bind 9.7.4 on centos6
Carl Byington
carl at byington.org
Sun Sep 4 19:20:26 UTC 2011
I am trying to build bind 9.7.4 from source on centos6, starting with a
stock fedora14 source rpm. It seems to be working, but won't validate
against the root key, but it will against the dlv.isc.org keys.
dig org ns +dnssec @localhost
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
Note no 'ad' flag in the response.
dig isc.org ns +dnssec
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 13
/etc/named.isc.keys contains:
managed-keys {
. initial-key 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
dlv.isc.org. initial-key 257 3 5
"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
};
which seems to be correct. But when named starts, it logs:
Sep 4 11:59:26 ns named[19409]: set up managed keys zone for view normal, file '/var/named/dynamic/317b32c143692b9939c197f6a5df54f9698df9a4882fe8bf19608968662be4fa.mkeys'
And that mkeys file only contains a key for dlv.isc.org, and no managed
key for .
Perhaps this version does not understand algorithm 8 (sha256?), but dig
seems to like it:
dig . dnskey | grep '^\.' >/tmp/root.key
dig org ns +sigchase +trusted-key=/tmp/root.key
output ends with
;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
So it seems that dig can validate, but bind fails to do so:
cat /tmp/root.key
. 165546 IN DNSKEY 256 3 8
AwEAAcy4Eo1P5B3ut9Vm9ZP92JnCFSALJqdhO5fOq1UsseYaiMFqgDH6
Y40iqDw6JmpkmhiJLW6HGj//JLQXAJ+k4EcQ9tlDJqumEe7OJMU6KpcK
s6qI4lugy8j/v6DxDlZdAPASbKmoGx1oceRKzr/UdwyB1G5aIEtwK7/D QFrn3zRj
. 165546 IN DNSKEY 257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
And that looks like the same key as in the /etc/named.iscdlv.key file.
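As an added example, not part of the post and not BIND's own code, here is a small Python script that parses the root key in both forms quoted above (the managed-keys initial-key statement and the dig DNSKEY line), computes the RFC 4034 key tag and the SHA-256 DS digest, and checks that the two records carry identical key material; the tag and digest can then be compared with the root trust anchor IANA publishes. The sample records are copied from this post; the function names are the example's own.

```python
import base64
import hashlib

# Constructed sample input copied from the post: the root key as written in the
# managed-keys block, and the same key as printed by `dig . dnskey`.
MANAGED_ROOT = '''. initial-key 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";'''
DIG_ROOT = '''. 165546 IN DNSKEY 257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0='''

def parse_dnskey(text):
    """Parse a DNSKEY in dig presentation form or a named.conf initial-key
    statement; wrapped lines and spaces inside the base64 are tolerated."""
    fields = text.replace('"', ' ').replace(';', ' ').split()
    markers = [m for m in ("DNSKEY", "initial-key") if m in fields]
    if not markers:
        raise ValueError("not a DNSKEY record or initial-key statement")
    i = fields.index(markers[0])
    flags, proto, alg = (int(f) for f in fields[i + 1:i + 4])
    return {"owner": fields[0], "flags": flags, "protocol": proto,
            "algorithm": alg, "key": base64.b64decode("".join(fields[i + 4:]))}

def dnskey_rdata(rec):
    """Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return rec["flags"].to_bytes(2, "big") + bytes([rec["protocol"], rec["algorithm"]]) + rec["key"]

def key_tag(rec):
    """RFC 4034 Appendix B key tag, the number dig and named print next to a
    key (19036 for the root KSK above)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(rec)):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_sha256(rec):
    """DS digest type 2: SHA-256 over the canonical owner name plus the RDATA.
    For the root the owner name on the wire is the single zero byte."""
    labels = [l.lower().encode() for l in rec["owner"].strip(".").split(".") if l]
    wire_owner = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return hashlib.sha256(wire_owner + dnskey_rdata(rec)).hexdigest().upper()

def same_key(a, b):
    """True when two records carry identical key material (flags included)."""
    return dnskey_rdata(a) == dnskey_rdata(b)
```

A key tag or DS that differs from the published trust anchor means the configured initial-key is not the real root KSK, regardless of how similar the base64 looks by eye.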