Trouble with option managed-keys

Mark Elkins mje at posix.co.za
Tue May 17 20:49:29 UTC 2016


"managed-keys" is not a config option; try moving it outside the options
stanza, e.g.:

options {
        version "";     // remove this to allow version queries
        listen-on    { 127.0.0.1; 192.168.21.101; };
        listen-on-v6 { none; };
        empty-zones-enable yes;
        allow-query { clients; };
        allow-recursion { clients; };
        allow-transfer { none; };
        dnssec-enable yes;
        dnssec-validation yes;
};

include "/etc/root_trusted_key";

logging {
        category lame-servers { null; };
};
...

Personally, I just have the text from your included file directly in
named.conf file itself.

Take a quick peek at http://dnssec.co.za



On 17/05/2016 22:35, thl at it-hluchnik.de wrote:
> Hi all,
> 
> I have a problem with DNSSEC and I don't find a solution. Maybe someone can help me.
> 
> My intention is to run a bind which acts as DNSSEC enabled resolver for my internal LAN. This runs on a VirtualBox instance with OpenBSD 5.9. I got a precompiled package from OpenBSD, version is 9.10.3-P3.
> 
> Configuring my named, I mostly followed a howto from Calomel.org:
> 
> https://calomel.org/dns_bind.html
> 
> This is my named.conf:
> 
> root at bsd59n:/var/named/etc# egrep -v '^ *#|^ *$|^\/\/' named.conf
> acl clients {
>         127.0.0.0/8;
>         192.168.21.0/24;
>         ::1;
> };
> options {
>         version "";     // remove this to allow version queries
>         listen-on    { 127.0.0.1; 192.168.21.101; };
>         listen-on-v6 { none; };
>         empty-zones-enable yes;
>         allow-query { clients; };
>         allow-recursion { clients; };
>         allow-transfer { none; };
>         include "/etc/root_trusted_key";
>         dnssec-enable yes;
>         dnssec-validation yes;
> };
> logging {
>         category lame-servers { null; };
> };
> zone "." {
>         type hint;
>         file "etc/root.hint";
> };
> zone "localhost" {
>         type master;
>         file "standard/localhost";
>         allow-transfer { localhost; };
> };
> zone "127.in-addr.arpa" {
>         type master;
>         file "standard/loopback";
>         allow-transfer { localhost; };
> };
> 
> 
> As my named is running in a chroot jail, /etc/root_trusted_key is /var/named/etc/root_trusted_key in reality.
> 
> root at bsd59n:/var/named/etc# root_trusted_key
> managed-keys {
>    "." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0= ";
> };
> 
> root_trusted_key was generated as the Calomel howto describes.
> 
> Now, when I try to start named with that config, I get a curious error message:
> 
> 
> root at bsd59n:/var/named/etc# /usr/local/sbin/named -t /var/named -u _bind -U 4 -g
> 17-May-2016 21:53:14.644 starting BIND 9.10.3-P3 <id:bdaecad> -t /var/named -u _bind -U 4 -g
> 17-May-2016 21:53:14.644 built with '--enable-shared' '--enable-filter-aaaa' '--enable-threads' '--with-libt
> ool' '--without-readline' '--with-python=/usr/local/bin/python2.7' '--prefix=/usr/local' '--sysconfdir=/etc'
>  '--mandir=/usr/local/man' '--infodir=/usr/local/info' '--localstatedir=/var' '--disable-silent-rules' '--di
> sable-gtk-doc' 'CC=cc' 'CFLAGS=-O2 -pipe'
> 17-May-2016 21:53:14.644 ----------------------------------------------------
> 17-May-2016 21:53:14.644 BIND 9 is maintained by Internet Systems Consortium,
> 17-May-2016 21:53:14.644 Inc. (ISC), a non-profit 501(c)(3) public-benefit
> 17-May-2016 21:53:14.644 corporation.  Support and training for BIND 9 are
> 17-May-2016 21:53:14.644 available at https://www.isc.org/support
> 17-May-2016 21:53:14.644 ----------------------------------------------------
> 17-May-2016 21:53:14.645 found 2 CPUs, using 2 worker threads
> 17-May-2016 21:53:14.645 using 2 UDP listeners per interface
> 17-May-2016 21:53:14.648 using up to 4096 sockets
> 17-May-2016 21:53:14.681 loading configuration from '/etc/named.conf'
> 17-May-2016 21:53:14.683 /etc/root_trusted_key:1: unknown option 'managed-keys'
> 17-May-2016 21:53:14.686 loading configuration: failure
> 17-May-2016 21:53:14.686 exiting (due to fatal error)
> 
> 
> But the named documentation and "man named.conf" both say that managed-keys is a valid option.
> 
> So what's wrong here? Thanks in advance for any help.
> 
> Thomas Hluchnik
> 
> 
> 

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
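The failure in the thread is a placement problem: named only accepts managed-keys as a top-level statement, and an include inside options {} drags the included file into that block. The following is an added example (not code from the thread, from ISC, or from BIND) of a small checker that walks a named.conf, follows include statements the way named does under -t <chroot>, and reports where each managed-keys statement ends up; the file contents and the truncated key are constructed samples.

```python
import re

INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"\s*;')

def _strip_comment(line):
    # named.conf allows //, # and /* */ comments; only // and # are handled here
    # (assumption: no multi-line /* */ blocks in the files being scanned).
    return re.split(r'//|#', line, maxsplit=1)[0]

def locate(files, path, stack=None, hits=None):
    """Walk a named.conf, following include statements, and record where every
    managed-keys statement sits. `files` maps chroot-relative paths to text,
    standing in for the filesystem under 'named -t /var/named'."""
    stack = [] if stack is None else stack      # names of enclosing blocks
    hits = [] if hits is None else hits
    for lineno, raw in enumerate(files[path].splitlines(), 1):
        line = _strip_comment(raw)
        if not line.strip():
            continue
        inc = INCLUDE_RE.match(line)
        if inc:                                  # included text inherits the block
            locate(files, inc.group(1), stack, hits)
            continue
        keyword = line.split()[0]
        if keyword == "managed-keys":
            hits.append((path, lineno, tuple(stack)))
        for ch in line:                          # braces inside strings are assumed absent
            if ch == "{":
                stack.append(keyword)
            elif ch == "}":
                stack.pop()
    return hits

def diagnose(files, entry="/etc/named.conf"):
    """Mimic named's verdict: managed-keys is only valid at top level."""
    for path, lineno, enclosing in locate(files, entry):
        if enclosing:
            return f"{path}:{lineno}: unknown option 'managed-keys'"
    return "ok"

# Constructed samples: BAD mirrors the original post (include inside options),
# GOOD mirrors the reply (include after the options block). Key is a placeholder.
KEYFILE = 'managed-keys {\n   "." initial-key 257 3 8 "AwEA...PLACEHOLDER";\n};\n'
BAD = {"/etc/named.conf": 'options {\n  listen-on { 127.0.0.1; };\n'
       '  include "/etc/root_trusted_key";\n  dnssec-validation yes;\n};\n',
       "/etc/root_trusted_key": KEYFILE}
GOOD = {"/etc/named.conf": 'options {\n  listen-on { 127.0.0.1; };\n'
        '  dnssec-validation yes;\n};\ninclude "/etc/root_trusted_key";\n',
        "/etc/root_trusted_key": KEYFILE}

if __name__ == "__main__":
    print(diagnose(BAD))   # same line named logged in the original post
    print(diagnose(GOOD))
```

The path in the report is the chroot-relative one, which is why the log says /etc/root_trusted_key although the file lives under /var/named/etc on the host.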
