Re: dnssec-validation auto vs yes
On Wed, Jun 12, 2019 at 8:25 PM Evan Hunt wrote:
>
> On Wed, Jun 12, 2019 at 11:40:27PM +, Shawn Zhou via bind-users wrote:
> > The default BIND9 installation for CentOS7 has dnssec-validation set to
> > "yes" and it also includes managed-keys as well. Do those managed-keys
> > get updated automatically?
>
> Yes, if the "managed-keys" statement is in named.conf (or included in
> it via an "include" statement) then the keys will be updated automatically.

... assuming that named can write to the directory. This is definitely worth double-checking.

W

> Based on what you copy-pasted, that appears to be the case.
>
> "dnssec-validation auto" causes named to use its built-in key for the root
> zone, so you don't have to put your own "managed-keys" statement into
> named.conf, but otherwise it's the same as "dnssec-validation yes".
>
> (BTW, a note in passing: we're changing the command from "managed-keys" to
> "dnssec-keys" over the next few years. The new syntax will be available in
> BIND 9.15.1, which should be out next week; the old syntax will be
> phased out later.)
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.

-- 
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: dnssec-validation auto vs yes
Shawn Zhou via bind-users wrote:
> Thanks Evan. Sounds like "dnssec-validation auto" is a more
> future-proof option for what I want it. I will use that instead.

My recommendation is to avoid configuring or installing root trust anchors, and let named handle all that itself. In BIND 9.14 and later you don't need any configuration for working DNSSEC validation :-)

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty, Forth: Cyclonic 5 to 7, occasionally gale 8 at first in Forth, becoming south or southeast 5 or 6 later. Moderate or rough. Rain, fog patches except in Forth. Moderate, occasionally very poor except in Forth.
Re: dnssec-validation auto vs yes
Thanks Evan. Sounds like "dnssec-validation auto" is a more future-proof option for what I want it. I will use that instead.

On Wednesday, June 12, 2019, 5:25:51 PM PDT, Evan Hunt wrote:

> On Wed, Jun 12, 2019 at 11:40:27PM +, Shawn Zhou via bind-users wrote:
> > The default BIND9 installation for CentOS7 has dnssec-validation set to
> > "yes" and it also includes managed-keys as well. Do those managed-keys
> > get updated automatically?
>
> Yes, if the "managed-keys" statement is in named.conf (or included in
> it via an "include" statement) then the keys will be updated automatically.
> Based on what you copy-pasted, that appears to be the case.
>
> "dnssec-validation auto" causes named to use its built-in key for the root
> zone, so you don't have to put your own "managed-keys" statement into
> named.conf, but otherwise it's the same as "dnssec-validation yes".
>
> (BTW, a note in passing: we're changing the command from "managed-keys" to
> "dnssec-keys" over the next few years. The new syntax will be available in
> BIND 9.15.1, which should be out next week; the old syntax will be
> phased out later.)
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
Re: dnssec-validation auto vs yes
On Wed, Jun 12, 2019 at 11:40:27PM +, Shawn Zhou via bind-users wrote:
> The default BIND9 installation for CentOS7 has dnssec-validation set to
> "yes" and it also includes managed-keys as well. Do those managed-keys
> get updated automatically?

Yes, if the "managed-keys" statement is in named.conf (or included in it via an "include" statement) then the keys will be updated automatically. Based on what you copy-pasted, that appears to be the case.

"dnssec-validation auto" causes named to use its built-in key for the root zone, so you don't have to put your own "managed-keys" statement into named.conf, but otherwise it's the same as "dnssec-validation yes".

(BTW, a note in passing: we're changing the command from "managed-keys" to "dnssec-keys" over the next few years. The new syntax will be available in BIND 9.15.1, which should be out next week; the old syntax will be phased out later.)

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
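Turning Evan's explanation, and the earlier "assuming that named can write to the directory" caveat, into a check, as an added example that is not from this thread or from ISC: the script below reads a named.conf, reports the dnssec-validation mode, looks for a managed-keys statement either in the file or in a file it includes (as on the CentOS 7 layout), and tests that the options "directory", where named keeps managed-keys.bind, is writable by the service account. The constructed sample configuration, the KEYDATA placeholder in place of a real anchor, the "named" account name, and the assumption of one statement per line and include paths without spaces are all mine.

```shell
#!/bin/sh
# Added example (not from the thread or from ISC): inspect a named.conf for the
# points raised above: which dnssec-validation mode is set, whether a managed-keys
# statement is present (directly or via "include"), and whether the working
# directory that named writes managed-keys.bind into is writable by its user.
# Assumes BIND 9.9-era syntax (managed-keys/trusted-keys, before dnssec-keys),
# one statement per line, and a single options "directory" clause.

# Print the dnssec-validation value (auto, yes or no), or "unset" if absent.
dnssec_validation_mode() {
    mode=$(sed -n 's/^[[:space:]]*dnssec-validation[[:space:]]*\([a-z]*\)[[:space:]]*;.*/\1/p' "$1" | head -n 1)
    if [ -n "$mode" ]; then echo "$mode"; else echo unset; fi
}

# Print the options "directory" value; managed-keys.bind is kept there.
named_directory() {
    sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Exit 0 if a statement of the given kind (managed-keys or trusted-keys) opens in
# the file or in any file it includes (one level; include paths without spaces).
has_key_statement() {
    kind="$1"; conf="$2"
    grep -q "^[[:space:]]*$kind[[:space:]]*{" "$conf" && return 0
    for inc in $(sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' "$conf"); do
        [ -r "$inc" ] && grep -q "^[[:space:]]*$kind[[:space:]]*{" "$inc" && return 0
    done
    return 1
}

# One-line verdict: auto needs no anchors; yes needs managed-keys to be maintained.
validation_summary() {
    conf="$1"
    case "$(dnssec_validation_mode "$conf")" in
        auto) echo "auto: built-in root trust anchor, no managed-keys statement needed" ;;
        yes)
            if has_key_statement managed-keys "$conf"; then
                echo "yes: managed-keys present, named tracks root key rollovers (RFC 5011)"
            elif has_key_statement trusted-keys "$conf"; then
                echo "yes: only static trusted-keys found, these are never updated automatically"
            else
                echo "yes: no trust anchor found, nothing can be validated"
            fi ;;
        no) echo "no: validation disabled" ;;
        *) echo "unset: the BIND version's compiled-in default applies" ;;
    esac
}

# Exit 0 if the directory is writable by the service account (assumed "named");
# uses sudo when not already running as that user.
keys_dir_writable() {
    dir="$1"; user="${2:-named}"
    if [ "$(id -un)" = "$user" ]; then test -w "$dir"; else sudo -n -u "$user" test -w "$dir"; fi
}

# Constructed sample in the CentOS 7 layout: root anchor in an included file.
# Usage: write_sample_conf DIR MODE; prints the path of the generated named.conf.
write_sample_conf() {
    dir="$1"; mode="$2"
    cat > "$dir/named.root.key" <<'EOF'
managed-keys {
    # placeholder for the base64 root key, not a real anchor
    . initial-key 257 3 8 "KEYDATA";
};
EOF
    cat > "$dir/named.conf" <<EOF
options {
    directory "$dir";
    dnssec-enable yes;
    dnssec-validation $mode;
};
include "$dir/named.root.key";
EOF
    echo "$dir/named.conf"
}

# Run on a real config if one is given, otherwise on the constructed sample.
if [ $# -gt 0 ]; then
    validation_summary "$1"
    keys_dir_writable "$(named_directory "$1")" && echo "directory writable by named"
else
    tmp=$(mktemp -d)
    conf=$(write_sample_conf "$tmp" yes)
    validation_summary "$conf"
    keys_dir_writable "$(named_directory "$conf")" "$(id -un)" && echo "directory writable"
    rm -rf "$tmp"
fi
```

Run it as `sh check-dnssec.sh /etc/named.conf` on a resolver (it will use sudo to test the directory as "named"). The writable check matters in both modes: with "dnssec-validation auto" named starts from its built-in root anchor but still records the tracked key state in managed-keys.bind, so a read-only working directory defeats automatic rollover either way.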
dnssec-validation auto vs yes
Hi,

The default BIND9 installation for CentOS7 has dnssec-validation set to "yes" and it also includes managed-keys as well. Do those managed-keys get updated automatically? It is not clear from reading https://ftp.isc.org/isc/dnssec-guide/html/dnssec-guide.html#dnssec-validation-explained that these managed-keys will get updated automatically if dnssec-validation is not set to "auto".

[root@centos-linux ~]# named -v
BIND 9.9.4-RedHat-9.9.4-73.el7_6 (Extended Support Version)
[root@centos-linux ~]# grep named.root.key /etc/named.conf
include "/etc/named.root.key";
[root@centos-linux ~]# cat /etc/named.root.key
managed-keys {
        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
        # for current trust anchor information.
        #
        # This key (19036) is to be phased out starting in 2017. It will
        # remain in the root zone for some time after its successor key
        # has been added. It will remain this file until it is removed from
        # the root zone.
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
                QxA+Uk1ihz0=";

        # This key (20326) is to be published in the root zone in 2017.
        # Servers which were already using the old key should roll to the
        # new one seamlessly. Servers being set up for the first time
        # can use either of the keys in this file to verify the root keys
        # for the first time; thereafter the keys in the zone will be
        # trusted and maintained automatically.
        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
                R1AkUTV74bU=";
};