dnssec-lookaside != auto

Mark Andrews marka at isc.org
Mon Dec 20 00:32:09 UTC 2010


In message <4D0E8340.9060003 at data.pl>, Torinthiel writes:
> Hello everyone,
> 
> I've recently updated bind to version 9.7.2_p3.

Upgraded from what?
 
> I've been using DLV before that, specifically dlv.isc.org, with two
> entries in named.conf
> 
> options {
> dnssec-lookaside . trust-anchor dlv.isc.org.;
> };
> trusted-keys{
> [sometext]
> };
> 
> and it was working fine.
> However, on update I wanted to try managed-keys, so I changed
> trusted-keys to managed-keys (and added the initial key of course)
> 
> so the relevant part of config file now looks like this:
> 
> managed-keys {
> dlv.isc.org. initial-key 257 3 5
> "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
> brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
> 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
> ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
> Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
> QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
> };
> 
> 
> This has caused a problem: every query caused an error, no answers, and these
> log entries:
> 
> Dec 19 21:22:38 sarlac named[4137]: validating @0xb48c0030: dlv.isc.org
> DNSKEY: must be secure failure,  . is under DLV (startfinddlvsep)
> Dec 19 21:22:38 sarlac named[4137]: error (must-be-secure) resolving
> 'dlv.isc.org/DNSKEY/IN': 156.154.101.23#53

And what other errors were logged by named when it started?
 
> After some googling and finding
> http://www.mail-archive.com/bind-users@lists.isc.org/msg06660.html
> and even better
> http://www.mail-archive.com/bind-users@lists.isc.org/msg05689.html
> 
> I've changed to dnssec-lookaside auto. Lo and behold, everything works fine.

And the contents of /etc/bind.key are?  Also the contents in the
chroot area if you are using chroot.

> However, this presents the following problems to me:
> - managed-keys does not work as advertised:
> In the BIND manual (PDF downloaded from http://www.bind9.net/manuals), it is
> said that managed-keys is similar to trusted-keys, but where a key in
> trusted-keys is static and trusted as long as it is in the config file, a key
> in managed-keys is trusted only once, to download this key and store it
> in the trusted database. This proves to be wrong, as it is not trusted even
> that one time.
> 
> - I don't seem to be able to switch to another DLV registry.
> dnssec-lookaside accepts only auto, so I have no choice but to use
> built-in DLV. But, e.g. secspider.cs.ucla.edu looks interesting.
> 
> Can anyone shed some light on whether this is my mistake, not having something
> in the configuration, or a general BIND error?
> 
> Regards,
>  Torinthiel


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
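One check an operator can run before trusting a managed-keys initial-key such as the one quoted above: parse the block, confirm the key carries the SEP/KSK flag that RFC 5011 anchors must have, and compute its RFC 4034 key tag so it can be compared with the key id the registry publishes for that anchor. This is an added example written for this page, not code from the thread or from BIND; NAMED_CONF is the quoted block re-typed as constructed input, and the function names are assumptions.

```python
import base64
import re
import struct

# Constructed input for this example: the managed-keys block as quoted in the
# thread, with the dlv.isc.org initial-key text exactly as it appears there.
NAMED_CONF = """
managed-keys {
    dlv.isc.org. initial-key 257 3 5
    "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
    brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
    1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
    ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
    Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
    QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
};
"""

# name, flags, protocol, algorithm, quoted base64 key (may span lines)
INITIAL_KEY = re.compile(
    r'(\S+)\s+initial-key\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;')


def key_tag(flags, protocol, algorithm, key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not for algorithm 1)."""
    if algorithm == 1:
        raise ValueError("RSA/MD5 (algorithm 1) uses a different key tag rule")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_managed_keys(conf):
    """Return one dict per initial-key with its flags, key tag and SEP status."""
    anchors = []
    for name, flags, proto, alg, b64 in INITIAL_KEY.findall(conf):
        flags, proto, alg = int(flags), int(proto), int(alg)
        key = base64.b64decode("".join(b64.split()))  # whitespace is not key material
        anchors.append({
            "name": name, "flags": flags, "protocol": proto, "algorithm": alg,
            "key_len": len(key), "tag": key_tag(flags, proto, alg, key),
            "sep": bool(flags & 0x0001),  # RFC 5011 trust anchors must set the SEP bit
        })
    return anchors


if __name__ == "__main__":
    for a in parse_managed_keys(NAMED_CONF):
        print(f"{a['name']} tag={a['tag']} alg={a['algorithm']} sep={a['sep']}")
```

The printed tag should match the key id published for the anchor; a mismatch means the configured initial-key is not the key the registry is actually signing with.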