On Dec 19 2010, Torinthiel wrote:
Hello everyone,
I've recently updated bind to version 9.7.2_p3.
I've been using DLV before that, specifically dlv.isc.org, with two
entries in named.conf
options {
dnssec-lookaside . trust-anchor dlv.isc.org.;
};
trusted-keys{
[sometext]
};
and it was working fine.
However, on update I've wanted to try managed-keys. so changed
trusted-keys to managed-keys (and added initial key of course)
so the relevant part of config file now looks like this:
managed-keys {
dlv.isc.org. initial-key 257 3 5
"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
};
this has caused problem, every query caused error, no answers and these
log entries:
Dec 19 21:22:38 sarlac named[4137]: validating @0xb48c0030: dlv.isc.org
DNSKEY: must be secure failure, . is under DLV (startfinddlvsep)
Dec 19 21:22:38 sarlac named[4137]: error (must-be-secure) resolving
'dlv.isc.org/DNSKEY/IN': 156.154.101.23#53
One suspects some transcription error in the trust anchor, but
I admit I can't find one in the copy above.
After some googling and finding
http://www.mail-archive.com/bind-users@lists.isc.org/msg06660.html
and even better
http://www.mail-archive.com/bind-users@lists.isc.org/msg05689.html
I've changed to dnssec-lookaside auto. Lo and behold, everything works fine.
"dnssec-lookaside auto" just imports the managed-keys statement from
[source-tree]/bind.keys. Compare that carefully with your explicit
managed-keys statement.
We are using managed-keys with explicit entries (not auto) for dlv.isc.org
and for the root zone (it's strange that you don't mention a trust anchor
for the root zone), and it works fine (modulo the remarks at the end: just
as well as a trusted-keys statement would, anyway).
However, this presents the following problems to me:
- managed keys does not work as advertised:
In bind manual (PDF downloaded from http://www.bind9.net/manuals), it's
said that managed-keys is similar to trusted-keys, but where key in
trusted-keys is static and trusted as long as it's in config file, key
in managed-keys is trusted only once, to download this key and store it
in trusted database. This proves to be wrong, as it's not trusted even
that one time.
- I don't seem to be able to switch to another DLV registry.
dnssec-lookaside accepts only auto, so I have no choice but to use
built-in DLV. But, e.g. secspider.cs.ucla.edu looks interesting.
Can anyone shed some light if this is my mistake, not having something
in configuration, or a general bind error?
You are doing something wrong, as it works for the rest of us.
However ... when all is said and done, using managed-keys rather than
trusted-keys has very limited value at the moment, if you are only
going to it for dlv.isc.org and the root (and of course you should
*not* use it for any trust anchor for which RFC 5011 compatible
rollovers have not been promised). Neither is likely to be rolled
over without a lot of publicity, and the managed-keys code still
has the bug described at
https://lists.isc.org/pipermail/bind-users/2010-October/081399.html
--
Chris Thompson
Email: c...@cam.ac.uk
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
