Re: Where is managed-keys.bind ?

2010-10-01 Thread Chris Thompson

On Oct 1 2010, Tony Finch wrote:


> On Fri, 1 Oct 2010, Magali Bernard wrote:
>
>> Oct  1 08:30:19 stroph named[24453]: set up managed keys zone for view _default, file 'managed-keys.bind'
>> Oct  1 08:30:19 stroph named[24453]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
>> Oct  1 08:30:19 stroph named[24453]: managed-keys-zone ./IN: loaded serial 0
>>
>> We do not sign (yet) our zones with DNSSEC, is it safe to turn off
>> dnssec-lookaside, and how?
>> dnssec-lookaside no?
>
> dnssec-lookaside is off by default, and both DLV and the managed keys zone
> relate to validation rather than serving signed zones.
>
> The managed keys zone is used for RFC 5011 trust anchor rollover which you
> can use with both DLV (via the dnssec-lookaside auto; setting) and the
> root trust anchor (which requires a managed-keys clause as below). Bind
> creates the managed keys zone if it isn't present, and the warning it logs
> when it does this is benign.


Except that it is classified as an error, not a warning. And if you
don't have any managed keys, then it won't create the file, and so will
complain again the next time BIND is restarted.

An empty file managed-keys.bind in BIND's working directory will get it
to shut up.

--
Chris Thompson
Email: c...@cam.ac.uk
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Where is managed-keys.bind ?

2010-10-01 Thread Magali Bernard

> On Oct 1 2010, Tony Finch wrote:
>
>> On Fri, 1 Oct 2010, Magali Bernard wrote:
>>
>>> Oct  1 08:30:19 stroph named[24453]: set up managed keys zone for view _default, file 'managed-keys.bind'
>>> Oct  1 08:30:19 stroph named[24453]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
>>> Oct  1 08:30:19 stroph named[24453]: managed-keys-zone ./IN: loaded serial 0
>>>
>>> We do not sign (yet) our zones with DNSSEC, is it safe to turn off
>>> dnssec-lookaside, and how?
>>> dnssec-lookaside no?
>>
>> dnssec-lookaside is off by default, and both DLV and the managed keys zone
>> relate to validation rather than serving signed zones.
>>
>> The managed keys zone is used for RFC 5011 trust anchor rollover which you
>> can use with both DLV (via the dnssec-lookaside auto; setting) and the
>> root trust anchor (which requires a managed-keys clause as below). Bind
>> creates the managed keys zone if it isn't present, and the warning it logs
>> when it does this is benign.
>
> Except that it is classified as an error, not a warning. And if you
> don't have any managed keys, then it won't create the file, and so will
> complain again the next time BIND is restarted.
>
> An empty file managed-keys.bind in BIND's working directory will get it
> to shut up.

Thanks a lot! I did:
touch managed-keys.bind
and now BIND is silently working.


-- 
**
Magali BERNARD - DSI pôle Système, Réseau et Sécurité
Université Jean Monnet de Saint-Étienne - FRANCE
-
A: Yes.
 Q: Are you sure ?
 A: Because it reverses the logical flow of conversation.
 Q: Why is top posting annoying in email ?

