Question about managed-keys-zone
Bjoern Kahl
mls at bjoern-kahl.de
Fri Apr 8 16:26:37 UTC 2016
On 08.04.16 at 16:11, Bhangui, Sandeep - BLS CTR wrote:
> Thanks Jeremy
>
>
> Logging section from named.conf
>
> logging {
> channel "named-log" {
> file "/usr/local/named-jail9.10.3P4/var/adm/named.log" versions 3 size 30m;
That is wrong if your named runs in a chroot jail (guessing from
"named-jail9.10.3P4" that you run it in a jail).
Assuming your named jail is "/usr/local/named-jail9.10.3P4", you must
name the file relative to the jail, i.e. "/var/adm/named.log".
Note the leading "/" in the file name. When running chroot jailed,
named sets the root "/" of its view of the file system early in startup,
so all paths need to be specified starting from the new root.
> severity info;
> print-time yes; print-category yes; print-severity yes;
> };
>
> channel "named-lame" {
> file "/usr/local/named-jail9.10.3P4/var/adm/named.lame" versions 3 size 30m;
> severity info;
> print-time yes; print-category yes; print-severity yes;
> };
>
> channel "named-querylog" {
> file "/usr/local/named-jail9.10.3P4/var/adm/named.querylog" versions 3 size 30m;
> severity dynamic;
> print-time yes; print-category yes; print-severity yes;
> };
>
> category "general" { "named-log"; };
> category "security" { "named-log"; };
> category "xfer-in" { "named-log"; };
> category "xfer-out" { "named-log"; };
> category "client" { "named-log"; };
> category "update" { "named-log"; };
> category "lame-servers" { "named-lame"; };
> category "queries" { "named-querylog"; };
> category edns-disabled { null; };
> /* category "delegation-only" { "named-querylog"; }; */
> };
>
>
> And yes the directory "/usr/local/named-jail9.10.3P4/var/adm/" exists and the files are there....owned by named:named.
>
> I know it using rndc is a good practice but is there an option to specify in named.conf to disable it?
>
> -----Original Message-----
> From: Jeremy C. Reed [mailto:jreed at isc.org]
> Sent: Friday, April 08, 2016 9:37 AM
> To: Bhangui, Sandeep - BLS CTR <Bhangui.Sandeep at bls.gov>
> Cc: Bind Users Mailing List <bind-users at lists.isc.org>
> Subject: Re: Question about managed-keys-zone
>
> On Fri, 8 Apr 2016, Bhangui, Sandeep - BLS CTR wrote:
>
>
>> '--enable-newstats' '--with-libxml2' '--enable-fullreport' 'CFLAGS=-O2
>
> Unrelated to your problem, but the --enable-newstats configure switch is not used for BIND 9.10.
>
>> 1. Cannot seem to start named and it seems that it is looking for some
>> keys to validation locally.
>
> (I reordered your email some:)
>
>> Apr 7 15:15:32 cfdnsquar01 named[37952]: isc_stdio_open
>> '/usr/local/named-jail9.10.3P4/var/adm/named.log' failed: file not
>> found Apr 7 15:15:32 cfdnsquar01 named[37952]: configuring logging:
>> file not found Apr 7 15:15:32 cfdnsquar01 named[37952]: loading
>> configuration: file not found Apr 7 15:15:32 cfdnsquar01
>> named[37952]: exiting (due to fatal error)
>
> Your named cannot start due to logging configuration. You didn't share your configuration related to it, but does the directory /usr/local/named-jail9.10.3P4/var/adm/ exist?
>
>
>> I believe managed-key-zone validation is by default enabled in
>> Bind......is there an option that I can use in named.conf file to
>> disable that so that it does not look for the key......I guess this is
>> just a self-validation on the master itself and has nothing to do with
>> DNSSEC signing as it seems I am not even able to get the named up...
>
> Yes, it is unrelated.
>
>> I guess question is do I have an option that I can specify such that
>> it will not look for self-validation keys at all so that I do not have
>> to deal with rndc.key and rndc.conf or is this something I cannot get
>> by with when I use "views" ? Or am I not understanding this properly?
>
> The rndc keys (used for connecting to the control interface) are unrelated to the keys used with DNSSEC. But for operations it is a good idea. See the ARM and/or rndc-confgen manpage about generating the rndc configuration.
>
> Let's get your named startup working first before we work on your goal.
> (If I understand correctly, you want named to serve internally unsigned zones, an external appliance will sign the zones, and then named can then serve the signed zones publicly.)
>
--
| Bjoern Kahl +++ Siegburg +++ Germany |
| "mls at -my-domain-" +++ www.bjoern-kahl.de |
| Languages: German, English, Ancient Latin (a bit :-)) |
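A small shell check of the point Bjoern makes above, added here as an example and not part of the thread or of BIND itself: given the jail root and a path as written in named.conf, it reports whether named, after chroot, would actually find the file. It assumes the jail root is passed as the first argument; the temporary jail layout it builds at the end is constructed for the demonstration only and mirrors the "/var/adm/named.log" layout from the message.

```shell
#!/bin/sh
# Added example (not from the thread): classify a file path taken from
# named.conf against a chroot jail root, the way named sees it after chroot.
# Usage: check_jail_path JAIL_ROOT CONFIG_PATH
# Prints one of: prefixed | ok | missing | relative
check_jail_path() {
    jail=${1%/}   # strip a trailing slash so the prefix match below is exact
    cfg=$2
    [ -n "$jail" ] || { echo "usage: check_jail_path JAIL_ROOT CONFIG_PATH" >&2; return 2; }
    case "$cfg" in
        "$jail"/*)
            # Host-side path that already includes the jail prefix (the mistake in
            # the quoted config): after chroot, named would open "$jail$cfg", which
            # does not exist, and fail with "file not found".
            echo prefixed; return 1 ;;
        /*)
            # Absolute path relative to the new root: this is what named will open.
            if [ -e "$jail$cfg" ]; then
                echo ok; return 0
            else
                echo missing; return 1
            fi ;;
        *)
            # A relative path is resolved against named's "directory" option,
            # not the jail root, so it cannot be judged from the jail alone.
            echo relative; return 2 ;;
    esac
}

# Constructed demonstration: a throwaway jail layout under a temp directory.
demo_jail=$(mktemp -d)
mkdir -p "$demo_jail/var/adm"
: > "$demo_jail/var/adm/named.log"
check_jail_path "$demo_jail" "$demo_jail/var/adm/named.log"   # prefixed
check_jail_path "$demo_jail" /var/adm/named.log               # ok
check_jail_path "$demo_jail" /var/adm/named.lame              # missing
rm -rf "$demo_jail"
```

The non-zero return codes make the function usable as a pre-start check in a wrapper script: run it over every `file` entry of the logging section and refuse to start named when any path comes back as `prefixed` or `missing`, instead of discovering the problem from the "file not found" lines in syslog.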