In message <4d0e8340.9060...@data.pl>, Torinthiel writes:
> Hello everyone,
>
> I've recently updated bind to version 9.7.2_p3.

Upgraded from what?

> I've been using DLV before that, specifically dlv.isc.org, with two
> entries in named.conf
>
> options {
>     dnssec-lookaside . trust-anchor dlv.isc.org.;
> };
> trusted-keys {
>     [sometext]
> };
>
> and it was working fine.
> However, on update I wanted to try managed-keys, so I changed
> trusted-keys to managed-keys (and added the initial key, of course).
>
> So the relevant part of the config file now looks like this:
>
> managed-keys {
>     dlv.isc.org. initial-key 257 3 5
>     "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
>     brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
>     1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
>     ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
>     Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
>     QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
> };
>
> This has caused a problem: every query caused an error, no answers, and
> these log entries:
>
> Dec 19 21:22:38 sarlac named[4137]: validating @0xb48c0030: dlv.isc.org
> DNSKEY: must be secure failure, . is under DLV (startfinddlvsep)
> Dec 19 21:22:38 sarlac named[4137]: error (must-be-secure) resolving
> 'dlv.isc.org/DNSKEY/IN': 156.154.101.23#53

And what other errors were logged by named when it started?

> After some googling and finding
> http://www.mail-archive.com/bind-users@lists.isc.org/msg06660.html
> and even better
> http://www.mail-archive.com/bind-users@lists.isc.org/msg05689.html
>
> I changed to dnssec-lookaside auto. Lo and behold, everything works fine.

And the contents of /etc/bind.key are? Also the contents in the chroot
area if you are using chroot.

> However, this presents the following problems to me:
> - managed-keys does not work as advertised:
>   In the bind manual (PDF downloaded from http://www.bind9.net/manuals),
>   it's said that managed-keys is similar to trusted-keys, but where a key
>   in trusted-keys is static and trusted as long as it's in the config
>   file, a key in managed-keys is trusted only once, to download this key
>   and store it in the trusted database. This proves to be wrong, as it's
>   not trusted even that one time.
>
> - I don't seem to be able to switch to another DLV registry.
>   dnssec-lookaside accepts only auto, so I have no choice but to use the
>   built-in DLV. But, e.g., secspider.cs.ucla.edu looks interesting.
>
> Can anyone shed some light on whether this is my mistake, not having
> something in the configuration, or a general bind error?
>
> Regards,
> Torinthiel

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
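A resolver-side check, added here and not part of the thread: it parses named's must-be-secure log lines (the two shapes quoted in the message) and flags the case where the failing DNSKEY belongs to a configured DLV trust anchor, which is what the poster's managed-keys setup produced and which points at the local trust-anchor configuration rather than at any one upstream zone. The log format is assumed from the quoted lines only, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Regexes for the two named log shapes quoted in the thread (BIND 9.7).
# Lines are syslog-prefixed: "<date> <host> named[<pid>]: <message>".
_PREFIX = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ named\[(?P<pid>\d+)\]: "
VALIDATING_RE = re.compile(
    _PREFIX + r"validating @0x[0-9a-f]+: (?P<name>\S+) (?P<rtype>\S+): "
    r"must be secure failure, (?P<zone>\S+) is under DLV"
)
RESOLVING_RE = re.compile(
    _PREFIX + r"error \(must-be-secure\) resolving "
    r"'(?P<name>[^/]+)/(?P<rtype>[^/]+)/(?P<rclass>[^']+)': (?P<server>\S+)"
)


def scan_named_log(lines, dlv_anchors=("dlv.isc.org.",)):
    """Collect must-be-secure validation failures from named log lines.

    failures maps (name, rtype) to the servers named in the error lines
    ('-' when the line names none). anchor_broken is True when a configured
    DLV anchor itself failed DNSKEY validation: then the trust-anchor
    configuration is the thing to check, not the upstream zone.
    """
    failures = defaultdict(set)
    anchor_broken = False
    anchors = {a.rstrip(".").lower() for a in dlv_anchors}
    for line in lines:
        m = VALIDATING_RE.match(line) or RESOLVING_RE.match(line)
        if not m:
            continue  # unrelated log line
        name = m.group("name").rstrip(".").lower()
        rtype = m.group("rtype").upper()
        failures[(name, rtype)].add(m.groupdict().get("server") or "-")
        if rtype == "DNSKEY" and name in anchors:
            anchor_broken = True
    return {"failures": dict(failures), "anchor_broken": anchor_broken}


# Constructed sample shaped like the lines quoted in the thread; the host,
# pid and validator address are copied from those lines, and the third line
# is an unrelated message included to show that it is ignored.
SAMPLE_LOG = [
    "Dec 19 21:22:38 sarlac named[4137]: validating @0xb48c0030: dlv.isc.org "
    "DNSKEY: must be secure failure, . is under DLV (startfinddlvsep)",
    "Dec 19 21:22:38 sarlac named[4137]: error (must-be-secure) resolving "
    "'dlv.isc.org/DNSKEY/IN': 156.154.101.23#53",
    "Dec 19 21:22:39 sarlac named[4137]: zone example.test/IN: loaded serial 1",
]
```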