dnssec validation, managed keys, and chaos view

btb at bitrate.net btb at bitrate.net
Mon Feb 28 19:17:45 UTC 2011


On 2011.02.28 00.20, Evan Hunt wrote:
>> if i comment out dnssec-lookaside, or the chaos view, things seem to work
>> ok.  i'm wondering what i can do to further diagnose what is happening.
>> below is my configuration, with the (presumably) uninteresting bits
>> removed.  i'm using 9.7.1, courtesy of ubuntu 10.10.
>
> Try putting "dnssec-lookaside auto;" into all the non-chaos view
> stanzas separately, and leaving it out of the chaos one.

even with `dnssec-lookaside auto;` only in the non-chaos view stanzas, named 
still seems to do something relating to the chaos view:

28-Feb-2011 14:12:44.702 general: info: managed-keys-zone ./IN/internal: 
loaded serial 2
28-Feb-2011 14:12:44.703 general: info: zone 
5.0.1.0.1.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa/IN/external: loaded serial 
2010061300
28-Feb-2011 14:12:44.703 general: info: zone 
1.4.2.c.0.7.4.0.1.0.0.2.ip6.arpa/IN/external: loaded serial 2010061300
28-Feb-2011 14:12:44.705 general: info: zone bitrate.net/IN/external: 
loaded serial 2010061300
28-Feb-2011 14:12:44.706 general: info: zone dipswitch.net/IN/external: 
loaded serial 2010121001
28-Feb-2011 14:12:44.706 general: info: zone 
groundnoise.net/IN/external: loaded serial 2010061301
28-Feb-2011 14:12:44.706 general: info: zone sjva1991.org/IN/external: 
loaded serial 2010061300
28-Feb-2011 14:12:44.707 general: info: zone thielsen.org/IN/external: 
loaded serial 2010061300
28-Feb-2011 14:12:44.784 general: info: managed-keys-zone ./IN/external: 
loaded serial 8
28-Feb-2011 14:12:44.784 general: info: zone bind/CH/chaos: loaded 
serial 2009113000
28-Feb-2011 14:12:44.784 general: error: managed-keys-zone ./CH/chaos: 
loading from master file 
/etc/bind/keys/managed/5d5bddb577102d0a960bcf6fea9050c10fe5e9feddcb5c2170ccab872db9ee87.mkeys 
failed: file not found
28-Feb-2011 14:12:44.785 general: critical: 
rdata/generic/keydata_65533.c:222: REQUIRE(keydata->common.rdclass == 
rdclass) failed, back trace
28-Feb-2011 14:12:44.785 general: critical: #0 0x424290 in ??
28-Feb-2011 14:12:44.785 general: critical: #1 0x119773 in ??
28-Feb-2011 14:12:44.785 general: critical: #2 0xee4276 in ??
28-Feb-2011 14:12:44.785 general: critical: #3 0xee55b9 in ??
28-Feb-2011 14:12:44.785 general: critical: #4 0xf691d8 in ??
28-Feb-2011 14:12:44.785 general: critical: #5 0xf69d39 in ??
28-Feb-2011 14:12:44.785 general: critical: #6 0xf6ba24 in ??
28-Feb-2011 14:12:44.785 general: critical: #7 0x44219a in ??
28-Feb-2011 14:12:44.785 general: critical: #8 0x442400 in ??
28-Feb-2011 14:12:44.785 general: critical: #9 0x13c2cb in ??
28-Feb-2011 14:12:44.785 general: critical: #10 0xdb6cc9 in ??
28-Feb-2011 14:12:44.785 general: critical: #11 0x7d869e in ??
28-Feb-2011 14:12:44.785 general: critical: exiting (due to assertion 
failure)



modified config:

/etc/bind >named-checkconf -p
// Global options as printed by "named-checkconf -p". The ACL names used
// below ("bogon", "private_lan", "slaves") are defined outside this excerpt.
options {
	// Trust-anchor file read for "dnssec-lookaside auto" in the views below.
	bindkeys-file "/etc/bind/keys/dnssec/bind.keys";
	blackhole {
		"bogon";
	};
	directory "/var/cache/bind";
	dump-file "/var/log/named/named.dump";
	interface-interval 0;
	listen-on-v6 {
		::1/128;
	};
	// Per-view managed-keys zones are persisted as <hash>.mkeys files here;
	// the log above shows the CH/chaos view looking for one that does not exist.
	managed-keys-directory "/etc/bind/keys/managed";
	memstatistics-file "/var/log/named/named.memstats";
	recursing-file "/var/log/named/namedrecursing";
	statistics-file "/var/log/named/named.stats";
	// Recursion and cache answers are limited to local and private-LAN clients.
	allow-query-cache-on {
		"localhost";
		"private_lan";
	};
	allow-recursion {
		"localhost";
		"private_lan";
	};
	allow-recursion-on {
		"localhost";
		"private_lan";
	};
	minimal-responses yes;
	// Default transfer policy; the chaos view overrides it with "none".
	allow-transfer {
		"localhost";
		"slaves";
	};
	zone-statistics yes;
};

// Views are matched in order: IN-class queries from localhost/private_lan
// land here; everything else falls through to "external".
view "internal" in {
	match-clients {
		"localhost";
		"private_lan";
	};

	zone "example.com" {
		type master;
		file "/var/lib/bind/internal/example.com";
		// Dynamic updates are gated on key "ddns-key-1" (key statement not shown).
		allow-update {
			key "ddns-key-1";
		};
	};
	// Lookaside validation enabled per view, as suggested upthread, instead of globally.
	dnssec-lookaside "auto" ;
};

// Catch-all IN-class view for clients not matched by "internal"; recursion is
// still restricted by the global allow-recursion ACLs above.
view "external" in {
	match-clients {
		"any";
	};
	zone "example.com" {
		type master;
		file "/etc/bind/zones/external/example.com";
	};
	// Lookaside validation enabled per view, as suggested upthread, instead of globally.
	dnssec-lookaside "auto" ;
};
// CH-class view; per the reply above, dnssec-lookaside is deliberately absent here.
// NOTE(review): the log above shows named nevertheless creating
// managed-keys-zone ./CH/chaos, failing to load its .mkeys file, and then
// exiting on REQUIRE(keydata->common.rdclass == rdclass) in keydata_65533.c,
// so the crash appears tied to this class-CH view rather than to the
// lookaside setting in the IN views.
view "chaos" chaos {
	match-clients {
		"any";
	};
	// Empty hint zone: no CH root servers are configured.
	zone "." {
		type hint;
		file "/dev/null";
	};
	// Presumably the version.bind / hostname.bind data — confirm against db.bind.
	zone "bind" {
		type master;
		file "/etc/bind/zones/system/db.bind";
	};
	// Only local clients may query this view, and zone transfers are disabled.
	allow-query {
		"localhost";
	};
	allow-transfer {
		"none";
	};
};


