Testing RFC 5011 key roll

Edward Lewis edward.lewis at icann.org
Fri Apr 17 14:46:16 UTC 2015


I am building named and unbound recursive servers to follow a test of RFC
5011 trust anchor updates; the experiment is documented at
http://keyroll.systems.  One reason why I'm asking here is
http://jpmens.net/2015/01/21/opendnssec-rfc-5011-bind-and-unbound/,
which mentions some issues with RFC 5011 rolls in BIND.

But I bet my problem is that I haven't included yet-another configuration
statement.

I have unbound working, but can't get bind to give me an 'ad' bit, so I'm
certain that the authoritative server side is set up right.

What is puzzling is that I don't see any (relevant) errors when starting
up my named instance.

I'm running named in user space, off port 1053.  So the "permission
denied" parts are acceptable.

$ named -g -c rfc5011.conf
17-Apr-2015 10:17:02.083 starting BIND 9.10.0 -g -c rfc5011.conf
17-Apr-2015 10:17:02.083 built with '--with-openssl=/usr/local/ssl'
'STD_CDEFINES=-DDIG_SIGCHASE=1'
17-Apr-2015 10:17:02.083
----------------------------------------------------
17-Apr-2015 10:17:02.083 BIND 9 is maintained by Internet Systems
Consortium,
17-Apr-2015 10:17:02.083 Inc. (ISC), a non-profit 501(c)(3) public-benefit
17-Apr-2015 10:17:02.083 corporation.  Support and training for BIND 9 are
17-Apr-2015 10:17:02.083 available at https://www.isc.org/support
17-Apr-2015 10:17:02.083
----------------------------------------------------
17-Apr-2015 10:17:02.083 found 4 CPUs, using 4 worker threads
17-Apr-2015 10:17:02.083 using 2 UDP listeners per interface
17-Apr-2015 10:17:02.084 using up to 4096 sockets
17-Apr-2015 10:17:02.091 loading configuration from
'/Users/edwardlewis/Documents/DNS/secure_BIND_resolver/rfc5011.conf'
17-Apr-2015 10:17:02.092 reading built-in trusted keys from file
'/Users/edwardlewis/Documents/DNS/secure_BIND_resolver/test.key'
17-Apr-2015 10:17:02.092 using default UDP/IPv4 port range: [49152, 65535]
17-Apr-2015 10:17:02.092 using default UDP/IPv6 port range: [49152, 65535]
17-Apr-2015 10:17:02.093 listening on IPv6 interfaces, port 53
17-Apr-2015 10:17:02.093 could not listen on UDP socket: permission denied
17-Apr-2015 10:17:02.093 listening on all IPv6 interfaces failed
17-Apr-2015 10:17:02.093 listening on IPv4 interface lo0, 127.0.0.1#1053
17-Apr-2015 10:17:02.094 generating session key for dynamic DNS
17-Apr-2015 10:17:02.094 couldn't mkdir '/var/run/named': Permission denied
17-Apr-2015 10:17:02.094 could not create /var/run/named/session.key
17-Apr-2015 10:17:02.094 failed to generate session key for dynamic DNS:
permission denied
17-Apr-2015 10:17:02.094 sizing zone task pool based on 1 zones
17-Apr-2015 10:17:02.096 using built-in root key for view recursive
17-Apr-2015 10:17:02.097 set up managed keys zone for view recursive, file
'21ce078705d04ca6324c1d0313fc08ea99f3cef6389a6744d40bd2d9d0cd7816.mkeys'
17-Apr-2015 10:17:02.097 automatic empty zone: ...yadda...yadda...yadda...
17-Apr-2015 10:17:02.101 command channel listening on 127.0.0.1#1953
17-Apr-2015 10:17:02.101 not using config file logging statement for
logging due to -g option
17-Apr-2015 10:17:02.101 listening on IPv6 interfaces, port 53
17-Apr-2015 10:17:02.101 could not listen on UDP socket: permission denied
17-Apr-2015 10:17:02.101 listening on all IPv6 interfaces failed
17-Apr-2015 10:17:02.101 managed-keys-zone/recursive: loaded serial 5
17-Apr-2015 10:17:02.112 all zones loaded
17-Apr-2015 10:17:02.112 running

$ cat /Users/edwardlewis/Documents/DNS/secure_BIND_resolver/rfc5011.conf

options
{
	dnssec-enable yes;
	dnssec-validation auto;
	bindkeys-file "/Users/edwardlewis/Documents/DNS/secure_BIND_resolver/test.key";
	pid-file none;
	dump-file "5011logs/cache_dump.db";
	statistics-file "5011logs/named_stats.txt";
	memstatistics-file "5011logs/named.memstats";
	zone-statistics yes;
	hostname "foobar";
	recursion yes;
	notify no;
	auth-nxdomain no;
	listen-on port 1053 { 127.0.0.1; };
};

managed-keys {
.	 initial-key 257 3 8
"AwEAAchoK9nG+mBjR/NZKqez+XYcqoWPL5e0VTreHS3Wi1KmU0Qgsr1N3O9u+McnsUwF/dsSW8
F/h3yXSMAEhS731eFvqxNDkhL8rQUfGBtALB3onTthYM38fk16vki5UsCecbt3uI46lb5cz5Dts
9drW/55OckwnSw4GTwiq2zebO5fo/UZlftpZTsupqgojL1Y3QlqL0LpP+vPIAgBe+OfhVpFPLxT
P6aeKoNviWC0O2CJiVqVZxp9cumjwOnKUvSfHcsl8tcH3cQjmIhQDDw+Z109J9ly+QcL6RUdHo9
m/TyKL04dQulKBAmgWanAQ0CF7zwhIiUxkxTsUtMTRMuXWcM=";
};

view "recursive" IN {
    match-clients { any; };
    allow-query   { any; };
    recursion yes;

    allow-recursion { any; };

    // prime the server with the RFC5011 Key roll server.
    zone "." {
       type hint;
       file "keyroller-db.root";
    };    

};  // End of recursive view.

$ cat /Users/edwardlewis/Documents/DNS/secure_BIND_resolver/test.key

managed-keys {
	. initial-key 257 3 8
"AwEAAchoK9nG+mBjR/NZKqez+XYcqoWPL5e0VTreHS3Wi1KmU0Qgsr1N3O9u+McnsUwF/dsSW8
F/h3yXSMAEhS731eFvqxNDkhL8rQUfGBtALB3onTthYM38fk16vki5UsCecbt3uI46lb5cz5Dts
9drW/55OckwnSw4GTwiq2zebO5fo/UZlftpZTsupqgojL1Y3QlqL0LpP+vPIAgBe+OfhVpFPLxT
P6aeKoNviWC0O2CJiVqVZxp9cumjwOnKUvSfHcsl8tcH3cQjmIhQDDw+Z109J9ly+QcL6RUdHo9
m/TyKL04dQulKBAmgWanAQ0CF7zwhIiUxkxTsUtMTRMuXWcM=";
};
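A check a reader reproducing this setup may want, added here as an example (not code from the post, BIND or keyroll.systems): it parses the `initial-key` entry quoted above, computes its RFC 4034 key tag and reports the SEP and RFC 5011 REVOKE flag bits, so the anchor BIND was configured with can be compared against the key tags the test root zone actually serves in its DNSKEY RRset. The parser, its regular expression and the constructed test keys are assumptions of this example; only the key material is taken from the post.

```python
import base64
import re

SEP_FLAG = 0x0001     # Secure Entry Point bit (RFC 4034); 257 = ZONE(256) | SEP(1)
REVOKE_FLAG = 0x0080  # RFC 5011 section 2.1: bit 8 of the DNSKEY Flags field

# Trust anchor copied from the managed-keys statement in the post above.
ANCHOR_TEXT = """managed-keys {
    . initial-key 257 3 8
"AwEAAchoK9nG+mBjR/NZKqez+XYcqoWPL5e0VTreHS3Wi1KmU0Qgsr1N3O9u+McnsUwF/dsSW8
F/h3yXSMAEhS731eFvqxNDkhL8rQUfGBtALB3onTthYM38fk16vki5UsCecbt3uI46lb5cz5Dts
9drW/55OckwnSw4GTwiq2zebO5fo/UZlftpZTsupqgojL1Y3QlqL0LpP+vPIAgBe+OfhVpFPLxT
P6aeKoNviWC0O2CJiVqVZxp9cumjwOnKUvSfHcsl8tcH3cQjmIhQDDw+Z109J9ly+QcL6RUdHo9
m/TyKL04dQulKBAmgWanAQ0CF7zwhIiUxkxTsUtMTRMuXWcM=";
};"""

def parse_initial_key(text):
    """(name, flags, protocol, algorithm, key) of the first initial-key entry (hypothetical helper)."""
    m = re.search(r'(\S+)\s+initial-key\s+(\d+)\s+(\d+)\s+(\d+)\s*"([^"]+)"', text)
    if not m:
        raise ValueError("no initial-key entry found")
    name, flags, proto, alg, b64 = m.groups()
    key = base64.b64decode("".join(b64.split()))  # undo the mailer's line wraps
    return name, int(flags), int(proto), int(alg), key

def key_tag(flags, proto, alg, key):
    """Key tag per RFC 4034 Appendix B over the DNSKEY RDATA wire form."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def describe_anchor(text):
    """Summarise the configured anchor for comparison with the served DNSKEY RRset."""
    name, flags, proto, alg, key = parse_initial_key(text)
    return {
        "name": name, "algorithm": alg,
        "is_sep": bool(flags & SEP_FLAG), "is_revoked": bool(flags & REVOKE_FLAG),
        "key_tag": key_tag(flags, proto, alg, key),
        # Setting the REVOKE bit changes the flags, so a revoked copy of the
        # same key carries a different tag: match on the whole RR, not the tag.
        "key_tag_if_revoked": key_tag(flags | REVOKE_FLAG, proto, alg, key),
    }

if __name__ == "__main__":
    print(describe_anchor(ANCHOR_TEXT))
```

Compare the reported tag with `dig @127.0.0.1 -p 1053 . DNSKEY +multi` (which prints key tags) to confirm the configured anchor is one of the keys the resolver is being primed with.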