Testing RFC 5011 key roll

Edward Lewis edward.lewis at icann.org
Mon Apr 20 18:42:42 UTC 2015


Thanks to Evan for the last look and thanks to Jan-Piet for the suggestion
to go to 9.10.2.

Being that I'm working on a laptop (hence not on over the weekend) I've had
to recreate the environment today.  I'm a bit more puzzled now.

I've built and installed BIND 9.10.2.  Using http://keyroll.systems,
there's a page showing the BIND config and it seems to have the current
key there.  (I thought the page was static.)  I guess I'm just a bit
surprised, anyway, I have that key in place.

And - I've also updated my unbound, I do get an 'ad' bit for "./IN/SOA".
(I need to figure out why I needed to update unbound - perhaps it is that
I'm on a laptop and not a 24x7 machine, but I can get it to validate.)

Ugly details below:

This time I do see an error upon startup:

$ named -g -c rfc5011.conf
20-Apr-2015 14:34:18.432 starting BIND 9.10.2 -g -c rfc5011.conf
20-Apr-2015 14:34:18.432 built with '--with-openssl=/usr/local/ssl' 'STD_CDEFINES=-DDIG_SIGCHASE=1'
20-Apr-2015 14:34:18.432 ----------------------------------------------------
20-Apr-2015 14:34:18.432 BIND 9 is maintained by Internet Systems Consortium,
20-Apr-2015 14:34:18.432 Inc. (ISC), a non-profit 501(c)(3) public-benefit
20-Apr-2015 14:34:18.432 corporation.  Support and training for BIND 9 are
20-Apr-2015 14:34:18.432 available at https://www.isc.org/support
20-Apr-2015 14:34:18.432 ----------------------------------------------------
20-Apr-2015 14:34:18.432 found 4 CPUs, using 4 worker threads
20-Apr-2015 14:34:18.432 using 2 UDP listeners per interface
20-Apr-2015 14:34:18.433 using up to 4096 sockets
20-Apr-2015 14:34:18.439 loading configuration from '/Users/edwardlewis/Documents/DNS/secure_BIND_resolver/rfc5011.conf'
20-Apr-2015 14:34:18.439 reading built-in trusted keys from file '/etc/bind.keys'
20-Apr-2015 14:34:18.439 using default UDP/IPv4 port range: [49152, 65535]
20-Apr-2015 14:34:18.440 using default UDP/IPv6 port range: [49152, 65535]
20-Apr-2015 14:34:18.440 listening on IPv6 interface lo0, ::1#1053
20-Apr-2015 14:34:18.442 listening on IPv4 interface lo0, 127.0.0.1#1053
20-Apr-2015 14:34:18.442 generating session key for dynamic DNS
20-Apr-2015 14:34:18.443 sizing zone task pool based on 1 zones
20-Apr-2015 14:34:18.445 set up managed keys zone for view recursive, file '21ce078705d04ca6324c1d0313fc08ea99f3cef6389a6744d40bd2d9d0cd7816.mkeys'
20-Apr-2015 14:34:18.445 automatic empty zone: view recursive: 10.IN-ADDR.ARPA...yadda...yadda...yadda...
20-Apr-2015 14:34:18.449 command channel listening on 127.0.0.1#1953
20-Apr-2015 14:34:18.449 not using config file logging statement for logging due to -g option
20-Apr-2015 14:34:18.449 managed-keys-zone/recursive: loaded serial 3
20-Apr-2015 14:34:18.460 all zones loaded
20-Apr-2015 14:34:18.460 running
20-Apr-2015 14:34:18.554 validating ./DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
20-Apr-2015 14:34:18.554 no valid KEY resolving './DNSKEY/IN': 204.42.252.20#53
20-Apr-2015 14:34:18.554 broken trust chain resolving './NS/IN': 204.42.252.20#53

My rfc5011.conf file is:

$ cat rfc5011.conf 
options
{
	dnssec-enable yes;
	dnssec-validation yes;
	pid-file none;
	session-keyfile "session.key";
	notify no;
	listen-on port 1053 { 127.0.0.1; };
	listen-on-v6 port 1053 { ::1; };
};

key "rndc-key"
{
      algorithm hmac-md5;
      secret "cuxAvCYntho2ia6jhDM4yw==";
};

controls
{
      inet 127.0.0.1 port 1953
              allow { 127.0.0.1; } keys { "rndc-key"; };
};

managed-keys {
      . initial-key 257 3 8
"AwEAAaTCfs92ag0oZpg/uzN7NcN2aIXZxR7Q1XOin8eEei+QPR0dXrI7
DskSUNVBsHMS6piMCTQRqFHq1TwY19tWiJJf0meZWRMWTOrzyFd/Tioa
KwWTga0bNN09dciQmNxJyfnHDNfqJ8k3LeQz8WHQzc9QC0x8cOmT1IG7
yn+0S6QFl4/G6uwBxJ3ejxdiygJQKa8i3YAv3EEKP066YuRki5h1yz93
P9UEyU2E2MOByqMJtgpaBPbOX5riTdaTu5gXKnoJyag//545+Z43+Y6u
+wQzfnFFhWHzQiH8Yl3y4qNuBVXSvlmg9XU4LhT7EqTA+v5v/O2Humkm
KqetoGkEbJ0=";
};

view "recursive" IN {
    match-clients { any; };
    allow-query   { any; };
    recursion yes;

    allow-recursion { any; };

    // prime the server with the RFC5011 Key roll server.
    zone "." {
       type hint;
       file "keyroller-db.root";
    };    

};  // End of recursive view.


The current dig "fake-. dnskey" is:


$ dig @204.42.252.20 . dnskey

; <<>> DiG 9.10.2 <<>> @204.42.252.20 . dnskey
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16270
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.				IN	DNSKEY

;; ANSWER SECTION:
.			3600	IN	DNSKEY	385 3 8
AwEAAb1tBF4Fbnx8Wx4dDpoMbeKpId70bZyWRzz07uORb5ZrbgQfy8u1
sFH9k3kNsisc09CoG/aSGIsrEz0OueGHFDbwSWdaIwVFIpNRBwGQjbvf
pzod0HTfSo2Ka7oFBuc7Sm5CSjbxcXJ28FW9BCn/SboI1bw08R322rEy
oA1rwc8tDpyApUXP57fufe8Gd6X+nsT0ET+gUaGXx5R/zuusbfsXGrMp
d3GM2A1yDVylHs113W1C9xA2XW+BKtIlUWBoCwGuOQtbXEa5R0Q70LTN
MuV+EZqjo0Ko34qNQGKvOVOkUAVNc5IsQjrub6BJ2fCylcq/UmhdbUSY nlwkXjOZrNk=
.			3600	IN	DNSKEY	256 3 8
AwEAAbe3RGCTHgumosDsXiQ3YLSEfuEMYx6PuXV4zAt4UiT60YTzUWRe
g5sfNSmPJsGvgiF6ge2rJpU3TdegFe06QWt3C3ZCVDL6RdCblbyPa9nH
QxurAn6lXmRz7wLETJ0l8EIyWsAC7kHkIIrE1g2LzbxdIBZbLfVAsMq2
HCL57eu+6O4tepDMHqODEaMMCi0aZqzJo/J+wtz+yr9JuDcHgimeAE+F
gpKzN6PBYzvvNEFjW0jOtfmLC1Gwmu4TgipYdZV/zUPFrLmGPRJpc8HW
NEyuZgAArqUzwNzGG7s7fFonRvcmWJRX98vN/LNH/bneKiMFIKEChxM7 LxUfhWbSgv8=
.			3600	IN	DNSKEY	257 3 8
AwEAAaTCfs92ag0oZpg/uzN7NcN2aIXZxR7Q1XOin8eEei+QPR0dXrI7
DskSUNVBsHMS6piMCTQRqFHq1TwY19tWiJJf0meZWRMWTOrzyFd/Tioa
KwWTga0bNN09dciQmNxJyfnHDNfqJ8k3LeQz8WHQzc9QC0x8cOmT1IG7
yn+0S6QFl4/G6uwBxJ3ejxdiygJQKa8i3YAv3EEKP066YuRki5h1yz93
P9UEyU2E2MOByqMJtgpaBPbOX5riTdaTu5gXKnoJyag//545+Z43+Y6u
+wQzfnFFhWHzQiH8Yl3y4qNuBVXSvlmg9XU4LhT7EqTA+v5v/O2Humkm KqetoGkEbJ0=
.			3600	IN	DNSKEY	257 3 8
AwEAAcmhtOXL8JnuQfDX2qXxUsgHRtjYZo2SOu9JYtYpK8VpI1kBohWO
ns4fVXVyAnxQIfLBgt0zaeMiom7W03BjrAD8WX1nbKF+8MeFFrtNimGL
uwmBtEPhyWAQcp+fMWEOJaLLfbfp3wUaAhwbTOnWDco5L/BMsQSgR3js
a+qqSUdbtoEiQrMcmH526CxG87b1Xo/YIS5LdIbTrlXwfHYhodjv7uYv
DursdjEF/f6GNMy8VDZ6ow3jjgXzAgsPQDnPu7otAta6BpKXQyAd5eVf
8QxhM3rhOQr8x/bb7Md/VAiqBUu00KnCqpXK3TIrTvdO7n192GgyoZw6 tdSFn7ejzDM=

;; Query time: 45 msec
;; SERVER: 204.42.252.20#53(204.42.252.20)
;; WHEN: Mon Apr 20 14:36:41 EDT 2015
;; MSG SIZE  rcvd: 1128
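As an added example (not part of the original post, and not BIND or dig code), here is a Python script that takes the configured initial-key and the four DNSKEY records from the dig answer above, decodes each key's flags field in RFC 5011 terms (the 385 key is 256+128+1, i.e. a SEP key with the REVOKE bit set), computes RFC 4034 key tags, and reports which published key matches the configured trust anchor. It deliberately matches on key material rather than on key tag, because setting the REVOKE bit changes the tag. It does not check RRSIGs, since the dig above was run without +dnssec.

```python
import base64
import re

# Flag bits of the DNSKEY flags field (RFC 4034 section 2.1, RFC 5011 section 2.1).
ZONE, REVOKE, SEP = 0x0100, 0x0080, 0x0001

# Constructed sample: the managed-keys initial-key and the four DNSKEY records
# from the dig output above, with each record re-joined onto one line.
CONFIGURED = "257 3 8 AwEAAaTCfs92ag0oZpg/uzN7NcN2aIXZxR7Q1XOin8eEei+QPR0dXrI7 DskSUNVBsHMS6piMCTQRqFHq1TwY19tWiJJf0meZWRMWTOrzyFd/Tioa KwWTga0bNN09dciQmNxJyfnHDNfqJ8k3LeQz8WHQzc9QC0x8cOmT1IG7 yn+0S6QFl4/G6uwBxJ3ejxdiygJQKa8i3YAv3EEKP066YuRki5h1yz93 P9UEyU2E2MOByqMJtgpaBPbOX5riTdaTu5gXKnoJyag//545+Z43+Y6u +wQzfnFFhWHzQiH8Yl3y4qNuBVXSvlmg9XU4LhT7EqTA+v5v/O2Humkm KqetoGkEbJ0="
DIG_ANSWER = """\
. 3600 IN DNSKEY 385 3 8 AwEAAb1tBF4Fbnx8Wx4dDpoMbeKpId70bZyWRzz07uORb5ZrbgQfy8u1 sFH9k3kNsisc09CoG/aSGIsrEz0OueGHFDbwSWdaIwVFIpNRBwGQjbvf pzod0HTfSo2Ka7oFBuc7Sm5CSjbxcXJ28FW9BCn/SboI1bw08R322rEy oA1rwc8tDpyApUXP57fufe8Gd6X+nsT0ET+gUaGXx5R/zuusbfsXGrMp d3GM2A1yDVylHs113W1C9xA2XW+BKtIlUWBoCwGuOQtbXEa5R0Q70LTN MuV+EZqjo0Ko34qNQGKvOVOkUAVNc5IsQjrub6BJ2fCylcq/UmhdbUSY nlwkXjOZrNk=
. 3600 IN DNSKEY 256 3 8 AwEAAbe3RGCTHgumosDsXiQ3YLSEfuEMYx6PuXV4zAt4UiT60YTzUWRe g5sfNSmPJsGvgiF6ge2rJpU3TdegFe06QWt3C3ZCVDL6RdCblbyPa9nH QxurAn6lXmRz7wLETJ0l8EIyWsAC7kHkIIrE1g2LzbxdIBZbLfVAsMq2 HCL57eu+6O4tepDMHqODEaMMCi0aZqzJo/J+wtz+yr9JuDcHgimeAE+F gpKzN6PBYzvvNEFjW0jOtfmLC1Gwmu4TgipYdZV/zUPFrLmGPRJpc8HW NEyuZgAArqUzwNzGG7s7fFonRvcmWJRX98vN/LNH/bneKiMFIKEChxM7 LxUfhWbSgv8=
. 3600 IN DNSKEY 257 3 8 AwEAAaTCfs92ag0oZpg/uzN7NcN2aIXZxR7Q1XOin8eEei+QPR0dXrI7 DskSUNVBsHMS6piMCTQRqFHq1TwY19tWiJJf0meZWRMWTOrzyFd/Tioa KwWTga0bNN09dciQmNxJyfnHDNfqJ8k3LeQz8WHQzc9QC0x8cOmT1IG7 yn+0S6QFl4/G6uwBxJ3ejxdiygJQKa8i3YAv3EEKP066YuRki5h1yz93 P9UEyU2E2MOByqMJtgpaBPbOX5riTdaTu5gXKnoJyag//545+Z43+Y6u +wQzfnFFhWHzQiH8Yl3y4qNuBVXSvlmg9XU4LhT7EqTA+v5v/O2Humkm KqetoGkEbJ0=
. 3600 IN DNSKEY 257 3 8 AwEAAcmhtOXL8JnuQfDX2qXxUsgHRtjYZo2SOu9JYtYpK8VpI1kBohWO ns4fVXVyAnxQIfLBgt0zaeMiom7W03BjrAD8WX1nbKF+8MeFFrtNimGL uwmBtEPhyWAQcp+fMWEOJaLLfbfp3wUaAhwbTOnWDco5L/BMsQSgR3js a+qqSUdbtoEiQrMcmH526CxG87b1Xo/YIS5LdIbTrlXwfHYhodjv7uYv DursdjEF/f6GNMy8VDZ6ow3jjgXzAgsPQDnPu7otAta6BpKXQyAd5eVf 8QxhM3rhOQr8x/bb7Md/VAiqBUu00KnCqpXK3TIrTvdO7n192GgyoZw6 tdSFn7ejzDM=
"""

def parse_dnskey(rdata_text):
    """'flags proto alg base64...' -> (flags, proto, alg, key_bytes)."""
    flags, proto, alg, *b64 = rdata_text.split()
    return int(flags), int(proto), int(alg), base64.b64decode("".join(b64))

def key_tag(flags, proto, alg, key):
    """Key tag over the wire-format RDATA (RFC 4034 Appendix B)."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def describe(flags):
    """RFC 5011 view of a key: its role and whether the REVOKE bit is set."""
    if not flags & ZONE:
        return "not a zone key"
    role = "KSK/SEP" if flags & SEP else "ZSK"
    return f"{role} {'REVOKED' if flags & REVOKE else 'active'}"

def answer_keys(dig_text):
    """Extract the DNSKEY RDATA of every record in dig's answer section."""
    pat = re.compile(r"^\S+\s+\d+\s+IN\s+DNSKEY\s+(.+)$")
    return [parse_dnskey(m.group(1)) for m in map(pat.match, dig_text.splitlines()) if m]

def audit(configured, dig_text):
    """Compare each published key against the configured trust anchor by key material."""
    anchor = parse_dnskey(configured)[3]
    return [{"tag": key_tag(flags, proto, alg, key),
             "state": describe(flags),
             "anchor": key == anchor}
            for flags, proto, alg, key in answer_keys(dig_text)]

if __name__ == "__main__":
    for row in audit(CONFIGURED, DIG_ANSWER):
        print(f"tag {row['tag']:5d}  {row['state']:16s}  matches trust anchor: {row['anchor']}")
```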
