Stop of logging of No Valid Signature Found

Robert Moskowitz rgm at htt-consult.com
Tue Feb 26 04:25:19 UTC 2013


On 02/25/2013 09:36 PM, Mark Andrews wrote:
> In message <512C18EB.2050304 at htt-consult.com>, Robert Moskowitz writes:
>> On 02/25/2013 08:38 PM, Mark Andrews wrote:
>>> In message <512C1009.4060404 at htt-consult.com>, Robert Moskowitz writes:
>>>>>>>>        dnssec-enable yes;
>>>>>>>>        dnssec-validation yes;
>>>>>> digging back in the archive here, I find out this should be
>>>>>>
>>>>>>         dnssec-validation auto;
>>>>> Actually it can be either.  It's all a matter of how you want to
>>>>> setup your trust anchors.  For private root zones it is absolutely
>>>>> the wrong thing to do.
>>>> I got this from some old messages from you on the subject of "no valid
>>>> signature".
>>>>
>>>> Perhaps tying into my using the builtin root hints rather than
>>>> explicitly including a root.hint stub?
>>>>
>>>> Like the other person, once I changed from 'yes' to 'auto' I stopped
>>>> logging these messages so I ASSuME that now all those zones are being
>>>> validated.
>>>>
>>>> No private root zones here.  At least that I know of!
>>> dnssec-validation auto; adds an implicit managed-keys clause for the
>>> root.  If you just do dnssec-validation yes; you need to add an
>>> explicit trusted-keys / managed-keys clause.
>>>
>>> managed-keys {
>>>           . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOy
>>> QbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVP
>>> QuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apA
>>> zvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ
>>> 57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
>>> };
>> Yes, I wondered about this as I have the include:
>>
>>       bindkeys-file "/etc/named.iscdlv.key";
>>
>> which contains:
>>
>> managed-keys {
>>       # ISC DLV: See https://www.isc.org/solutions/dlv for details.
>>           # NOTE: This key is activated by setting "dnssec-lookaside auto;"
>>           # in named.conf.
>>       dlv.isc.org. initial-key 257 3 5
>> "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
>>           brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
>>           1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
>>           ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
>>           Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
>>           QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
>>           TDN0YUuWrBNh";
>>
>>       # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
>>       # for current trust anchor information.
>>           # NOTE: This key is activated by setting "dnssec-validation auto;"
>>           # in named.conf.
>>       . initial-key 257 3 8
>> "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
>>           FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
>>           bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
>>           X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
>>           W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
>>           Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
>>           QxA+Uk1ihz0=";
>> };
>>
>> So why did this not work?
> Because it is only processed in the "auto" cases and only the appropriate
> trusted keys are extracted.
>
> 	bindkeys-file "/etc/named.iscdlv.key";
>
> is not the same as
> 	
> 	include "/etc/named.iscdlv.key";

Oops.  That's what I get for copying the DNSSEC 'stuff' from the default 
named.conf supplied by RHEL/Centos which looks like it is for a caching 
server.

So should I change this to an include and put dnssec-validation back to yes?

>   
>>> If you have islands of trust you will need to have managed/trusted
>>> keys for them.  It is also a good idea to have managed/trusted keys
>>> for your internal zones so you are not dependent on external zones
>>> for internal lookups when your internet connection goes down.
>> I know I need to tackle my internal view.  After I put up the new
>> server, I built a test server for only a few internal systems to use.  I
>> will work on my internal view there, and then bring that over to my main
>> server.
>>
>> One step at a time.  Or maybe two or three?

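The point of the exchange above, as an added illustration that is not part of the thread or of ISC's own documentation: named.conf variants for a validating resolver. Variant 1 is the configuration that produced the "no valid signature found" messages; variants 2 and 3 are the two fixes Mark describes. The paths follow the RHEL/CentOS layout quoted in the thread; the internal zone name and its key string in variant 4 are placeholders, not real key material. Use one options block at a time; they are shown together only for comparison.

```conf
// Added example, not taken from the thread.  Each numbered block is a
// separate alternative; a real named.conf has exactly one options {} clause.

// 1. What the thread started with.  'dnssec-validation yes' means
//    "validate using the trust anchors configured in named.conf", and
//    bindkeys-file is only consulted when validation is 'auto', so no
//    trust anchor is ever loaded and nothing validates.
options {
    dnssec-enable yes;
    dnssec-validation yes;
    bindkeys-file "/etc/named.iscdlv.key";    // ignored with 'yes'
};

// 2. Fix A: let named extract the root trust anchor from bindkeys-file.
//    Only the root key ('.' initial-key) is taken from the file; the
//    dlv.isc.org. key in it is used only if dnssec-lookaside auto is set.
options {
    dnssec-enable yes;
    dnssec-validation auto;
    bindkeys-file "/etc/named.iscdlv.key";
};

// 3. Fix B: keep 'yes' and supply the managed-keys clause yourself.
//    'include' splices the file in verbatim, so every key in it becomes
//    a trust anchor for the zone it names.
options {
    dnssec-enable yes;
    dnssec-validation yes;
};
include "/etc/named.iscdlv.key";

// 4. Islands of trust (internal zones signed with a KSK that is not
//    reachable from the root chain): add their keys explicitly in either
//    variant, so internal names still validate when the Internet link is
//    down.  "internal.example." and the quoted string are placeholders.
managed-keys {
    internal.example. initial-key 257 3 8 "<base64 of the internal KSK>";
};
```

To confirm which anchors named actually loaded after a reload, `rndc secroots` writes the configured trust anchors to named.secroots; a query such as `dig +dnssec @127.0.0.1 isc.org A` should then carry the `ad` flag in its response header. Two caveats beyond the 2013 thread: managed-keys entries are maintained per RFC 5011, so a resolver that kept running through the 2018 root KSK rollover tracked it automatically, whereas a trusted-keys clause pinning the old key would not; and ISC decommissioned the DLV registry in 2017, so `dnssec-lookaside auto;` and the dlv.isc.org. key are dead weight in a current configuration.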



More information about the bind-users mailing list