Testing RFC 5011 key roll
Edward Lewis
edward.lewis at icann.org
Fri Apr 17 14:46:16 UTC 2015
I am building named and unbound recursive servers to follow a test of RFC 5011 trust anchor updates; the experiment is documented at http://keyroll.systems. One reason why I'm asking here is http://jpmens.net/2015/01/21/opendnssec-rfc-5011-bind-and-unbound/, which mentions some issues with RFC 5011 rolls in BIND. But I bet my problem is that I haven't included yet another configuration statement.

I have unbound working, but can't get bind to give me an 'ad' bit, so I'm certain that the authoritative server side is set up right.

What is puzzling is that I don't see any (relevant) errors when starting up my named instance.

I'm running named in user space, off port 1053. So the "permission denied" parts are acceptable.
$ named -g -c rfc5011.conf
17-Apr-2015 10:17:02.083 starting BIND 9.10.0 -g -c rfc5011.conf
17-Apr-2015 10:17:02.083 built with '--with-openssl=/usr/local/ssl' 'STD_CDEFINES=-DDIG_SIGCHASE=1'
17-Apr-2015 10:17:02.083 ----------------------------------------------------
17-Apr-2015 10:17:02.083 BIND 9 is maintained by Internet Systems Consortium,
17-Apr-2015 10:17:02.083 Inc. (ISC), a non-profit 501(c)(3) public-benefit
17-Apr-2015 10:17:02.083 corporation. Support and training for BIND 9 are
17-Apr-2015 10:17:02.083 available at https://www.isc.org/support
17-Apr-2015 10:17:02.083 ----------------------------------------------------
17-Apr-2015 10:17:02.083 found 4 CPUs, using 4 worker threads
17-Apr-2015 10:17:02.083 using 2 UDP listeners per interface
17-Apr-2015 10:17:02.084 using up to 4096 sockets
17-Apr-2015 10:17:02.091 loading configuration from '/Users/edwardlewis/Documents/DNS/secure_BIND_resolver/rfc5011.conf'
17-Apr-2015 10:17:02.092 reading built-in trusted keys from file '/Users/edwardlewis/Documents/DNS/secure_BIND_resolver/test.key'
17-Apr-2015 10:17:02.092 using default UDP/IPv4 port range: [49152, 65535]
17-Apr-2015 10:17:02.092 using default UDP/IPv6 port range: [49152, 65535]
17-Apr-2015 10:17:02.093 listening on IPv6 interfaces, port 53
17-Apr-2015 10:17:02.093 could not listen on UDP socket: permission denied
17-Apr-2015 10:17:02.093 listening on all IPv6 interfaces failed
17-Apr-2015 10:17:02.093 listening on IPv4 interface lo0, 127.0.0.1#1053
17-Apr-2015 10:17:02.094 generating session key for dynamic DNS
17-Apr-2015 10:17:02.094 couldn't mkdir '/var/run/named': Permission denied
17-Apr-2015 10:17:02.094 could not create /var/run/named/session.key
17-Apr-2015 10:17:02.094 failed to generate session key for dynamic DNS: permission denied
17-Apr-2015 10:17:02.094 sizing zone task pool based on 1 zones
17-Apr-2015 10:17:02.096 using built-in root key for view recursive
17-Apr-2015 10:17:02.097 set up managed keys zone for view recursive, file '21ce078705d04ca6324c1d0313fc08ea99f3cef6389a6744d40bd2d9d0cd7816.mkeys'
17-Apr-2015 10:17:02.097 automatic empty zone: ...yadda...yadda...yadda...
17-Apr-2015 10:17:02.101 command channel listening on 127.0.0.1#1953
17-Apr-2015 10:17:02.101 not using config file logging statement for logging due to -g option
17-Apr-2015 10:17:02.101 listening on IPv6 interfaces, port 53
17-Apr-2015 10:17:02.101 could not listen on UDP socket: permission denied
17-Apr-2015 10:17:02.101 listening on all IPv6 interfaces failed
17-Apr-2015 10:17:02.101 managed-keys-zone/recursive: loaded serial 5
17-Apr-2015 10:17:02.112 all zones loaded
17-Apr-2015 10:17:02.112 running
$ cat /Users/edwardlewis/Documents/DNS/secure_BIND_resolver/rfc5011.conf
options
{
    dnssec-enable yes;
    dnssec-validation auto;
    bindkeys-file "/Users/edwardlewis/Documents/DNS/secure_BIND_resolver/test.key";
    pid-file none;
    dump-file "5011logs/cache_dump.db";
    statistics-file "5011logs/named_stats.txt";
    memstatistics-file "5011logs/named.memstats";
    zone-statistics yes;
    hostname "foobar";
    recursion yes;
    notify no;
    auth-nxdomain no;
    listen-on port 1053 { 127.0.0.1; };
};

managed-keys {
    . initial-key 257 3 8
    "AwEAAchoK9nG+mBjR/NZKqez+XYcqoWPL5e0VTreHS3Wi1KmU0Qgsr1N3O9u+McnsUwF/dsSW8
    F/h3yXSMAEhS731eFvqxNDkhL8rQUfGBtALB3onTthYM38fk16vki5UsCecbt3uI46lb5cz5Dts
    9drW/55OckwnSw4GTwiq2zebO5fo/UZlftpZTsupqgojL1Y3QlqL0LpP+vPIAgBe+OfhVpFPLxT
    P6aeKoNviWC0O2CJiVqVZxp9cumjwOnKUvSfHcsl8tcH3cQjmIhQDDw+Z109J9ly+QcL6RUdHo9
    m/TyKL04dQulKBAmgWanAQ0CF7zwhIiUxkxTsUtMTRMuXWcM=";
};

view "recursive" IN {
    match-clients { any; };
    allow-query { any; };
    recursion yes;
    allow-recursion { any; };
    // prime the server with the RFC5011 Key roll server.
    zone "." {
        type hint;
        file "keyroller-db.root";
    };
}; // End of recursive view.

$ cat /Users/edwardlewis/Documents/DNS/secure_BIND_resolver/test.key
managed-keys {
    . initial-key 257 3 8
    "AwEAAchoK9nG+mBjR/NZKqez+XYcqoWPL5e0VTreHS3Wi1KmU0Qgsr1N3O9u+McnsUwF/dsSW8
    F/h3yXSMAEhS731eFvqxNDkhL8rQUfGBtALB3onTthYM38fk16vki5UsCecbt3uI46lb5cz5Dts
    9drW/55OckwnSw4GTwiq2zebO5fo/UZlftpZTsupqgojL1Y3QlqL0LpP+vPIAgBe+OfhVpFPLxT
    P6aeKoNviWC0O2CJiVqVZxp9cumjwOnKUvSfHcsl8tcH3cQjmIhQDDw+Z109J9ly+QcL6RUdHo9
    m/TyKL04dQulKBAmgWanAQ0CF7zwhIiUxkxTsUtMTRMuXWcM=";
};
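An added check, not part of the original post and not BIND's own code: it parses the `initial-key` trust anchor exactly as it appears in the posted rfc5011.conf, computes its RFC 4034 key tag and SHA-256 DS digest, decodes the flag bits (including the RFC 5011 REVOKE bit), and reads out the RSA exponent and modulus size, so that the anchor named has been told to trust can be compared against the DNSKEY RRset the keyroll server publishes. Standard-library Python only; the constant names are the example's own.

```python
import base64
import hashlib
import struct

# Trust anchor as it appears in the posted rfc5011.conf / test.key:
# flags 257, protocol 3, algorithm 8 (RSASHA256), base64 public key.
ANCHOR_FLAGS, ANCHOR_PROTOCOL, ANCHOR_ALGORITHM = 257, 3, 8
ANCHOR_PUBKEY_B64 = (
    "AwEAAchoK9nG+mBjR/NZKqez+XYcqoWPL5e0VTreHS3Wi1KmU0Qgsr1N3O9u+McnsUwF/dsSW8"
    "F/h3yXSMAEhS731eFvqxNDkhL8rQUfGBtALB3onTthYM38fk16vki5UsCecbt3uI46lb5cz5Dts"
    "9drW/55OckwnSw4GTwiq2zebO5fo/UZlftpZTsupqgojL1Y3QlqL0LpP+vPIAgBe+OfhVpFPLxT"
    "P6aeKoNviWC0O2CJiVqVZxp9cumjwOnKUvSfHcsl8tcH3cQjmIhQDDw+Z109J9ly+QcL6RUdHo9"
    "m/TyKL04dQulKBAmgWanAQ0CF7zwhIiUxkxTsUtMTRMuXWcM="
)

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit sum over the RDATA with the carry folded in."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def rsa_public_params(pubkey_b64):
    """Split an RFC 3110 RSA public key field into (exponent, modulus bit length)."""
    key = base64.b64decode(pubkey_b64)
    exp_len, off = key[0], 1
    if exp_len == 0:  # long form: exponent length is the next two bytes
        exp_len, off = struct.unpack("!H", key[1:3])[0], 3
    exponent = int.from_bytes(key[off:off + exp_len], "big")
    return exponent, int.from_bytes(key[off + exp_len:], "big").bit_length()

def describe_anchor(flags=ANCHOR_FLAGS, protocol=ANCHOR_PROTOCOL,
                    algorithm=ANCHOR_ALGORITHM, pubkey_b64=ANCHOR_PUBKEY_B64):
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    exponent, bits = rsa_public_params(pubkey_b64)
    return {
        "key_tag": key_tag(rdata),
        "zone_key": bool(flags & 0x0100),  # bit 7: ZONE
        "revoked": bool(flags & 0x0080),   # bit 8: REVOKE (RFC 5011)
        "sep": bool(flags & 0x0001),       # bit 15: SEP, expected on a trust anchor
        "exponent": exponent,
        "modulus_bits": bits,
        # DS digest type 2: SHA-256 over owner name (root "." is one zero byte) + RDATA.
        "ds_sha256": hashlib.sha256(b"\x00" + rdata).hexdigest().upper(),
    }
```

The key tag and DS digest should match what `dnssec-dsfromkey -2` prints for the same DNSKEY and the tag the keyroll server's DNSKEY RRset carries; a 385 in the flags field of a later key means REVOKE has been set and the anchor is on its way out.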