dnssec-lookaside != auto

Chris Thompson cet1 at cam.ac.uk
Mon Dec 20 00:11:15 UTC 2010


On Dec 19 2010, Torinthiel wrote:

>Hello everyone,
>
>I've recently updated bind to version 9.7.2_p3.
>
>I've been using DLV before that, specifically dlv.isc.org, with two
>entries in named.conf
>
>options {
>dnssec-lookaside . trust-anchor dlv.isc.org.;
>};
>trusted-keys{
>[sometext]
>};
>
>and it was working fine.
>However, on update I wanted to try managed-keys, so I changed
>trusted-keys to managed-keys (and added the initial key, of course)
>
>so the relevant part of config file now looks like this:
>
>managed-keys {
>dlv.isc.org. initial-key 257 3 5
>"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
>brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
>1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
>ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
>Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
>QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
>};
>
>
>This has caused a problem: every query caused an error, no answers, and these
>log entries:
>
>Dec 19 21:22:38 sarlac named[4137]: validating @0xb48c0030: dlv.isc.org
>DNSKEY: must be secure failure,  . is under DLV (startfinddlvsep)
>Dec 19 21:22:38 sarlac named[4137]: error (must-be-secure) resolving
>'dlv.isc.org/DNSKEY/IN': 156.154.101.23#53

One suspects some transcription error in the trust anchor, but
I admit I can't find one in the copy above.

>After some googling and finding
>http://www.mail-archive.com/bind-users@lists.isc.org/msg06660.html
>and even better
>http://www.mail-archive.com/bind-users@lists.isc.org/msg05689.html
>
>I've changed to dnssec-lookaside auto. Lo and behold, everything works fine.

"dnssec-lookaside auto" just imports the managed-keys statement from
[source-tree]/bind.keys. Compare that carefully with your explicit
managed-keys statement.

We are using managed-keys with explicit entries (not auto) for dlv.isc.org
and for the root zone (it's strange that you don't mention a trust anchor
for the root zone), and it works fine (modulo the remarks at the end: just
as well as a trusted-keys statement would, anyway).

>However, this presents the following problems to me:
>- managed keys does not work as advertised:
>In bind manual (PDF downloaded from http://www.bind9.net/manuals), it's
>said that managed-keys is similar to trusted-keys, but where key in
>trusted-keys is static and trusted as long as it's in config file, key
>in managed-keys is trusted only once, to download this key and store it
>in trusted database. This proves to be wrong, as it's not trusted even
>that one time.
>
>- I don't seem to be able to switch to another DLV registry.
>dnssec-lookaside accepts only auto, so I have no choice but to use
>built-in DLV. But, e.g. secspider.cs.ucla.edu looks interesting.
>
>Can anyone shed some light on whether this is my mistake, not having something
>in the configuration, or a general bind error?

You are doing something wrong, as it works for the rest of us.

However ... when all is said and done, using managed-keys rather than
trusted-keys has very limited value at the moment, if you are only
going to it for dlv.isc.org and the root (and of course you should
*not* use it for any trust anchor for which RFC 5011 compatible
rollovers have not been promised). Neither is likely to be rolled
over without a lot of publicity, and the managed-keys code still
has the bug described at 

https://lists.isc.org/pipermail/bind-users/2010-October/081399.html

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
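The comparison Chris recommends (check the explicit managed-keys statement character by character against the copy in bind.keys) is easy to get wrong by eye, since a wrapped 348-character base64 string hides a single-character transcription error. The following is an added example, not code from this thread, from BIND, or from ISC: it parses managed-keys/trusted-keys entries out of named.conf-style text, normalises the whitespace that named ignores inside the quoted key, computes the RFC 4034 Appendix B key tag so it can be checked against the tag the DLV operator publishes, and reports the first position at which two copies of the anchor differ. The bind.keys content and the "typo" copy are constructed inline (the reference copy simply reuses the key quoted in the original post); the function names are assumptions for this example.

```python
"""Compare an explicit managed-keys trust anchor with the copy in bind.keys.

Added example for the thread above; not BIND code.  Both named.conf-style
texts are constructed inline so the script runs offline.
"""
import base64
import re
import struct

# One managed-keys / trusted-keys entry:
#   <name> [initial-key] <flags> <protocol> <algorithm> "<base64 ...>";
# The quoted key may span several lines; named ignores whitespace inside it.
_ENTRY = re.compile(
    r'(?P<name>[A-Za-z0-9.\-]+)\s+(?:initial-key\s+)?'
    r'(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+'
    r'"(?P<key>[^"]*)"\s*;'
)


def parse_keys(conf_text):
    """Return {owner: (flags, proto, alg, base64_key_without_whitespace)}."""
    keys = {}
    for m in _ENTRY.finditer(conf_text):
        owner = m.group('name').rstrip('.').lower() + '.'
        key_b64 = re.sub(r'\s+', '', m.group('key'))
        keys[owner] = (int(m.group('flags')), int(m.group('proto')),
                       int(m.group('alg')), key_b64)
    return keys


def key_bytes(key_b64):
    """Strict base64 decode of the public key field (whitespace already removed)."""
    return base64.b64decode(key_b64, validate=True)


def key_tag(flags, proto, alg, key_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms but 1)."""
    rdata = struct.pack('!HBB', flags, proto, alg) + key_bytes(key_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compare_anchor(owner, conf_text, reference_text):
    """Compare the anchor for `owner` in conf_text with the one in reference_text.

    Returns a dict with 'status' of 'missing', 'match' or 'mismatch', the key
    tag of each copy, and the first differing base64 offset (or a note that
    the flags/protocol/algorithm fields differ)."""
    mine = parse_keys(conf_text).get(owner)
    ref = parse_keys(reference_text).get(owner)
    if mine is None or ref is None:
        return {'status': 'missing', 'in_conf': mine is not None,
                'in_reference': ref is not None}
    result = {'status': 'match' if mine == ref else 'mismatch',
              'conf_tag': key_tag(*mine), 'reference_tag': key_tag(*ref),
              'first_diff': None}
    if mine[:3] != ref[:3]:
        result['first_diff'] = 'flags/protocol/algorithm'
    else:
        for i, (a, b) in enumerate(zip(mine[3], ref[3])):
            if a != b:
                result['first_diff'] = i
                break
        else:
            if len(mine[3]) != len(ref[3]):
                result['first_diff'] = min(len(mine[3]), len(ref[3]))
    return result


# The dlv.isc.org key exactly as quoted in the original post (line-wrapped).
DLV_KEY_B64 = """
BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh
"""


def managed_keys_stmt(owner, key_b64):
    """Build a managed-keys statement in the layout bind.keys uses."""
    return 'managed-keys {\n    %s initial-key 257 3 5 "%s";\n};\n' % (owner, key_b64)


# Constructed stand-ins: a bind.keys copy, a correct named.conf copy, and a
# named.conf copy with one transcribed character changed (e -> c at offset 39).
BIND_KEYS_TEXT = managed_keys_stmt('dlv.isc.org.', DLV_KEY_B64)
GOOD_CONF = managed_keys_stmt('dlv.isc.org.', DLV_KEY_B64)
BAD_CONF = managed_keys_stmt('dlv.isc.org.',
                             DLV_KEY_B64.replace('juoZrW3euWEn', 'juoZrW3cuWEn', 1))

if __name__ == '__main__':
    for label, conf in (('good', GOOD_CONF), ('typo', BAD_CONF)):
        print(label, compare_anchor('dlv.isc.org.', conf, BIND_KEYS_TEXT))
```

In practice you would read your own named.conf and the bind.keys from the BIND source tree into `conf_text` and `reference_text` instead of the constructed strings. A `mismatch` with a small `first_diff` offset is the transcription error Chris suspects; a `missing` result for `.` is the absent root anchor he also remarks on. The key tag is printed for both copies so it can be compared with the tag published by the DLV operator, which catches a wrong key even when both local copies agree.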
