DNSSEC with 9.7.2-P2

David Forrest drf at maplepark.com
Wed Dec 1 21:55:35 UTC 2010


On Wed, 1 Dec 2010, lst_hoe02 at kwsoft.de wrote:

> Zitat von David Forrest <drf at maplepark.com>:
>
>> On Tue, 16 Nov 2010, Mark Andrews wrote:
>> <snipped>
>>>> 
>>>> Isn't it sufficient to configure the root trust anchor inside a
>>>> "managed-keys {};" statement? If I understand correctly the key should be
>>>> automatically updated, shouldn't it?
>>> 
>>> For 9.7 yes.
>>> 
>> 
>> I just updated to 9.7.2-P3 and got this message on start:
>> Dec  1 10:52:01 maplepark named[20356]: starting BIND 9.7.2-P3 -u named
>> Dec  1 10:52:01 maplepark named[20356]: built with defaults
>> Dec  1 10:52:01 maplepark named[20356]: using up to 4096 sockets
>> Dec  1 10:52:01 maplepark named[20356]: loading configuration from 
>> '/etc/named.conf'
>> Dec  1 10:52:01 maplepark named[20356]: reading built-in trusted keys from 
>> file '/etc/bind.keys'
>> 
>> I had removed that file for -P2 but the sudo make install of -P3 re-wrote 
>> it:
>> [drf at maplepark:~/src/bind-9.7.2-P3]$grep bind.keys typescript 
>> /usr/bin/install -c -m 644 ./bind.keys /etc
>> so it is back.
>> 
>> 
>> I do have a managed-keys statement in my named.conf:
>> managed-keys {
>>  "." initial-key 257 3 8 
>> "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
>> };
>> 
>> and it seems to run OK so far.
>> 
>> My question is whether the built-in trusted keys (/etc/bind.keys) is 
>> necessary or not in 9.7.2-P3.  I am assuming it is as the make step set it 
>> up.
>
> It is a DLV key, needed as a trust anchor until DNSSEC is chained from the DNS root 
> downwards. See http://www.isc.org/solutions/dlv for details.
>
> Regards
>
> Andreas
>

The startup of named with the builtin trusted keys and my managed-keys 
statement creates two identical separate mkeys files and their mkeys.jnl 
counterparts for the root . :
-rw-r--r--  1 named users    698 2010-12-01 04:47 
3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys
-rw-r--r--  1 named users    512 2010-12-01 04:47 
3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys.jnl
-rw-r--r--  1 named users    698 2010-12-01 04:51 
3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys
-rw-r--r--  1 named users    512 2010-12-01 04:51 
3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys.jnl

both of which show a key id == 19036

which seems odd.  I do have two views, though, for internal (recursive) 
and external (non-recursive) purposes.

Oh well, it works, as both views seem to authenticate DNSSEC:

[maplepark.com (view: external)]
                 1044 queries resulted in successful answer
                 1140 queries resulted in authoritative answer
                   17 queries resulted in nxrrset
                   79 queries resulted in NXDOMAIN
                    5 requested transfers completed
[maplepark.com (view: internal)]
                  333 queries resulted in successful answer
                 1129 queries resulted in authoritative answer
                    4 queries resulted in nxrrset
                  792 queries resulted in NXDOMAIN

Thanks,
Dave
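A check a practitioner would want at this point is that the key pasted into the managed-keys statement really is the key named reports as key id 19036 in the two mkeys files, and that it is a KSK (flags 257, SEP bit set). The following is an added example, not code from the thread or from BIND: it parses the managed-keys statement exactly as quoted above (the statement text is constructed inline from the message so the script runs offline) and computes the RFC 4034 Appendix B key tag over the DNSKEY RDATA. Function and constant names are my own. The key in the message is the 2010 root KSK; the same script works for any later anchor by pasting its initial-key line.

```python
"""Compute the RFC 4034 key tag of a DNSKEY pasted into a BIND
managed-keys statement and confirm it matches the key id named reports.

Added example; not part of the original thread or of BIND itself.
"""
import base64
import re
from typing import Dict, List

# The managed-keys statement as quoted in the message above, constructed
# here as a string so the script runs offline.
MANAGED_KEYS_STATEMENT = '''
managed-keys {
  "." initial-key 257 3 8
  "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};
'''

SEP_FLAG = 0x0001        # Secure Entry Point bit: 257 on a KSK, 256 on a ZSK
DNSKEY_PROTOCOL = 3      # the only valid DNSKEY protocol value (RFC 4034)


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    if algorithm == 1:
        # RSA/MD5 special case: 16 bits taken from the tail of the modulus.
        return (pubkey[-3] << 8) | pubkey[-2]
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        # even offsets are the high byte of a 16-bit word, odd offsets the low byte
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# One initial-key entry: "<name>" initial-key <flags> <proto> <alg> "<base64>";
_KEY_RE = re.compile(
    r'"(?P<name>[^"]+)"\s+initial-key\s+(?P<flags>\d+)\s+(?P<proto>\d+)\s+'
    r'(?P<alg>\d+)\s+"(?P<key>[^"]+)"\s*;',
    re.S,
)


def parse_managed_keys(text: str) -> List[Dict]:
    """Return one dict per initial-key entry found in a managed-keys statement."""
    entries = []
    for m in _KEY_RE.finditer(text):
        # the base64 may be wrapped across lines inside the quotes
        b64 = re.sub(r"\s+", "", m.group("key"))
        pubkey = base64.b64decode(b64, validate=True)
        flags = int(m.group("flags"))
        proto = int(m.group("proto"))
        alg = int(m.group("alg"))
        entries.append({
            "name": m.group("name"),
            "flags": flags,
            "protocol": proto,
            "algorithm": alg,
            "is_ksk": bool(flags & SEP_FLAG),
            "key_tag": key_tag(flags, proto, alg, pubkey),
        })
    return entries


def check_anchor(text: str, expected_tag: int) -> bool:
    """True iff the statement holds exactly one root KSK whose tag is expected_tag."""
    roots = [e for e in parse_managed_keys(text) if e["name"] == "."]
    if len(roots) != 1:
        return False
    root = roots[0]
    return (root["is_ksk"]
            and root["protocol"] == DNSKEY_PROTOCOL
            and root["key_tag"] == expected_tag)


if __name__ == "__main__":
    for entry in parse_managed_keys(MANAGED_KEYS_STATEMENT):
        print(entry)
    print("anchor matches key id 19036:", check_anchor(MANAGED_KEYS_STATEMENT, 19036))
```

The tag the script computes for the quoted key is the same 19036 that both mkeys files report, so the two files differ only in the view they belong to, not in the anchor they hold. A mismatch here (wrong tag, flags 256 instead of 257, or a base64 string that fails to decode) is the quickest way to catch a mangled paste of the trust anchor before named is restarted with it.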


