Trouble with option managed-keys
Mark Elkins
mje at posix.co.za
Tue May 17 20:49:29 UTC 2016
"managed-keys" is not a config option, try moving it outside the option
stanza, eg....
options {
version ""; // remove this to allow version queries
listen-on { 127.0.0.1; 192.168.21.101; };
listen-on-v6 { none; };
empty-zones-enable yes;
allow-query { clients; };
allow-recursion { clients; };
allow-transfer { none; };
dnssec-enable yes;
dnssec-validation yes;
};
include "/etc/root_trusted_key";
logging {
category lame-servers { null; };
};
...
Personally, I just have the text from your included file directly in
named.conf file itself.
Take a quick peek at http://dnssec.co.za
On 17/05/2016 22:35, thl at it-hluchnik.de wrote:
> Hi all,
>
> I have a problem with DNSSEC and I dont find a solution. Maybe someone can help me.
>
> My intention is to run a bind which acts as DNSSEC enabled resolver for my internal LAN. This runs on a VirtualBox instance with OpenBSD 5.9. I got a precompiled package from OpenBSD, version is 9.10.3-P3.
>
> Configuring my named, I mostly followed a howto from Calomel.org:
>
> https://calomel.org/dns_bind.html
>
> This is my named.conf:
>
> root at bsd59n:/var/named/etc# egrep -v '^ *#|^ *$|^\/\/' named.conf
> acl clients {
> 127.0.0.0/8;
> 192.168.21.0/24;
> ::1;
> };
> options {
> version ""; // remove this to allow version queries
> listen-on { 127.0.0.1; 192.168.21.101; };
> listen-on-v6 { none; };
> empty-zones-enable yes;
> allow-query { clients; };
> allow-recursion { clients; };
> allow-transfer { none; };
> include "/etc/root_trusted_key";
> dnssec-enable yes;
> dnssec-validation yes;
> };
> logging {
> category lame-servers { null; };
> };
> zone "." {
> type hint;
> file "etc/root.hint";
> };
> zone "localhost" {
> type master;
> file "standard/localhost";
> allow-transfer { localhost; };
> };
> zone "127.in-addr.arpa" {
> type master;
> file "standard/loopback";
> allow-transfer { localhost; };
> };
>
>
> As my named is running in a chroot jail, /etc/root_trusted_key is /var/named/etc/root_trusted_key in reality.
>
> root at bsd59n:/var/named/etc# root_trusted_key
> managed-keys {
> "." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0= ";
> };
>
> root_trusted_key was generated as Calomel howto describes.
>
> Now, when I try to start named with that config, I get a courious error message:
>
>
> root at bsd59n:/var/named/etc# /usr/local/sbin/named -t /var/named -u _bind -U 4 -g
> 17-May-2016 21:53:14.644 starting BIND 9.10.3-P3 <id:bdaecad> -t /var/named -u _bind -U 4 -g
> 17-May-2016 21:53:14.644 built with '--enable-shared' '--enable-filter-aaaa' '--enable-threads' '--with-libt
> ool' '--without-readline' '--with-python=/usr/local/bin/python2.7' '--prefix=/usr/local' '--sysconfdir=/etc'
> '--mandir=/usr/local/man' '--infodir=/usr/local/info' '--localstatedir=/var' '--disable-silent-rules' '--di
> sable-gtk-doc' 'CC=cc' 'CFLAGS=-O2 -pipe'
> 17-May-2016 21:53:14.644 ----------------------------------------------------
> 17-May-2016 21:53:14.644 BIND 9 is maintained by Internet Systems Consortium,
> 17-May-2016 21:53:14.644 Inc. (ISC), a non-profit 501(c)(3) public-benefit
> 17-May-2016 21:53:14.644 corporation. Support and training for BIND 9 are
> 17-May-2016 21:53:14.644 available at https://www.isc.org/support
> 17-May-2016 21:53:14.644 ----------------------------------------------------
> 17-May-2016 21:53:14.645 found 2 CPUs, using 2 worker threads
> 17-May-2016 21:53:14.645 using 2 UDP listeners per interface
> 17-May-2016 21:53:14.648 using up to 4096 sockets
> 17-May-2016 21:53:14.681 loading configuration from '/etc/named.conf'
> 17-May-2016 21:53:14.683 /etc/root_trusted_key:1: unknown option 'managed-keys'
> 17-May-2016 21:53:14.686 loading configuration: failure
> 17-May-2016 21:53:14.686 exiting (due to fatal error)
>
>
> But named documentation and "man named.conf" both say that managed-keys were a valid option.
>
> So what's wrong here? Thanks in advance for any help.
>
> Thomas Hluchnik
>
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
--
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4230 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20160517/95623fb2/attachment-0001.bin>
More information about the bind-users
mailing list