DNSSEC auto-dnssec issue bind-9.7.2-P3

Kalman Feher kalman.feher at melbourneit.com.au
Fri Jan 21 14:17:33 UTC 2011

On 21/01/11 2:05 PM, "Zbigniew Jasiński" <szopen at nask.pl> wrote:

> On 2011-01-21 11:23, Kalman Feher wrote:
>> The only way I can replicate the behaviour is with dnssec-enable no or with
>> an unsigned version of the zone in another view. Assuming you've not
>> overlapped your views in such a way (it was a very contrived test), I think
>> you'll need to provide a bit more information on your configuration.
>> 
>> -options
>> -relevant view statement
>> -The zone statement (from the hashed file if you are using the new dynamic
>> zones feature).
>> -The zone itself
>> -Query logs. 
>> 
>> Without the full dig output it is hard to see what is actually happening.
>> I'd suggest including that as well.
>> 
>> If you dig axfr or dig rrsig are the signatures present?
>> 
> 
> I've conducted a test with 'auto-dnssec allow' and that works without a
> single problem, then I just change this option to 'auto-dnssec
> maintain' and odd things happen.
> 
Perhaps we are getting close to the problem then.
Can you show the content of the key files? Specifically the metadata which
the "maintain" option wants.

Since "allow" works I'm assuming that key file permissions (and directory
permissions) are ok, but it couldn't hurt to check them.
> Didn't mention before, but this named is working with SoftHSM. But like
> I said, no problems with 'auto-dnssec allow'.
> 
> This is the zone conf:
> 
> zone "example" {
> type master;
> file "var/zone/example";
> allow-update { loopback; };
> allow-transfer { trusted; loopback; };
> auto-dnssec maintain;
> key-directory "var/keys/example";
> };
> 
> named.conf:
> 
> controls {
>         inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
>         inet ::1 port 953 allow { ::1; } keys { "rndc-key"; };
> };
> 
> acl trusted {
>         127.0.0.1;
>         172.16.7.5;
> };
> 
> acl loopback {
>         127.0.0.1;
> };
> 
> acl eth0 {
>         172.16.7.5;
> };
> 
> options {
>         directory "/";
>         query-source address 172.16.7.5;
>         notify-source 172.16.7.5;
>         transfer-source 172.16.7.5;
>         port 53;
>         pid-file "var/run/named/named.pid";
>         session-keyfile "var/run/named/session.key";
>         listen-on {
>                 loopback;
>                 eth0;
>         };
>         listen-on-v6 { none; };
>         recursion no;
>         notify explicit;
>         allow-query { trusted; };
> 
>         dnssec-enable yes;
>         dnssec-validation yes;
>         max-journal-size 100k;
>         random-device "/dev/urandom";
> };
> 
> This is the zone file:
> 
> $TTL    3600
> example.                SOA     ns1.example. bugs.x.w.example. (
>                                 1292481908
>                                 7200
>                                 3600
>                                 734400
>                                 600
>                         )
>                         TXT     "dnssec test"
>                         NS ns1.example.
>                         NS ns2.example.
> $ORIGIN example.
> ns1             A       127.0.0.3
> ns2             A       127.0.0.4
> 
> a               NS      ns1.a
>                 NS      ns2.a
>                 DS 23344 5 1 CECDDBFFD6A0C01F8D7E96C4BE31CB577433DD56
> 
> ns1.a   IN      A       127.0.0.1
> ns2.a   IN      A       127.0.0.1
> 
> c               NS      ns1.c
> c               NS      ns2.c
> ns1.c   IN      A       127.0.0.5
> ns2.c   IN      A       127.0.0.6
> 
> ai      IN      A       127.0.0.1
>         IN      AAAA    0:0:0:0:0:0:0:1
> xx      IN      A       127.0.0.1
>         IN      AAAA    0:0:0:0:0:0:0:1
> 
> w       IN      A       127.0.0.1
> *.w             MX 10   ai
> x.w             MX 10   xx
> x.y.w           MX 10   xx
> 
> If I make a query for RRSIG records, named returns proper signatures,
> for example for the SOA record:
> 
> $ dig @127.0.0.1 example rrsig +short
> SOA 10 1 3600 20110220123506 20110121113506 51587 example.
> cVzWYkeTASPUiHv0DxFXpTsK4G1QkpS3sZ1jXmDCDv+EaYUs2C/kRlD9
> <CUT>
> 
> Same with AXFR, and the same for the zone file.
> 
> -- 
> regards
> 
> zbigniew jasinski
> [SYStem OPerator]
> 

-- 
Kal Feher 
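As an added illustration of the key-file timing metadata Kal asks about (this is not code from the thread or from BIND itself): a small Python checker that reads the timing comments dnssec-keygen/dnssec-settime write into K*.key files and reports how 'auto-dnssec maintain' would treat each key at a given time, including a key that carries no metadata at all. The sample key files, key ids and the check time are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Timing fields written as comments into K*.key files; 'auto-dnssec maintain'
# schedules publication and signing from them ('allow' does not need them).
FIELDS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")
_META = re.compile(r"^;\s*(%s):\s*(\d{14})" % "|".join(FIELDS))
_DNSKEY = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+3\s+(\d+)\s", re.I)

def parse_key_file(text):
    """Extract owner, flags, algorithm and any timing metadata from a key file."""
    info = {}
    for line in text.splitlines():
        m = _META.match(line)
        if m:  # timestamps are UTC, YYYYMMDDHHMMSS
            ts = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
            info[m.group(1)] = ts.replace(tzinfo=timezone.utc)
            continue
        m = _DNSKEY.match(line)
        if m:
            info["owner"] = m.group(1)
            info["flags"], info["alg"] = int(m.group(2)), int(m.group(3))
    return info

def maintain_status(info, now):
    """Classify what 'maintain' mode does with the key at time `now`."""
    if "Publish" not in info and "Activate" not in info:
        return "ignored: no timing metadata (old-style key)"
    if "Delete" in info and info["Delete"] <= now:
        return "deleted: past Delete time"
    if info.get("Publish", now) > now:
        return "pending: before Publish time"
    if "Activate" not in info:
        return "published only: no Activate time, never signs"
    if info["Activate"] > now:
        return "published only: before Activate time"
    if "Inactive" in info and info["Inactive"] <= now:
        return "inactive: past Inactive time, no new signatures"
    return "active: published and signing"

# Constructed samples (not the poster's keys): a ZSK with metadata, an old-style key without.
SAMPLE_ZSK = """; This is a zone-signing key, keyid 12345, for example.
; Publish: 20110121113506 (Fri Jan 21 11:35:06 2011)
; Activate: 20110121113506 (Fri Jan 21 11:35:06 2011)
example. IN DNSKEY 256 3 10 AwEAAcONSTRUCTEDkeyMATERIALonly==
"""
SAMPLE_OLD = """; This is a key-signing key, keyid 23456, for example.
example. IN DNSKEY 257 3 10 AwEAAcONSTRUCTEDkeyMATERIALonly==
"""
NOW = datetime(2011, 1, 21, 14, 0, tzinfo=timezone.utc)  # assumed check time
```

Run `maintain_status(parse_key_file(open(path).read()), NOW)` over every K*.key file in the zone's key-directory; a key reported as "ignored" is one that 'allow' would still use on demand but 'maintain' will never publish or sign with.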