled in 
> Bind..is there an option that I can use in named.conf file to 
> disable that so that it does not look for the key..I guess this is 
> just a self-validation on the master itself and has nothing to do with 
> DNSSEC signing as it seems I am not even able to get the named up...

Yes, it is unrelated.

> I guess question is do I have an option that I can specify such that 
> it will not look for self-validation keys at all so that I do not have 
> to deal with rndc.key and rndc.conf or is this something I cannot get 
> by with when I use "views" ? Or am I not understanding this properly?

The rndc keys (used for connecting to the control interface) are unrelated to 
the keys used with DNSSEC.  But for operations it is a good idea. See the ARM 
and/or rndc-confgen manpage about generating the rndc configuration.

Let's get your named startup working first before we work on your goal. 
(If I understand correctly, you want named to serve internally unsigned zones, 
an external appliance will sign the zones, and then named can then serve the 
signed zones publicly.)



Re: Question about managed-keys-zone

2016-04-08 Thread Jeremy C. Reed
On Fri, 8 Apr 2016, Bhangui, Sandeep - BLS CTR wrote:


> '--enable-newstats' '--with-libxml2' '--enable-fullreport' 'CFLAGS=-O2 

Unrelated to your problem, but the --enable-newstats configure switch is 
not used for BIND 9.10.

> 1. Cannot seem to start named and it seems that it is looking for some 
> keys to validate locally.

(I reordered your email some:)

> Apr 7 15:15:32 cfdnsquar01 named[37952]: isc_stdio_open 
> '/usr/local/named-jail9.10.3P4/var/adm/named.log' failed: file not 
> found
> Apr 7 15:15:32 cfdnsquar01 named[37952]: configuring logging: file not 
> found
> Apr 7 15:15:32 cfdnsquar01 named[37952]: loading configuration: file 
> not found
> Apr  7 15:15:32 cfdnsquar01 named[37952]: exiting (due to fatal error)

Your named cannot start due to logging configuration. You didn't share 
your configuration related to it, but does the directory
/usr/local/named-jail9.10.3P4/var/adm/ exist?

 
> I believe managed-key-zone validation is by default enabled in 
> Bind..is there an option that I can use in named.conf file to 
> disable that so that it does not look for the key..I guess this is 
> just a self-validation on the master itself and has nothing to do with 
> DNSSEC signing as it seems I am not even able to get the named up...

Yes, it is unrelated.

> I guess question is do I have an option that I can specify such that 
> it will not look for self-validation keys at all so that I do not have 
> to deal with rndc.key and rndc.conf or is this something I cannot get 
> by with when I use "views" ? Or am I not understanding this properly?

The rndc keys (used for connecting to the control interface) are 
unrelated to the keys used with DNSSEC.  But for operations it is a good 
idea. See the ARM and/or rndc-confgen manpage about generating the rndc 
configuration.

Let's get your named startup working first before we work on your goal. 
(If I understand correctly, you want named to serve internally unsigned 
zones, an external appliance will sign the zones, and then named can 
then serve the signed zones publicly.)


Question about managed-keys-zone

2016-04-08 Thread Bhangui, Sandeep - BLS CTR
Hi

I am trying to do a simple proof of concept test for DNSSEC signing for our 
organization.

We are an agency under DOL and the plan is to use a DNSSECsigner appliance 
hosted at DOL to sign the zones so that we do not have to do DNSSEC key 
management.

So basically the configuration is: from our DNS server we send unsigned zones to 
the DNSSECSIGNER appliance, physically hosted at a different location; it does 
the DNSSEC signing and sends the signed zones back to our master, and we then 
present the DNSSEC signed zones for our zone to the world. All DNSSEC key 
management will be done by the DNSSECSIGNER appliance, meaning DNSSEC key 
management is not done by our agency.

Running 9.10.3P4 on Red Hat Linux 6.x

Was compiled using the following options.

Apr  7 15:15:32 cfdnsquar01 named[37952]: built with 
'--prefix=/usr/local/named-jail9.10.3P4' 
'--sysconfdir=/usr/local/named-jail9.10.3P4/etc' 
'--mandir=/usr/local/named-jail9.10.3P4/usr/man' 
'--bindir=/usr/local/named-jail9.10.3P4/usr/bin' 
'--sbindir=/usr/local/named-jail9.10.3P4/usr/sbin' 
'--libexecdir=/usr/local/named-jail9.10.3P4/usr/libexec' 
'--sharedstatedir=/usr/local/named-jail9.10.3P4/usr/shared' 
'--localstatedir=/usr/local/named-jail9.10.3P4/var' 
'--libdir=/usr/local/named-jail9.10.3P4/usr/lib' 
'--includedir=/usr/local/named-jail9.10.3P4/usr/include' 
'--with-randomdev=/dev/urandom' '--disable-static' '--with-openssl' 
'--disable-openssl-version-check' '--enable-ipv6' '--enable-fixed-rrset' 
'--enable-rrl' '--enable-largefile' '--enable-newstats' '--with-libxml2' 
'--enable-fullreport' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 
-fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

Relevant parts of named.conf are as follows.


options {
    version "None";
    recursive-clients 2000;
    listen-on-v6 { any; };
    auth-nxdomain no;
    directory "/usr/named";
    check-names master ignore;
    check-names slave ignore;
    check-names response ignore;
    allow-transfer { 10.183.168.21; 10.183.168.22; 198.6.1.115; 198.6.1.154; };
    allow-query { bls; };
    allow-recursion { bls; };
    allow-query-cache { bls; };
    empty-zones-enable no;
    masterfile-format text;
    interface-interval 0;
};


controls {
    inet 127.0.0.1 allow { localhost; };
};


view "unsigned" {
    zone "149.10.in-addr.arpa" {
        type master;
        file "/usr/named/test.rev";
    };

    match-clients { 10.1.1.1; };    // DNSSEC appliance hosted at other place.
    zone "joe.com" {
        type master;
        file "/usr/named/testunsigned.hosts";
        also-notify { 10.1.1.1; };  // DNSSEC appliance hosted at other place.
    };
};
view "signed" {
    match-clients { any; };
    zone "149.10.in-addr.arpa" {
        type master;
        file "/usr/named/test.rev";
        allow-query { any; };
    };
    zone "joe.com" {
        type slave;
        file "/usr/named/test.hosts";
        masters { 10.1.1.2; };      // DNSSEC appliance hosted at other place.
        allow-query { any; };
    };
};


Problem,

1. Cannot seem to start named and it seems that it is looking for some keys to 
validate locally.

I believe managed-key-zone validation is by default enabled in Bind.. is 
there an option that I can use in named.conf file to disable that so that it 
does not look for the key.. I guess this is just a self-validation on the 
master itself and has nothing to do with DNSSEC signing, as it seems I am not 
even able to get the named up...

I guess the question is: do I have an option that I can specify such that it will 
not look for self-validation keys at all, so that I do not have to deal with 
rndc.key and rndc.conf, or is this something I cannot get by with when I use 
"views"? Or am I not understanding this properly?

If there is no option to disable the key check, can I just put the secret key 
generated (looks like the log below has some keys) in the rndc.key file for 
self-validation; will that work?

Any advice suggestions??  

Apr  7 15:15:32 cfdnsquar01 named[37952]: BIND 9 is maintained by Internet Systems Consortium,
Apr  7 15:15:32 cfdnsquar01 named[37952]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Apr  7 15:15:32 cfdnsquar01 named[37952]: corporation.  Support and training for BIND 9 are
Apr  7 15:15:32 cfdnsquar01 named[37952]: available at https://www.isc.org/support
Apr  7 15:15:32 cfdnsquar01 named[37952]:
Apr  7 15:15:32 cfdnsquar01 named[37952]: adjusted limit on open files from 4096 to 1048576
Apr  7 15:15:32 cfdnsquar01 named[37952]: found 32 CPUs, using 32 worker threads
Apr  7 15:15:32 cfdnsquar01