dnssec and chaos view

ben thielsen btb at bitrate.net
Fri Dec 2 03:55:14 UTC 2011 

i'm seeing unexpected behavior that seems to be related to using dnssec and having a view defined for the chaos class.

named complains:

01-Dec-2011 22:47:34.712 general: info: managed-keys-zone ./IN/default: loaded serial 11
01-Dec-2011 22:47:34.712 general: error: managed-keys-zone ./CH/chaos: loading from master file /etc/bind/keys/managed/5d5bddb577102d0a960bcf6fea9050c10fe5e9feddcb5c2170ccab872db9ee87.mkeys failed: file not found
01-Dec-2011 22:47:34.712 general: info: managed-keys-zone ./CH/chaos: loaded serial 0
01-Dec-2011 22:47:34.716 general: notice: running

if i remove the view, named doesn't complain.  why is named trying to do dnssec stuff for objects in the chaos class?  that was the surprising bit.  a few details below.

thanks
-ben

>named -V
BIND 9.8.1 built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
using OpenSSL version: OpenSSL 1.0.0e 6 Sep 2011
using libxml2 version: 2.7.8

>named-checkconf -p
options {
	bindkeys-file "/etc/bind/keys/dnssec/bind.keys";
	blackhole {
		"bogon";
	};
	directory "/var/cache/bind";
	dump-file "/var/log/named/named.dump";
	interface-interval 0;
	managed-keys-directory "/etc/bind/keys/managed";
	memstatistics-file "/var/log/named/named.memstats";
	recursing-file "/var/log/named/named.recursing";
	statistics-file "/var/log/named/named.stats";
	allow-query-cache {
		"loopback";
		"physical_interfaces";
	};
	allow-query-cache-on {
		"loopback";
		"physical_interfaces";
	};
	allow-recursion {
		"loopback";
		"physical_interfaces";
	};
	allow-recursion-on {
		"loopback";
		"physical_interfaces";
	};
	dnssec-lookaside auto;
	dnssec-validation auto;
	minimal-responses yes;
	allow-query {
		"any";
	};
	allow-query-on {
		"loopback";
		"physical_interfaces";
	};
	allow-transfer {
		"loopback";
		"physical_interfaces";
		"slaves";
	};
	notify no;
	zone-statistics yes;
};


view "default" in {
	match-clients {
		"any";
	};
};

view "chaos" chaos {
	match-clients {
		"any";
	};
	zone "." {
		type hint;
		file "/dev/null";
	};
	zone "bind" {
		type master;
		file "/srv/dns/zones/system/db.bind";
	};
	zone "server" {
		type master;
		file "/srv/dns/zones/system/db.server";
	};
	allow-query-cache {
		"none";
	};
	allow-query-cache-on {
		"none";
	};
	allow-recursion {
		"none";
	};
	allow-recursion-on {
		"none";
	};
	dnssec-enable no;
	dnssec-validation no;
	allow-query {
		"loopback";
		"physical_interfaces";
	};
	allow-query-on {
		"loopback";
		"physical_interfaces";
	};
	allow-transfer {
		"none";
	};
};

More information about the bind-users mailing list