Re: auto-dnssec maintain and no key: no error message?
> When I run a BIND with "auto-dnssec maintain" and "inline-signing
> yes", if I create no key, there is no error message and, worse, the
> log file says the zone is signed:

Thanks for pointing this out. It's not really an error, but the log should certainly be clearer about what's going on.

An inline-signing zone is represented internally as *two* zone objects, one to hold the original unsigned data, and the other the signed. These zones are differentiated in the log file by the labels "(unsigned)" and "(signed)", regardless of whether signing has in fact taken place yet.

A zone that is to be signed, but can't find a key to sign with, simply waits quietly until a key is provided. Presumably you're planning to create the keys and run "rndc loadkeys" later. We ought to be logging this condition, but it's not an error. If you report this to bind9-b...@isc.org we'll address it.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: auto-dnssec maintain and no key: no error message?
On Tue, Jul 30, 2013 at 09:50:46AM -0500, Jeremy C. Reed wrote a message of 7 lines which said:

> > Of course, there is no signature:
> >
> > % dig +multi @localhost SOA auto.rd.nic.fr
>
> Add +dnssec

[I thought it was in my .digrc.] It changes nothing. Without a key, BIND could not create signatures.

% dig +multi +dnssec @localhost SOA auto.rd.nic.fr

; <<>> DiG 9.9.2-P1 <<>> +multi +dnssec @localhost SOA auto.rd.nic.fr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13678
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;auto.rd.nic.fr.        IN SOA

;; ANSWER SECTION:
auto.rd.nic.fr.         86400 IN SOA 10.200.0.73. bortzmeyer.nic.fr. (
                                2013073000 ; serial
                                30480      ; refresh (8 hours 28 minutes)
                                26400      ; retry (7 hours 20 minutes)
                                2419200    ; expire (4 weeks)
                                86400      ; minimum (1 day)
                                )

;; AUTHORITY SECTION:
auto.rd.nic.fr.         86400 IN NS ns1.bortzmeyer.org.
auto.rd.nic.fr.         86400 IN NS ns1.auto.rd.nic.fr.

;; ADDITIONAL SECTION:
ns1.auto.rd.nic.fr.     86400 IN A 109.26.74.172

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 30 16:55:24 2013
;; MSG SIZE  rcvd: 167
Re: auto-dnssec maintain and no key: no error message?
On Tue, 30 Jul 2013, Stephane Bortzmeyer wrote:

> Of course, there is no signature:
>
> % dig +multi @localhost SOA auto.rd.nic.fr

Add +dnssec
auto-dnssec maintain and no key: no error message?
When I run a BIND with "auto-dnssec maintain" and "inline-signing yes", if I create no key, there is no error message and, worse, the log file says the zone is signed:

Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (unsigned): loaded serial 2013073000
Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (signed): loaded serial 2013073000
Jul 30 16:31:42 u12-33673 named[1605]: all zones loaded
Jul 30 16:31:42 u12-33673 named[1605]: running
Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (signed): receive_secure_serial: unchanged
Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (signed): reconfiguring zone keys
Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (signed): next key event: 30-Jul-2013 17:31:42.009
Jul 30 16:31:42 u12-33673 named[1605]: zone auto.rd.nic.fr/IN (signed): sending notifies (serial 2013073000)

Of course, there is no signature:

% dig +multi @localhost SOA auto.rd.nic.fr

; <<>> DiG 9.9.2-P1 <<>> +multi @localhost SOA auto.rd.nic.fr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57439
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;auto.rd.nic.fr.        IN SOA

;; ANSWER SECTION:
auto.rd.nic.fr.         86400 IN SOA 10.200.0.73. bortzmeyer.nic.fr. (
                                2013073000 ; serial
                                30480      ; refresh (8 hours 28 minutes)
                                26400      ; retry (7 hours 20 minutes)
                                2419200    ; expire (4 weeks)
                                86400      ; minimum (1 day)
                                )

;; AUTHORITY SECTION:
auto.rd.nic.fr.         86400 IN NS ns1.bortzmeyer.org.
auto.rd.nic.fr.         86400 IN NS ns1.auto.rd.nic.fr.

;; ADDITIONAL SECTION:
ns1.auto.rd.nic.fr.     86400 IN A 109.26.74.172

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 30 16:38:00 2013
;; MSG SIZE  rcvd: 167

IMHO, BIND should clearly log there is something missing.

BIND 9.9.2-P1 (the version in the last Ubuntu server)
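Since the "(signed)" label in the log does not mean signatures exist, the condition described in this thread has to be caught from the wire. The following is an added example, not code from the thread or from ISC: it parses the text output of a `dig +dnssec` query, as pasted above, and reports whether the answer carries an RRSIG for the queried type, refusing to draw a conclusion when the DO bit was not set (Jeremy's point about `+dnssec`). The sample answers are constructed, abridged from the thread, and the RRSIG values in the signed variant are placeholders.

```python
import re

# Constructed sample, abridged from the "+dnssec" query in the thread:
# the DO bit is set and the SOA comes back, but no RRSIG accompanies it.
UNSIGNED_ANSWER = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;auto.rd.nic.fr.\t\tIN\tSOA
;; ANSWER SECTION:
auto.rd.nic.fr.\t86400\tIN\tSOA\t10.200.0.73. bortzmeyer.nic.fr. (
\t\t\t\t2013073000 ; serial
\t\t\t\t)
;; AUTHORITY SECTION:
auto.rd.nic.fr.\t86400\tIN\tNS\tns1.bortzmeyer.org.
"""

# Constructed: the same answer once a key exists and inline signing has
# run.  The RRSIG rdata values are placeholders, not a real signature.
SIGNED_ANSWER = UNSIGNED_ANSWER.replace(
    ";; AUTHORITY SECTION:",
    "auto.rd.nic.fr.\t86400\tIN\tRRSIG\tSOA 8 3 86400 (\n"
    "\t\t\t\t20130829000000 20130730000000 12345 auto.rd.nic.fr.\n"
    "\t\t\t\tPLACEHOLDERSIGNATURE== )\n;; AUTHORITY SECTION:")

def do_bit_set(text):
    """True if the EDNS flags line shows 'do', i.e. +dnssec was used."""
    m = re.search(r"^; EDNS: .*flags:([^;]*);", text, re.M)
    return bool(m) and "do" in m.group(1).split()

def answer_records(text):
    """Yield the whitespace-split fields of each RR line in the ANSWER
    section, skipping the indented continuation lines of multi-line RRs."""
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; "):
            in_answer = line.startswith(";; ANSWER SECTION")
        elif in_answer and line and not line[0].isspace():
            fields = line.split()
            if len(fields) >= 4 and fields[2] == "IN":
                yield fields

def check_signed(text, qtype="SOA"):
    """Return 'no-do' when the query did not set the DO bit (absence of
    RRSIGs then proves nothing), 'signed' when an RRSIG covering qtype is
    in the answer, else 'unsigned' (the silent condition in the thread)."""
    if not do_bit_set(text):
        return "no-do"
    covered = {f[4] for f in answer_records(text) if f[3] == "RRSIG" and len(f) > 4}
    return "signed" if qtype in covered else "unsigned"
```

Feeding it the output of `dig +multi +dnssec @localhost SOA auto.rd.nic.fr` from the thread yields "unsigned", which is the alert a monitor should raise for a zone that named reports as "(signed)".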