DNSSEC with 9.7.2-P2
lst_hoe02 at kwsoft.de
Wed Dec 1 20:02:28 UTC 2010
Quoting David Forrest <drf at maplepark.com>:
> On Tue, 16 Nov 2010, Mark Andrews wrote:
> <snipped>
>>>
>>> Isn't it sufficient to configure the root trust anchor inside
>>> "managed-keys {};"
>>> statement? If I understand correctly the key should be automatically
>>> updated, shouldn't it?
>>
>> For 9.7 yes.
>>
>
> I just updated to 9.7.2-P3 and got this message on start:
> Dec 1 10:52:01 maplepark named[20356]: starting BIND 9.7.2-P3 -u named
> Dec 1 10:52:01 maplepark named[20356]: built with defaults
> Dec 1 10:52:01 maplepark named[20356]: using up to 4096 sockets
> Dec 1 10:52:01 maplepark named[20356]: loading configuration from
> '/etc/named.conf'
> Dec 1 10:52:01 maplepark named[20356]: reading built-in trusted
> keys from file '/etc/bind.keys'
>
> I had removed that file for -P2 but the sudo make install of -P3 re-wrote it:
> [drf at maplepark:~/src/bind-9.7.2-P3]$grep bind.keys typescript
> /usr/bin/install -c -m 644 ./bind.keys /etc
> so it is back.
>
>
> I do have a managed-keys statement in my named.conf:
> managed-keys {
> "." initial-key 257 3 8
> "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
> };
>
> and it seems to run OK so far.
>
> My question is whether the built-in trusted keys (/etc/bind.keys) is
> necessary or not in 9.7.2-P3. I am assuming it is as the make step
> set it up.
It is a DLV needed as a trust anchor until DNSSEC is chained from the
DNS root downwards. See http://www.isc.org/solutions/dlv for details.
Regards
Andreas
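A check a practitioner would want to run on the managed-keys statement quoted above, added here as an example and not code from the thread or from BIND: it parses the "." initial-key entry out of a named.conf fragment, builds the DNSKEY RDATA, computes the RFC 4034 key tag and the SHA-256 DS digest (RFC 4509), and compares them with the values IANA publishes for the 2010 root KSK (key tag 19036, DS digest 49AAC11D...F24E8FB5). The conf fragment is the one from the message above; the regular expression and the check function are this example's own, and the two-byte fallback key used in its self-test is constructed.

```python
import base64
import hashlib
import re
import struct

# named.conf fragment as posted in the thread above (the 2010 root KSK).
NAMED_CONF = '''
managed-keys {
"." initial-key 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};
'''

# Reference values IANA publishes for the 2010 root KSK (root-anchors.xml):
# key tag 19036, DS digest type 2 (SHA-256).
EXPECTED_ROOT_KEY_TAG = 19036
EXPECTED_ROOT_DS_SHA256 = "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"

# Matches one managed-keys entry: "<name>" initial-key <flags> <proto> <alg> "<base64>";
# (example's own regex, covers the layout BIND's documentation uses).
KEY_RE = re.compile(
    r'"(?P<name>[^"]+)"\s+initial-key\s+(?P<flags>\d+)\s+(?P<proto>\d+)\s+'
    r'(?P<alg>\d+)\s+"(?P<key>[^"]+)"\s*;'
)


def parse_managed_keys(conf):
    """Return (name, flags, protocol, algorithm, key_bytes) for every initial-key entry."""
    entries = []
    for m in KEY_RE.finditer(conf):
        key = base64.b64decode(re.sub(r"\s+", "", m.group("key")))
        entries.append((m.group("name"), int(m.group("flags")),
                        int(m.group("proto")), int(m.group("alg")), key))
    return entries


def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire-format owner name; "." is just the root label."""
    if name == ".":
        return b"\x00"
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def ds_sha256(name, rdata):
    """DS digest type 2 (RFC 4509): SHA-256 over owner name || DNSKEY RDATA."""
    return hashlib.sha256(owner_wire(name) + rdata).hexdigest().upper()


def check_trust_anchor(conf, expected_tag, expected_ds):
    """Return (tag, ds, ok) for the first "." key in conf.

    ok is True only when the key is a KSK (flags 257) and both the key tag and
    the DS digest equal the published reference values.
    """
    for name, flags, proto, alg, key in parse_managed_keys(conf):
        if name != ".":
            continue
        rdata = dnskey_rdata(flags, proto, alg, key)
        tag = key_tag(rdata)
        ds = ds_sha256(name, rdata)
        return tag, ds, (flags == 257 and tag == expected_tag and ds == expected_ds)
    raise ValueError("no root trust anchor found in managed-keys")


if __name__ == "__main__":
    tag, ds, ok = check_trust_anchor(NAMED_CONF, EXPECTED_ROOT_KEY_TAG, EXPECTED_ROOT_DS_SHA256)
    print("key tag %d, DS %s: %s" % (tag, ds, "matches IANA" if ok else "DOES NOT MATCH IANA"))
```

The point of comparing the DS digest rather than only the key tag is that the tag is a 16-bit checksum and collides easily; the digest is what IANA actually publishes and what a resolver operator should verify out of band before trusting a pasted key. Note that the check says nothing about /etc/bind.keys, whose DLV key is a separate trust anchor for dlv.isc.org and would be verified against ISC's published DLV key in the same way.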