DNSSEC with 9.7.2-P2
David Forrest
drf at maplepark.com
Wed Dec 1 21:55:35 UTC 2010
On Wed, 1 Dec 2010, lst_hoe02 at kwsoft.de wrote:
> Zitat von David Forrest <drf at maplepark.com>:
>
>> On Tue, 16 Nov 2010, Mark Andrews wrote:
>> <snipped>
>>>>
>>>> Isn't sufficient to configure the root trust anchor inside "managed-keys
>>>> {};"
>>>> statement? If I understand correctly the key should be automatically
>>>> updated, shouldn't it?
>>>
>>> For 9.7 yes.
>>>
>>
>> I just updated to 9.7.2-P3 and got this message on start:
>> Dec 1 10:52:01 maplepark named[20356]: starting BIND 9.7.2-P3 -u named
>> Dec 1 10:52:01 maplepark named[20356]: built with defaults
>> Dec 1 10:52:01 maplepark named[20356]: using up to 4096 sockets
>> Dec 1 10:52:01 maplepark named[20356]: loading configuration from
>> '/etc/named.conf'
>> Dec 1 10:52:01 maplepark named[20356]: reading built-in trusted keys from
>> file '/etc/bind.keys'
>>
>> I had removed that file for -P2 but the sudo make install of -P3 re-wrote
>> it:
>> [drf at maplepark:~/src/bind-9.7.2-P3]$grep bind.keys typescript
>> /usr/bin/install -c -m 644 ./bind.keys /etc
>> so it is back.
>>
>>
>> I do have a managed-keys statement in my named.conf:
>> managed-keys {
>> "." initial-key 257 3 8
>> "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
>> };
>>
>> and it seems to run OK so far.
>>
>> My question is whether the built-in trusted keys (/etc/bind.keys) is
>> necessary or not in 9.7.2-P3. I am assuming it is as the make step set it
>> up.
>
> It is a DLV needed as a trust ancor until DNSSEC is chained from the DNS root
> downwards. See http://www.isc.org/solutions/dlv for details.
>
> Regards
>
> Andreas
>
The startup of named with the builtin trusted keys and my managed-keys
statement creates two identical separate mkeys files and their mkeys.jnl
counterparts for the root . :
-rw-r--r-- 1 named users 698 2010-12-01 04:47
3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys
-rw-r--r-- 1 named users 512 2010-12-01 04:47
3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys.jnl
-rw-r--r-- 1 named users 698 2010-12-01 04:51
3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys
-rw-r--r-- 1 named users 512 2010-12-01 04:51
3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys.jnl
both of which show a key id == 19036
which seems odd. I do have two views, though, for internal (recursive)
and external (non-recursive) purposes.
Oh well, it works as both views seem to authenticate DNSSEC:
[maplepark.com (view: external)]
1044 queries resulted in successful answer
1140 queries resulted in authoritative answer
17 queries resulted in nxrrset
79 queries resulted in NXDOMAIN
5 requested transfers completed
[maplepark.com (view: internal)]
333 queries resulted in successful answer
1129 queries resulted in authoritative answer
4 queries resulted in nxrrset
792 queries resulted in NXDOMAIN
Thanks,
Dave
More information about the bind-users
mailing list