dnssec-lookaside != auto

Torinthiel torinthiel at data.pl
Mon Dec 20 07:08:13 UTC 2010


On 12/20/10 01:32, Mark Andrews wrote:
> In message <4D0E8340.9060003 at data.pl>, Torinthiel writes:
>   
>> Hello everyone,
>>
>> I've recently updated bind to version 9.7.2_p3.
>>     
> Upgraded from what?
>   

From 9.4.3_p5

>  
>   
>> I've been using DLV before that, specifically dlv.isc.org, with two
>> entries in named.conf
>>
>> options {
>> dnssec-lookaside . trust-anchor dlv.isc.org.;
>> };
>> trusted-keys{
>> [sometext]
>> };
>>
>> and it was working fine.
>> However, on update I've wanted to try managed-keys. so changed
>> trusted-keys to managed-keys (and added initial key of course)
>>
>> so the relevant part of config file now looks like this:
>>
>> managed-keys {
>> dlv.isc.org. initial-key 257 3 5
>> "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
>> brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
>> 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
>> ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
>> Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
>> QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
>> };
>>
>>
>> this has caused problem, every query caused error, no answers and these
>> log entries:
>>
>> Dec 19 21:22:38 sarlac named[4137]: validating @0xb48c0030: dlv.isc.org
>> DNSKEY: must be secure failure,  . is under DLV (startfinddlvsep)
>> Dec 19 21:22:38 sarlac named[4137]: error (must-be-secure) resolving
>> 'dlv.isc.org/DNSKEY/IN': 156.154.101.23#53
>>     
> And what other errors were logged by named when it started?
>   
None. Complete startup log sequence:
Dec 20 07:49:14 sarlac named[4137]: loading configuration from
'/etc/bind/named.conf'
Dec 20 07:49:14 sarlac named[4137]: reading built-in trusted keys from
file '/etc/bind/bind.keys'
Dec 20 07:49:14 sarlac named[4137]: using default UDP/IPv4 port range:
[1024, 65535]
Dec 20 07:49:14 sarlac named[4137]: using default UDP/IPv6 port range:
[1024, 65535]
Dec 20 07:49:14 sarlac named[4137]: set up managed keys zone for view
_default, file 'managed-keys.bind'
Dec 20 07:49:14 sarlac named[4137]: reloading configuration succeeded
Dec 20 07:49:15 sarlac named[4137]: managed-keys-zone ./IN: loaded serial 16
Dec 20 07:49:15 sarlac named[4137]: zone torinthiel.pl/IN: loaded serial
2010110801
Dec 20 07:49:15 sarlac named[4137]: reloading zones succeeded
Dec 20 07:49:15 sarlac named[4137]: zone torinthiel.pl/IN: sending
notifies (serial 2010110801)



>  
>   
>> After some googling and finding
>> http://www.mail-archive.com/bind-users@lists.isc.org/msg06660.html
>> and even better
>> http://www.mail-archive.com/bind-users@lists.isc.org/msg05689.html
>>
>> I've changed to dnssec-lookaside auto. Lo and behold, everything works fine.
>>     
> And the contents of /etc/bind.key are?  Also the contents in the
> chroot area if you are using chroot.
>   
Changed /etc/bind.keys to /etc/bind/bind.keys, via config (and it reads
it, you can see it in the logs). Contents were given in the first post, only I
haven't mentioned it was in /etc/bind/bind.keys.
The managed-keys statement is the sole statement in /etc/bind/bind.keys
and is not present in main config file.
Ok, this was the problem. Having included the file as well as specifying
it as bindkeys-file seems to have solved the problem. Ok, now the
documentation seems a bit unclear about it. It never states that the
file is included nor that it's not. But having information that it loads
the given file (in the dnssec-lookaside description) and information that the
file is loaded in the logs has given me a false sense of security in this
case. Is this double-include (sort of) configuration what I was supposed
to do? Will it work correctly after a key rollover?

Also, another question arises: can one include more than one
bindkeys-file and/or dnssec-lookaside in the config? The documentation hints
that at least the latter is possible, but does not state so. And having
multiple bindkeys-file is useful if you have locally-configured keys,
for which using the main file is not recommended.

Skipping rest of answers, as problem is (mostly) solved.
Regards,
 Torinthiel
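The three named.conf layouts discussed in this thread, written out side by side as an added example (this is not configuration from the thread or from ISC). The failing layout is the one from the original post: an explicit `trust-anchor dlv.isc.org.` with the DLV key living only in the file named by `bindkeys-file`. In BIND 9.7 the keys in that file are only applied when `dnssec-lookaside auto` is used, which is consistent with the "must be secure failure" logged above; with an explicit trust anchor the key has to reach named.conf itself, either by `include` or by writing the `managed-keys` statement inline. Paths, view names and the key placeholder are assumptions for illustration; the real key material belongs in bind.keys. Note that ISC retired the dlv.isc.org lookaside service in 2017, so on current resolvers the whole `dnssec-lookaside` block should simply be removed.

```conf
// --- Layout 1: the one that fails (DLV key never reaches the validator) ---
// options {
//     dnssec-enable yes;
//     dnssec-validation yes;
//     dnssec-lookaside . trust-anchor dlv.isc.org.;   // explicit anchor ...
//     bindkeys-file "/etc/bind/bind.keys";            // ... but the key is only here
// };
// No managed-keys/trusted-keys for dlv.isc.org. in named.conf, so every
// lookup of dlv.isc.org/DNSKEY hits "must-be-secure" and resolution fails.

// --- Layout 2: let named take the DLV key from bindkeys-file ---
options {
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;                     // "auto" is what reads bindkeys-file
    bindkeys-file "/etc/bind/bind.keys";       // assumed path; must hold a managed-keys
                                               // statement for dlv.isc.org.
};

// --- Layout 3: keep the explicit anchor, but pull the key into named.conf ---
// managed-keys is a top-level statement, so the include goes OUTSIDE options {}.
// Use either layout 2 or layout 3, not both in one named.conf.
//
// options {
//     dnssec-enable yes;
//     dnssec-validation yes;
//     dnssec-lookaside . trust-anchor dlv.isc.org.;
// };
// include "/etc/bind/bind.keys";
//
// where /etc/bind/bind.keys contains only:
// managed-keys {
//     dlv.isc.org. initial-key 257 3 5 "<DLV KSK base64, placeholder>";
// };
```

To confirm the anchor was actually loaded after `rndc reconfig`, run `rndc secroots` and check that dlv.isc.org. appears under the view's security roots in named.secroots; then `dig +dnssec` against a DLV-registered zone should return an answer with the `ad` flag set instead of SERVFAIL. A `managed-keys` anchor is tracked by RFC 5011 in the managed-keys zone, which is why layout 2 or 3 survives a key rollover while a static `trusted-keys` entry would not.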


