Question about managed-keys-zone

Jeremy C. Reed jreed at isc.org
Fri Apr 8 13:36:48 UTC 2016 

On Fri, 8 Apr 2016, Bhangui, Sandeep - BLS CTR wrote:


> '--enable-newstats' '--with-libxml2' '--enable-fullreport' 'CFLAGS=-O2 

Unrelated to your problem, but the --enable-newstats configure switch is 
not used for BIND 9.10.

> 1. Cannot seem to start named and it seems that it is looking for some 
> keys to validation locally.

(I reordered your email some:)

> Apr 7 15:15:32 cfdnsquar01 named[37952]: isc_stdio_open 
> '/usr/local/named-jail9.10.3P4/var/adm/named.log' failed: file not 
> found
> Apr 7 15:15:32 cfdnsquar01 named[37952]: configuring logging: file not 
> found
> Apr 7 15:15:32 cfdnsquar01 named[37952]: loading configuration: file 
> not found
> Apr  7 15:15:32 cfdnsquar01 named[37952]: exiting (due to fatal error)

Your named cannot start due to logging configuration. You didn't share 
your configuration elated to it, but does the directory
/usr/local/named-jail9.10.3P4/var/adm/ exist?

 
> I believe managed-key-zone validation is by default enabled in 
> Bind......is there an option that I can use in named.conf file to 
> disable that so that it does not look for the key......I guess this is 
> just a self-validation on the master itself and has nothing to do with 
> DNSSEC signing as it seems I am not even able to get the named up...

Yes, it is unrelated.

> I guess question is do I have an option that I can specify such that 
> it will not look for self-validation keys at all so that I do not have 
> to deal with rndc.key and rndc.conf or is this something I cannot get 
> by with when I use "views" ? Or am I not understanding this properly?

The rndc keys (used for connecting to the control interface) are 
unrelated to the keys used with DNSSEC.  But for operations it is a good 
idea. See the ARM and/or rndc-confgen manpage about generating the rndc 
configuration.

Let's get your named startup working first before we work on your goal. 
(If I understand correctly, you want named to serve internally unsigned 
zones, an external appliance will sign the zones, and then named can 
then serve the signed zones publicly.)

More information about the bind-users mailing list