DNSSEC auto-dnssec issue bind-9.7.2-P3
Zbigniew Jasiński
szopen at nask.pl
Fri Jan 21 13:05:30 UTC 2011
On 2011-01-21 11:23, Kalman Feher wrote:
> The only way I can replicate the behaviour is with dnssec-enable no or with
> an unsigned version of the zone in another view. Assuming you've not
> overlapped your views in such a way (it was a very contrived test), I think
> you'll need to provide a bit more information on your configuration.
>
> -options
> -relevant view statement
> -The zone statement (from the hashed file if you are using the new dynamic
> zones feature).
> -The zone itself
> -Query logs.
>
> Without the full dig output it is hard to see what is actually happening.
> I'd suggest including that as well.
>
> If you dig axfr or dig rrsig are the signatures present?
>
I've conducted a test with 'auto-dnssec allow' and that works without a
single problem; then I just change this option to 'auto-dnssec
maintain' and odd things happen.
I didn't mention it before, but this named is working with SoftHSM. But like
I said, no problems with 'auto-dnssec allow'.
This is the zone conf:

    zone "example" {
        type master;
        file "var/zone/example";
        allow-update { loopback; };
        allow-transfer { trusted; loopback; };
        auto-dnssec maintain;
        key-directory "var/keys/example";
    };
named.conf:

    controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
        inet ::1 port 953 allow { ::1; } keys { "rndc-key"; };
    };

    acl trusted {
        127.0.0.1;
        172.16.7.5;
    };

    acl loopback {
        127.0.0.1;
    };

    acl eth0 {
        172.16.7.5;
    };

    options {
        directory "/";
        query-source address 172.16.7.5;
        notify-source 172.16.7.5;
        transfer-source 172.16.7.5;
        port 53;
        pid-file "var/run/named/named.pid";
        session-keyfile "var/run/named/session.key";
        listen-on {
            loopback;
            eth0;
        };
        listen-on-v6 { none; };
        recursion no;
        notify explicit;
        allow-query { trusted; };
        dnssec-enable yes;
        dnssec-validation yes;
        max-journal-size 100k;
        random-device "/dev/urandom";
    };
This is the zone file:

    $TTL 3600
    example.        SOA     ns1.example. bugs.x.w.example. (
                            1292481908
                            7200
                            3600
                            734400
                            600
                            )
                    TXT     "dnssec test"
                    NS      ns1.example.
                    NS      ns2.example.
    $ORIGIN example.
    ns1             A       127.0.0.3
    ns2             A       127.0.0.4
    a               NS      ns1.a
                    NS      ns2.a
                    DS      23344 5 1 CECDDBFFD6A0C01F8D7E96C4BE31CB577433DD56
    ns1.a      IN   A       127.0.0.1
    ns2.a      IN   A       127.0.0.1
    c               NS      ns1.c
    c               NS      ns2.c
    ns1.c      IN   A       127.0.0.5
    ns2.c      IN   A       127.0.0.6
    ai         IN   A       127.0.0.1
               IN   AAAA    0:0:0:0:0:0:0:1
    xx         IN   A       127.0.0.1
               IN   AAAA    0:0:0:0:0:0:0:1
    w          IN   A       127.0.0.1
    *.w             MX      10 ai
    x.w             MX      10 xx
    x.y.w           MX      10 xx
If I make a query for RRSIG records, named is returning proper signatures,
for example for the SOA record:
$ dig @127.0.0.1 example rrsig +short
SOA 10 1 3600 20110220123506 20110121113506 51587 example.
cVzWYkeTASPUiHv0DxFXpTsK4G1QkpS3sZ1jXmDCDv+EaYUs2C/kRlD9
<CUT>
Same with AXFR, and same for the zone file.
--
regards
zbigniew jasinski
[SYStem OPerator]
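The diagnostic the thread keeps coming back to is whether the server's signatures are present and current. With 'auto-dnssec maintain' named is expected to re-sign before RRSIGs expire, so a cheap way to tell "maintenance is not happening" apart from "the zone was signed once" is to parse the `dig ... rrsig +short` output and watch whether the inception/expiration window keeps moving. The script below is an added example and not code from the post or from BIND; it parses RRSIG rdata in presentation format (RFC 4034 section 3.2) and classifies each signature against a reference time. The sample input is constructed from the SOA RRSIG fields shown in the post (algorithm 10, key tag 51587, the dated window); the base64 signature blob is truncated in the post, so a labelled placeholder stands in for it, and the parser never validates the signature itself.

```python
"""Classify RRSIG records from `dig <zone> rrsig +short` output by validity window.

Added example (not from the post or from BIND). Only the presentation-format
fields are parsed; the cryptographic signature is not checked here.
"""
from __future__ import annotations

import datetime as dt
from dataclasses import dataclass

# Constructed sample: the field values are the ones shown in the post, the
# signature blob there is cut off so a placeholder stands in for the rest.
SAMPLE_DIG_SHORT = """\
SOA 10 1 3600 20110220123506 20110121113506 51587 example. cVzWYkeTASPUiHv0DxFXpTsK4G1QkpS3sZ1jXmDCDv+EaYUs2C/kRlD9 PLACEHOLDERbase64==
"""

UTC = dt.timezone.utc


@dataclass
class Rrsig:
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: dt.datetime
    inception: dt.datetime
    key_tag: int
    signer: str
    signature: str


def _parse_ts(s: str) -> dt.datetime:
    # RRSIG presentation format writes timestamps as YYYYMMDDHHmmSS in UTC.
    return dt.datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=UTC)


def parse_rrsig(line: str) -> Rrsig:
    """Parse one line of `dig +short` RRSIG rdata."""
    fields = line.split()
    if len(fields) < 9:
        raise ValueError(f"not an RRSIG rdata line: {line!r}")
    return Rrsig(
        type_covered=fields[0],
        algorithm=int(fields[1]),
        labels=int(fields[2]),
        original_ttl=int(fields[3]),
        expiration=_parse_ts(fields[4]),
        inception=_parse_ts(fields[5]),
        key_tag=int(fields[6]),
        signer=fields[7].rstrip("."),
        # dig prints long base64 as space-separated chunks; join them back.
        signature="".join(fields[8:]),
    )


def parse_dig_short(text: str) -> list[Rrsig]:
    return [parse_rrsig(line) for line in text.splitlines() if line.strip()]


def signature_status(sig: Rrsig, now: dt.datetime, warn_days: float = 7.0) -> str:
    """'not-yet-valid', 'expired', 'expiring' (within warn_days) or 'ok'."""
    if now < sig.inception:
        return "not-yet-valid"
    if now >= sig.expiration:
        return "expired"
    if sig.expiration - now <= dt.timedelta(days=warn_days):
        return "expiring"
    return "ok"


def validity_window_days(sig: Rrsig) -> float:
    """Length of the inception..expiration window in days."""
    return (sig.expiration - sig.inception).total_seconds() / 86400


def report(text: str, now: dt.datetime) -> list[tuple[str, int, str]]:
    """(type covered, key tag, status) for every RRSIG in the dig output."""
    return [(s.type_covered, s.key_tag, signature_status(s, now))
            for s in parse_dig_short(text)]


if __name__ == "__main__":
    # Reference time: the date of the post.
    now = dt.datetime(2011, 1, 21, 13, 5, 30, tzinfo=UTC)
    for type_covered, key_tag, status in report(SAMPLE_DIG_SHORT, now):
        print(f"{type_covered:6} keytag={key_tag} status={status}")
```

Run it periodically against fresh `dig @server <zone> rrsig +short` output: with working automatic maintenance the inception field advances on each re-sign and nothing ever reaches 'expiring'; if the same window keeps ageing, the zone was signed once but is not being maintained.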