DNSSEC with 9.7.2-P2

David Forrest drf at maplepark.com
Mon Nov 15 13:34:43 UTC 2010


On Fri, 12 Nov 2010, Phil Mayers wrote:

> On 12/11/10 12:49, David Forrest wrote:
>> 
>> and, on checking named.conf, I found the entry for br. as:
>> trusted-keys {
>>   	"br." 257 3 5
>> "AwEAAdDoVnG9CyHbPUL2rTnE22uN66gQCrUW5W0NTXJBNmpZXP27w7PMNpyw3XCFQWP/XsT0pdzeEGJ400kdbbPqXr2lnmEtWMjj3Z/ejR8mZbJ/6OWJQ0k/2YOyo6Tiab1NGbGfs513y6dy1hOFpz+peZzGsCmcaCsTAv+DP/wmm+hNx94QqhVx0bmFUiCVUFKU3TS1GP415eykXvYDjNpy6AM=";
>> };
>
>
> This key is invalid for "br".
>
> Since you're running 9.7.2, don't do this. "br" is signed by the root; 
> instead, define a "managed-keys" statement for "." and let the root DNSSEC 
> take care of it.
>
> See:
>
> http://www.isc.org/community/blog/201007/using-root-dnssec-key-bind-9-resolvers

That fixed it! Thanks, Phil.

Upon restarting I got a starting log message:
reading built-in trusted keys from file '/etc/bind.keys'

and stopped it with rndc to rename that file as it seemed to be a 
lookaside key for dlv.  After a restart of named I got only a 
named[25911]: set up managed keys zone for view external, file 
'3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys' 
message and it seems to be working fine now.

Although I am using Fedora 11, I did disable the inits for the 
distribution scripts and start named from a root cron crontab
(* * * * * /usr/bin/pgrep named >/dev/null || (ulimit -u 4096; /usr/local/sbin/named -u named))
as I have all the 9.7.2-P2 stuff in /usr/local/sbin while F11 used 
/usr/sbin.  My troubles were of my own making, not F11's, although I do 
not remember creating the '/etc/bind.keys' file.

Thanks again, this is a very helpful list.

Dave


-- 
David Forrest                   e-mail   drf @ maplepark.com
Maple Park Development Corporation  http://xen.maplepark.com
St. Louis, Missouri    (Sent by ALPINE 2.01 FEDORA 11 LINUX)
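A small audit script, added here as an example and not part of this thread or of BIND itself, that catches the misconfiguration Phil pointed out: a static trusted-keys anchor for a zone (here "br.") that already chains from a managed root anchor, so a stale copy of the key breaks validation for that zone. It parses trusted-keys and managed-keys blocks out of named.conf text and reports what to fix. The br. key in the constructed sample is the one quoted above; the root key is an obviously labelled placeholder rather than the real root KSK, which BIND ships in bind.keys and the ISC page linked above documents.

```python
"""Audit DNSSEC trust anchors declared in a BIND named.conf (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Anchor:
    stmt: str       # "trusted-keys" (static) or "managed-keys" (RFC 5011, auto-rollover)
    name: str       # owner name, e.g. "." or "br."
    flags: int      # 257 = KSK, 256 = ZSK
    protocol: int   # always 3 for DNSSEC
    algorithm: int  # 5 = RSASHA1, 8 = RSASHA256, ...
    key: str        # base64 public key, whitespace removed


# Each statement is one brace block terminated by "};" (no nesting inside).
BLOCK_RE = re.compile(r'\b(trusted-keys|managed-keys)\s*\{(.*?)\};', re.S)
# trusted-keys entry:  "name" flags protocol algorithm "key";
# managed-keys entry:  "name" initial-key flags protocol algorithm "key";
ENTRY_RE = re.compile(
    r'"([^"]+)"\s+(?:initial-key\s+)?(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;', re.S)


def parse_anchors(conf: str) -> list[Anchor]:
    """Return every trust anchor declared in the configuration text, in file order."""
    anchors = []
    for block in BLOCK_RE.finditer(conf):
        stmt, body = block.group(1), block.group(2)
        for e in ENTRY_RE.finditer(body):
            name, flags, proto, alg, key = e.groups()
            anchors.append(Anchor(stmt, name.lower(), int(flags), int(proto),
                                  int(alg), re.sub(r"\s+", "", key)))
    return anchors


def audit_anchors(anchors: list[Anchor]) -> list[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    root_managed = any(a.stmt == "managed-keys" and a.name == "." for a in anchors)
    if not root_managed:
        findings.append("no managed-keys entry for '.': root KSK rollovers will not be tracked")
    for a in anchors:
        if a.stmt == "trusted-keys":
            if a.name == ".":
                findings.append("root anchor is a static trusted-keys entry; "
                                "use managed-keys so it follows rollovers")
            elif root_managed:
                # A static anchor below the root is used for that zone instead of the
                # chain from '.', so once the zone's KSK changes, validation fails there.
                findings.append(f"static trusted-keys anchor for '{a.name}' sits under the "
                                "signed root; a stale copy breaks validation for that "
                                "zone, so remove it and rely on the chain from '.'")
        if a.flags != 257:
            findings.append(f"anchor for '{a.name}' has flags {a.flags}; a KSK "
                            "trust anchor is expected to carry 257")
        if a.protocol != 3:
            findings.append(f"anchor for '{a.name}' has protocol {a.protocol}; DNSSEC keys use 3")
    return findings


def audit_conf(conf: str) -> list[str]:
    """Parse and audit a named.conf fragment in one call."""
    return audit_anchors(parse_anchors(conf))


# Constructed named.conf fragment mirroring the thread: the stale br. anchor from the
# message above next to a managed root anchor. The root key string is a PLACEHOLDER,
# not the real root KSK.
BROKEN_CONF = """
options { dnssec-enable yes; dnssec-validation yes; };
trusted-keys {
  "br." 257 3 5
  "AwEAAdDoVnG9CyHbPUL2rTnE22uN66gQCrUW5W0NTXJBNmpZXP27w7PMNpyw3XCFQWP/XsT0pdzeEGJ400kdbbPqXr2lnmEtWMjj3Z/ejR8mZbJ/6OWJQ0k/2YOyo6Tiab1NGbGfs513y6dy1hOFpz+peZzGsCmcaCsTAv+DP/wmm+hNx94QqhVx0bmFUiCVUFKU3TS1GP415eykXvYDjNpy6AM=";
};
managed-keys {
  "." initial-key 257 3 8 "PLACEHOLDER-ROOT-KSK-NOT-A-REAL-KEY";
};
"""

# The same resolver after applying Phil's advice: only the managed root anchor remains.
FIXED_CONF = """
options { dnssec-enable yes; dnssec-validation yes; };
managed-keys {
  "." initial-key 257 3 8 "PLACEHOLDER-ROOT-KSK-NOT-A-REAL-KEY";
};
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"{label}: {audit_conf(conf) or ['OK']}")
```

Run it against the real named.conf by reading the file into audit_conf(); the parser is deliberately narrow (it does not handle comments inside the key blocks or include files), so treat it as a pre-restart sanity check rather than a full configuration validator.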
