dnssec-lookaside auto and managed-keys-zone problem with certain views
Matthew Seaman
m.seaman at infracaninophile.co.uk
Sun Jul 18 11:27:34 UTC 2010
Dear list,
Is there a way of using dnssec-lookaside and forcing bind not to
maintain a managed-keys-zone for certain views? Or allowing it to start
up if the files are missing for some views? I have within my named.conf
this view, designed to hide bind.version and so forth from the world at
large:
// Quoted from the full named.conf below: a CHAOS-class view for
// untrusted clients that answers nobody (allow-query none) and holds no
// real zone data, so CHAOS names such as version.bind are not served to
// the world at large.
view "external-chaos" chaos {
match-clients { !trusted; };
allow-query { none; };
zone "." { type hint; file "/dev/null"; };
};
The 'trusted' acl is just a list of my local networks.
However, this seems to cause bind to fail to restart cleanly, as bind
never generates any managed-keys-zone file for this view. Now, I can
work around this by deleting all of the managed-keys-zone files from the
working directory every time I need to restart named, but that's not ideal.
Cheers,
Matthew
Full named.conf:
// $Id: named.conf 763 2010-07-18 09:25:15Z matthew $
// Refer to the named.conf(5) and named(8) man pages for details. If
// you are ever going to set up a primary server, make sure you've
// understood the hairy details of how DNS works. Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause a huge amount of useless Internet traffic.
// Access control lists. Not just anybody is allowed to make use of
// this service.
// Local hosts and networks. "trusted" is referenced below for
// allow-query / allow-query-cache in options, for the statistics
// channel, and as the match-clients / allow-recursion set of the
// internal view -- so this list is the recursion boundary.
acl trusted {
127.0.0.1; // localhost
::1; // localhost (IPv6)
81.187.76.160/29;
81.187.220.164;
2001:8b0:151:1::/64;
};
// Hosts permitted to pull zone transfers (allow-transfer in options).
// The external view relies on this global setting; the internal view
// sets allow-transfer { none; } explicitly.
acl secondaries {
127.0.0.1; // localhost
::1; // localhost (IPv6)
81.187.76.162; // ns0.infracaninophile.co.uk
2001:8b0:151:1:e2cb:4eff:fe26:6481; // ns0.infracaninophile.co.uk (IPv6)
81.187.81.32; // secondary-dns.co.uk (A&A)
2001:8b0:0:81::51bb:5120; // secondary-dns.co.uk (A&A, IPv6)
81.187.81.30; // secondary-ns.co.uk (A&A)
2001:8b0:0:81::51bb:5116; // secondary-ns.co.uk (A&A, IPv6)
2001:8b0::2021; // dns2.aaisp.net.uk
};
// Presumably these define the ipv4-bogons and ipv6-bogons ACLs used by
// "acl bogon" below; neither is defined in this file -- verify the
// included files, and keep them current, since stale bogon lists can
// blackhole legitimately allocated address space.
include "/etc/namedb/acl-ipv4-bogons.conf";
include "/etc/namedb/acl-ipv6-bogons.conf";
// Address space that should never appear as a client or a resolver
// target. Used by "blackhole" in options. ACL entries are matched in
// order, so the negated loopback entries must stay ahead of the
// included lists.
acl bogon {
// Filter out the bogon networks. These are networks
// listed by IANA as test, RFC1918, Multicast, experi-
// mental, etc.
// Allow 127.0.0.1, ::1 specifically
!127.0.0.1;
!::1;
// See: http://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt
ipv4-bogons;
// See: http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
ipv6-bogons;
};
// Logging: DNSSEC events go to their own rotated file; queries, security,
// resolver, transfer, notify, client, network and update categories share
// named.log; config and the default category stay on syslog. Both file
// channels are capped at 5 x 20m. Both are set to "severity debug", so
// anything logged at debug level reaches disk -- worth remembering if
// debug levels are raised on a busy server.
logging {
channel dnssec_log {
file "/var/log/dnssec" versions 5 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity debug;
};
channel named_log {
file "/var/log/named.log" versions 5 size 20m;
print-time yes;
severity debug;
};
category default { default_syslog; default_debug; };
category queries { named_log; default_debug; };
category dnssec { dnssec_log; };
category security { named_log; default_syslog; };
category config { default_syslog; };
category resolver { named_log; };
category xfer-in { named_log; };
category xfer-out { named_log; };
category notify { named_log; };
category client { named_log; };
category network { named_log; };
category update { named_log; };
category lame-servers { named_log; };
};
// HTTP statistics channel, ACL-restricted to the trusted networks.
// NOTE(review): "inet *" and "inet ::" bind the listener on every
// address (the syslog extract confirms 0.0.0.0#8080 and ::#8080); if
// the statistics are only read locally, binding to 127.0.0.1 / ::1 or
// the internal address would keep the socket off the public interface
// and rely less on the ACL alone.
statistics-channels {
inet * port 8080 allow { trusted; };
inet :: port 8080 allow { trusted; };
};
// Global server options. Views inherit anything they do not override
// (note in particular allow-query { trusted; } below).
options {
directory "/etc/namedb/working";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
memstatistics-file "/var/stats/named.memstats";
zone-statistics yes;
// Listen only on the loopback and on the primary IPv4 and IPv6
// network addresses, not the jail or tunnel IPs.
listen-on {
127.0.0.1;
81.187.76.162;
};
listen-on-v6 {
::1;
2001:8b0:151:1:e2cb:4eff:fe26:6481;
};
// Outbound queries, transfers and notifies all leave from the primary
// addresses; "port *" lets named pick the source port.
query-source address 81.187.76.162 port *;
query-source-v6 address 2001:8b0:151:1:e2cb:4eff:fe26:6481 port *;
transfer-source 81.187.76.162 port *;
transfer-source-v6 2001:8b0:151:1:e2cb:4eff:fe26:6481 port *;
notify-source 81.187.76.162 port *;
notify-source-v6 2001:8b0:151:1:e2cb:4eff:fe26:6481 port *;
// Source ports for outbound UDP are drawn from the whole unprivileged
// range (keep this wide: a narrow range weakens source-port
// randomisation).
use-v4-udp-ports { range 1024 65535; };
use-v6-udp-ports { range 1024 65535; };
// We have no dynamic interfaces, so don't check for changes
interface-interval 0;
// B******s to Verisign -- with bind-9.2.2.rc3 we can have
// delegation only from the TLDs
root-delegation-only exclude { "ad"; "af"; "ar"; "biz"; "cr"; "cu";
"de"; "dm"; "fr"; "id"; "lu"; "lv";
"md"; "ms"; "museum"; "name"; "no";
"pa"; "pf"; "re"; "se"; "sr"; "tn";
"to"; "tw"; "us"; "uy"; };
// Transfers only to the secondaries ACL; queries and cache access
// default to the trusted networks; recursion and dynamic update are off
// unless a view re-enables them (only internal-in turns recursion on).
allow-transfer { secondaries; };
allow-query { trusted; };
allow-query-cache { trusted; };
allow-recursion { none; };
allow-update { none; };
max-transfer-time-in 60;
// DNSSEC validation with automatic DLV lookaside. The syslog extract
// shows named setting up a managed-keys zone for every view, including
// the CHAOS-class view at the end of this file; the REQUIRE on rdclass
// in keydata_65533.c fires right after the two IN views' managed-keys
// zones load, which points at the CHAOS view's copy -- TODO confirm.
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
// Neither accept queries from nor send queries to bogon space.
blackhole { bogon; };
};
// Authentication for communicating with rndc --- only listen on the
// loopback port 953 for control connections
// Shared secret for the rndc control channel (referenced by "controls").
// NOTE(review): this secret has been posted in a public mailing-list
// message along with the rest of the config; regenerate it with
// rndc-confgen on the server and in rndc.conf, and consider hmac-sha256
// rather than hmac-md5 when doing so.
key "rndc-key" {
algorithm hmac-md5;
secret "MrCkB0CphF4MKmcTY5q/9Q==";
};
// Control channel: loopback only, both address families, and only
// clients presenting rndc-key are accepted.
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
inet ::1 port 953
allow { ::1; } keys { "rndc-key"; };
};
// Zone data files.
// Recursive view for the trusted networks. Transfers are refused here
// (the external view handles secondaries) and notifies are not sent.
view "internal-in" in {
// Internal networks -- can recurse via this server and access
// its cache. They also get to query for localhost related
// addresses.
match-clients { trusted; };
allow-transfer { none; };
allow-recursion { trusted; };
recursion yes;
additional-from-auth yes;
additional-from-cache yes;
notify no;
// The built-in empty zone for the ::1 reverse is disabled, presumably
// because that name is answered from the 0.ip6.arpa master zone below
// -- verify the zone file covers it.
disable-empty-zone
"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa";
// The traditional root hints mechanism.
zone "." { type hint; file "/etc/namedb/named.root"; };
// RFC 1912
zone "localhost"
{
type master;
file "/etc/namedb/master/localhost-forward";
};
zone "127.in-addr.arpa"
{
type master;
file "/etc/namedb/master/localhost-reverse";
};
// RFC 1912-style zone for IPv6 localhost address
zone "0.ip6.arpa"
{
type master;
file "/etc/namedb/master/localhost-reverse";
};
// Authoritative zones shared with the external view.
include "/etc/namedb/named.zones";
};
// Authoritative-only view for everyone else. No view-level allow-query
// is set, so the global allow-query { trusted; } is inherited; unless
// the zones in named.zones carry their own allow-query { any; }, outside
// clients would be refused -- NOTE(review): confirm against named.zones.
view "external-in" in {
// Publicly accessible zone data. The whole world can see this.
// Recursion and access to cache not allowed for the world in
// general.
match-clients { any; };
recursion no;
additional-from-auth no;
additional-from-cache no;
notify yes;
// The traditional root hints mechanism.
zone "." { type hint; file "/etc/namedb/named.root"; };
include "/etc/namedb/named.zones";
};
// CHAOS-class view for untrusted clients: answers nobody and has no
// zone data, so version.bind and friends stay hidden. The syslog extract
// shows a managed-keys zone being set up for this view too, inherited
// from the global dnssec settings; since managed key data is class IN,
// that is presumably what trips REQUIRE(keydata->common.rdclass ==
// rdclass). Disabling validation and lookaside inside this view --
// `dnssec-validation no;` and `dnssec-lookaside no;` -- should stop named
// creating that zone here; TODO confirm on 9.7.1-P2.
view "external-chaos" chaos {
match-clients { !trusted; };
allow-query { none; };
zone "." { type hint; file "/dev/null"; };
};
//
// That's All Folks!
//
Syslog extract:
Jul 18 11:59:31 lucid-nonsense named[89734]: starting BIND 9.7.1-P2 -c
/etc/namedb/named.conf -t /var/named -u bind
Jul 18 11:59:31 lucid-nonsense named[89734]: built with
'--localstatedir=/var' '--disable-linux-caps' '--disable-symtable'
'--with-randomdev=/dev/random' '--with-openssl=/usr/local'
'--with-libxml2=/usr/local' '--with-idn=/usr/local'
'--with-libiconv=/usr/local' '--enable-largefile'
'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-ipv6' '--enable-threads'
'--prefix=/usr/local' '--mandir=/usr/local/man'
'--infodir=/usr/local/info/' '--build=x86_64-portbld-freebsd8.1'
'build_alias=x86_64-portbld-freebsd8.1'
'CC=/usr/local/libexec/ccache/world-cc' 'CFLAGS=-O2 -pipe -march=native
-fno-strict-aliasing' 'LDFLAGS= -rpath=/usr/local/lib'
'CXX=/usr/local/libexec/ccache/world-c++' 'CXXFLAGS=-O2 -pipe
-march=native -fno-strict-aliasing'
Jul 18 11:59:31 lucid-nonsense named[89734]: found 2 CPUs, using 2
worker threads
Jul 18 11:59:31 lucid-nonsense named[89734]: using up to 4096 sockets
Jul 18 11:59:31 lucid-nonsense named[89734]: loading configuration from
'/etc/namedb/named.conf'
Jul 18 11:59:31 lucid-nonsense named[89734]: statistics channel
listening on 0.0.0.0#8080
Jul 18 11:59:31 lucid-nonsense named[89734]: statistics channel
listening on ::#8080
Jul 18 11:59:31 lucid-nonsense named[89734]: listening on IPv4 interface
re0, 81.187.76.162#53
Jul 18 11:59:31 lucid-nonsense named[89734]: listening on IPv6 interface
re0, 2001:8b0:151:1:e2cb:4eff:fe26:6481#53
Jul 18 11:59:31 lucid-nonsense named[89734]: listening on IPv4 interface
lo0, 127.0.0.1#53
Jul 18 11:59:31 lucid-nonsense named[89734]: listening on IPv6 interface
lo0, ::1#53
Jul 18 11:59:31 lucid-nonsense named[89734]: generating session key for
dynamic DNS
Jul 18 11:59:31 lucid-nonsense named[89734]: using built-in trusted-keys
for view internal-in
Jul 18 11:59:31 lucid-nonsense named[89734]: set up managed keys zone
for view internal-in, file
'eaf1b28c3f53aa70edb889428dd9dd32eb81e6368a937db8ca0445d10de296b0.mkeys'
Jul 18 11:59:31 lucid-nonsense named[89734]: automatic empty zone: view
internal-in: 0.IN-ADDR.ARPA
Jul 18 11:59:31 lucid-nonsense named[89734]: automatic empty zone: view
internal-in: 254.169.IN-ADDR.ARPA
Jul 18 11:59:31 lucid-nonsense named[89734]: automatic empty zone: view
internal-in: 2.0.192.IN-ADDR.ARPA
Jul 18 11:59:31 lucid-nonsense named[89734]: automatic empty zone: view
internal-in: 100.51.198.IN-ADDR.ARPA
Jul 18 11:59:31 lucid-nonsense named[89734]: automatic empty zone: view
internal-in: 113.0.203.IN-ADDR.ARPA
Jul 18 11:59:31 lucid-nonsense named[89734]: automatic empty zone: view
internal-in: 255.255.255.255.IN-ADDR.ARPA
Jul 18 11:59:31 lucid-nonsense named[89734]: automatic empty zone: view
internal-in:
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jul 18 11:59:31 lucid-nonsense named[89734]: automatic empty zone: view
internal-in: D.F.IP6.ARPA
Jul 18 11:59:31 lucid-nonsense named[89734]: automatic empty zone: view
internal-in: 8.E.F.IP6.ARPA
Jul 18 11:59:31 lucid-nonsense named[89734]: automatic empty zone: view
internal-in: 9.E.F.IP6.ARPA
Jul 18 11:59:31 lucid-nonsense named[89734]: automatic empty zone: view
internal-in: A.E.F.IP6.ARPA
Jul 18 11:59:31 lucid-nonsense named[89734]: automatic empty zone: view
internal-in: B.E.F.IP6.ARPA
Jul 18 11:59:31 lucid-nonsense named[89734]: automatic empty zone: view
internal-in: 8.B.D.0.1.0.0.2.IP6.ARPA
Jul 18 11:59:31 lucid-nonsense named[89734]: automatic empty zone: view
internal-in: 0.1.1.0.0.2.IP6.ARPA
Jul 18 11:59:31 lucid-nonsense named[89734]: using built-in trusted-keys
for view external-in
Jul 18 11:59:31 lucid-nonsense named[89734]: set up managed keys zone
for view external-in, file
'4f44c0745853b35bc1bd400e1dd93b704aa0b9a7965c4876c72824d5debbf2ac.mkeys'
Jul 18 11:59:31 lucid-nonsense named[89734]: set up managed keys zone
for view external-chaos, file
'466ec7d86eeb6bcae696bb9ed82824f344579a6725854730827076b7f5f7f3c5.mkeys'
Jul 18 11:59:31 lucid-nonsense named[89734]: command channel listening
on 127.0.0.1#953
Jul 18 11:59:31 lucid-nonsense named[89734]: command channel listening
on ::1#953
Jul 18 11:59:31 lucid-nonsense named[89734]: zone
127.in-addr.arpa/IN/internal-in: loaded serial 2010071100
Jul 18 11:59:31 lucid-nonsense named[89734]: zone
164.220.187.81.in-addr.arpa/IN/internal-in: loaded serial 2010071100
(DNSSEC signed)
Jul 18 11:59:31 lucid-nonsense named[89734]: zone
160-167.76.187.81.in-addr.arpa/IN/internal-in: loaded serial 2010071100
(DNSSEC signed)
Jul 18 11:59:31 lucid-nonsense named[89734]: zone
0.ip6.arpa/IN/internal-in: loaded serial 2010071100
Jul 18 11:59:31 lucid-nonsense named[89734]: zone
1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa/IN/internal-in: loaded serial
2010071100 (DNSSEC signed)
Jul 18 11:59:31 lucid-nonsense named[89734]: zone
localhost/IN/internal-in: loaded serial 2010071100
Jul 18 11:59:31 lucid-nonsense named[89734]: zone
black-earth.co.uk/IN/internal-in: loaded serial 2010071100 (DNSSEC signed)
Jul 18 11:59:31 lucid-nonsense named[89734]: zone
infracaninophile.co.uk/IN/internal-in: loaded serial 2010071100 (DNSSEC
signed)
Jul 18 11:59:31 lucid-nonsense named[89734]: managed-keys-zone
./IN/internal-in: loaded serial 3
Jul 18 11:59:31 lucid-nonsense named[89734]: zone
164.220.187.81.in-addr.arpa/IN/external-in: loaded serial 2010071100
(DNSSEC signed)
Jul 18 11:59:31 lucid-nonsense named[89734]: zone
160-167.76.187.81.in-addr.arpa/IN/external-in: loaded serial 2010071100
(DNSSEC signed)
Jul 18 11:59:31 lucid-nonsense named[89734]: zone
1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa/IN/external-in: loaded serial
2010071100 (DNSSEC signed)
Jul 18 11:59:31 lucid-nonsense named[89734]: zone
black-earth.co.uk/IN/external-in: loaded serial 2010071100 (DNSSEC signed)
Jul 18 11:59:31 lucid-nonsense named[89734]: zone
infracaninophile.co.uk/IN/external-in: loaded serial 2010071100 (DNSSEC
signed)
Jul 18 11:59:31 lucid-nonsense named[89734]: managed-keys-zone
./IN/external-in: loaded serial 3
Jul 18 11:59:31 lucid-nonsense named[89734]:
rdata/generic/keydata_65533.c:222: REQUIRE(keydata->common.rdclass ==
rdclass) failed, back trace
Jul 18 11:59:31 lucid-nonsense kernel: Jul 18 11:59:31 lucid-nonsense
named[89734]: rdata/generic/keydata_65533.c:222:
REQUIRE(keydata->common.rdclass == rdclass) failed, back trace
Jul 18 11:59:31 lucid-nonsense kernel: pid 89734 (named), uid 53: exited
on signal 6
Jul 18 11:59:31 lucid-nonsense named[89734]: #0 0x413a5b in ??
Jul 18 11:59:31 lucid-nonsense kernel: Jul 18 11:59:31 lucid-nonsense
named[89734]: #0 0x413a5b in ??
Jul 18 11:59:31 lucid-nonsense named[89734]: #1 0x55c37a in ??
Jul 18 11:59:31 lucid-nonsense kernel: Jul 18 11:59:31 lucid-nonsense
named[89734]: #1 0x55c37a in ??
Jul 18 11:59:31 lucid-nonsense named[89734]: #2 0x4c60dc in ??
Jul 18 11:59:31 lucid-nonsense kernel: Jul 18 11:59:31 lucid-nonsense
named[89734]: #2 0x4c60dc in ??
Jul 18 11:59:31 lucid-nonsense named[89734]: #3 0x4c8965 in ??
Jul 18 11:59:31 lucid-nonsense kernel: Jul 18 11:59:31 lucid-nonsense
named[89734]: #3 0x4c8965 in ??
Jul 18 11:59:31 lucid-nonsense named[89734]: #4 0x536097 in ??
Jul 18 11:59:31 lucid-nonsense kernel: Jul 18 11:59:31 lucid-nonsense
named[89734]: #4 0x536097 in ??
Jul 18 11:59:31 lucid-nonsense named[89734]: #5 0x53675b in ??
Jul 18 11:59:31 lucid-nonsense kernel: Jul 18 11:59:31 lucid-nonsense
named[89734]: #5 0x53675b in ??
Jul 18 11:59:31 lucid-nonsense named[89734]: #6 0x5384c1 in ??
Jul 18 11:59:31 lucid-nonsense kernel: Jul 18 11:59:31 lucid-nonsense
named[89734]: #6 0x5384c1 in ??
Jul 18 11:59:31 lucid-nonsense named[89734]: #7 0x42c041 in ??
Jul 18 11:59:31 lucid-nonsense kernel: Jul 18 11:59:31 lucid-nonsense
named[89734]: #7 0x42c041 in ??
Jul 18 11:59:31 lucid-nonsense named[89734]: #8 0x42d018 in ??
Jul 18 11:59:31 lucid-nonsense kernel: Jul 18 11:59:31 lucid-nonsense
named[89734]: #8 0x42d018 in ??
Jul 18 11:59:31 lucid-nonsense named[89734]: #9 0x576c55 in ??
Jul 18 11:59:31 lucid-nonsense kernel: Jul 18 11:59:31 lucid-nonsense
named[89734]: #9 0x576c55 in ??
Jul 18 11:59:31 lucid-nonsense named[89734]: #10 0x801236511 in ??
Jul 18 11:59:31 lucid-nonsense kernel: Jul 18 11:59:31 lucid-nonsense
named[89734]: #10 0x801236511 in ??
Jul 18 11:59:31 lucid-nonsense named[89734]: #11 0x0 in ??
Jul 18 11:59:31 lucid-nonsense kernel: Jul 18 11:59:31 lucid-nonsense
named[89734]: #11 0x0 in ??
Jul 18 11:59:31 lucid-nonsense named[89734]: exiting (due to assertion
failure)
Jul 18 11:59:31 lucid-nonsense kernel: Jul 18 11:59:31 lucid-nonsense
named[89734]: exiting (due to assertion failure)
Jul 18 11:59:31 lucid-nonsense matthew: /etc/rc.d/named: WARNING: failed
to start named
--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matthew at infracaninophile.co.uk Kent, CT11 9PW