dnssec-validation?

David Carvalho david at di.ubi.pt
Thu Apr 13 17:59:44 UTC 2023


Hello and thank you for the reply.
Problem 1 - I'll have to investigate further.

As for problem 2 ... it's weird.
I was working on another thing and now I was checking permissions by your
suggestion, when I noticed the files have new timestamp from a while ago.
I compared the contents of the updated files with a previous backup and they
seem the same.

Tests such as https://dnssec-analyzer.verisignlabs.com/di.ubi.pt
also seem to be still fine. 

So, my conclusion is: 
Named changes the Kdi.ubi.pt** timestamps according to some criteria.

If I do a systemctl restart named-chroot or rndc reload, the contents also
change (and according to a response I got earlier this is a bug solved in
version 9.16.30).
I've been told to upgrade to version 9.18 and I'm setting a test server to
do this. 
In the meantime, if there is a way to avoid the keys being rewritten every
time I reconfigure and reload, I would stick with this version.

Regards
David



-----Original Message-----
From: Evan Hunt <each at isc.org> 
Sent: 13 April 2023 18:08
To: David Carvalho <david at di.ubi.pt>
Cc: bind-users at lists.isc.org
Subject: Re: dnssec-validation?

On Thu, Apr 13, 2023 at 11:38:15AM +0100, David Carvalho wrote:
> Problem number 1: Dnssec seems to be running on "di.ubi.pt", but 
> dnssec-validation still needs to be set to no; Will this cause troubles?
> Dns2 is set to auto and runs fine.

From here, di.ubi.pt appears to be properly signed and everything's working
from here. Turning off validation won't have any effect on that. Your only
problem is with local recursive service.

> Problem number 2: How can I avoid the key regeneration (using version
> 9.16.23) every named restart?

I'm not certain what you mean by key regeneration.

Taking a stab in the dark: Check that the working directory for named is
writable. If named can't write files, then it can't save trust anchor status
across restarts and it has to reinitialize each time.

If that doesn't turn out to be the problem, then can you show me the relevant
lines from your log file so I can see what you're referring to by "key
regeneration"?

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.


