bind 9.7.4 on centos6

Carl Byington Sun, 04 Sep 2011 12:34:22 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am trying to build bind 9.7.4 from source on centos6, starting with a
stock fedora14 source rpm. It seems to be working, but won't validate
against the root key, but it will against the dlv.isc.org keys.



dig org ns +dnssec @localhost
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

Note no 'ad' flag in the response.


dig isc.org ns +dnssec
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 13


/etc/named.isc.keys contains:
managed-keys {
    .            initial-key 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
    dlv.isc.org. initial-key 257 3 5
"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
};


which seems to be correct. But when named starts, it logs:

Sep  4 11:59:26 ns named[19409]: set up managed keys zone for view
normal, file '/var/named/dynamic/317b32c143692b9939c197f6a5df54f9698df9a
4882fe8bf19608968662be4fa.mkeys'

And that mkeys files only contains a key for dlv.isc.org, and no managed
key for .

Perhaps this version does not understand algorithm 8 (sha256?), but dig
seems to like it:

dig . dnskey | grep '^\.' >/tmp/root.key
dig org ns +sigchase +trusted-key=/tmp/root.key

output ends with
;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

So it seems that dig can validate, but bind fails to do so:

 cat /tmp/root.key
.                       165546  IN      DNSKEY  256 3 8
AwEAAcy4Eo1P5B3ut9Vm9ZP92JnCFSALJqdhO5fOq1UsseYaiMFqgDH6
Y40iqDw6JmpkmhiJLW6HGj//JLQXAJ+k4EcQ9tlDJqumEe7OJMU6KpcK
s6qI4lugy8j/v6DxDlZdAPASbKmoGx1oceRKzr/UdwyB1G5aIEtwK7/D QFrn3zRj
.                       165546  IN      DNSKEY  257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=

And that looks like the same key as in the /etc/named.iscdlv.key file.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFOY88vL6j7milTFsERAqEwAJ456o3eEHoCSby04MtlbiAyNXgIbACghZsy
Zs5XuI81n7knAvVYcI5+RhA=
=l41m
-----END PGP SIGNATURE-----


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

bind 9.7.4 on centos6

Reply via email to