hi- i'm experimenting with dnssec validation for the first time, and am having some trouble. the two culprits so far seem to be dnssec-lookaside and/or a view i have for the chaos class. if both are active, named doesn't start, creates a core file, and logs the following:
27-Feb-2011 18:31:20.349 general: info: managed-keys-zone ./IN/external: loaded serial 5
27-Feb-2011 18:31:20.350 general: info: zone bind/CH/external-chaos: loaded serial 2009113000
27-Feb-2011 18:31:20.350 general: error: managed-keys-zone ./CH/external-chaos: loading from master file /etc/bind/keys/managed/466ec7d86eeb6bcae696bb9ed82824f344579a6725854730827076b7f5f7f3c5.mkeys failed: file not found
27-Feb-2011 18:31:20.350 general: critical: rdata/generic/keydata_65533.c:222: REQUIRE(keydata->common.rdclass == rdclass) failed, back trace
27-Feb-2011 18:31:20.350 general: critical: #0 0x29f290 in ??
27-Feb-2011 18:31:20.350 general: critical: #1 0x126773 in ??
27-Feb-2011 18:31:20.350 general: critical: #2 0x810276 in ??
27-Feb-2011 18:31:20.350 general: critical: #3 0x8115b9 in ??
27-Feb-2011 18:31:20.350 general: critical: #4 0x8951d8 in ??
27-Feb-2011 18:31:20.350 general: critical: #5 0x895d39 in ??
27-Feb-2011 18:31:20.350 general: critical: #6 0x897a24 in ??
27-Feb-2011 18:31:20.351 general: critical: #7 0x2bd19a in ??
27-Feb-2011 18:31:20.351 general: critical: #8 0x2bd400 in ??
27-Feb-2011 18:31:20.351 general: critical: #9 0x1492cb in ??
27-Feb-2011 18:31:20.351 general: critical: #10 0x1c5cc9 in ??
27-Feb-2011 18:31:20.351 general: critical: #11 0x9d769e in ??
27-Feb-2011 18:31:20.351 general: critical: exiting (due to assertion failure)

bind appears to generate the desired files for two of the views, but not for the chaos view:

>l /etc/bind/keys/managed/
total 16K
-rw-r--r-- 1 bind bind 1.2K 2011-02-27 18:49 3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys
-rw-r--r-- 1 bind bind 2.6K 2011-02-27 18:50 3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys.jnl
-rw-r--r-- 1 bind bind 1.2K 2011-02-27 18:49 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys
-rw-r--r-- 1 bind bind 2.6K 2011-02-27 18:50 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys.jnl

if i comment out dnssec-lookaside, or the chaos view, things seem to work ok. i'm wondering what i can do to further diagnose what is happening. below is my configuration, with the (presumably) uninteresting bits removed. i'm using 9.7.1, courtesy of ubuntu 10.10.

options {
    bindkeys-file "/etc/bind/keys/dnssec/bind.keys";
    blackhole { "bogon"; };
    directory "/var/cache/bind";
    dump-file "/var/log/named/named.dump";
    interface-interval 0;
    listen-on-v6 { ::1/128; };
    managed-keys-directory "/etc/bind/keys/managed";
    memstatistics-file "/var/log/named/named.memstats";
    recursing-file "/var/log/named/namedrecursing";
    statistics-file "/var/log/named/named.stats";
    allow-query-cache-on { "localhost"; "private_lan"; };
    allow-recursion { "localhost"; "private_lan"; };
    allow-recursion-on { "localhost"; "private_lan"; };
    dnssec-lookaside "auto" ;
    minimal-responses yes;
    allow-transfer { "localhost"; "slaves"; };
    zone-statistics yes;
};

view "internal" in {
    match-clients { "localhost"; "private_lan"; };
    zone "example.com" {
        type master;
        file "/var/lib/bind/internal/example.com";
        allow-update { key "ddns-key-1"; };
    };
};

view "external" in {
    match-clients { "any"; };
    zone "example.com" {
        type master;
        file "/etc/bind/zones/external/example.com";
    };
};

view "external-chaos" chaos {
    match-clients { "any"; };
    zone "." {
        type hint;
        file "/dev/null";
    };
    zone "bind" {
        type master;
        file "/etc/bind/zones/system/db.bind";
    };
    allow-query { "localhost"; };
    allow-transfer { "none"; };
};

regards
-ben thielsen

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users