Hi

I am trying to do a simple proof-of-concept test of DNSSEC signing for our 
organization.

We are an agency under DOL, and the plan is to use a DNSSEC signer appliance 
hosted at DOL to sign the zones so that we do not have to do DNSSEC key 
management.

So basically the configuration is: from our DNS server we send unsigned zones to 
the DNSSEC signer appliance, physically hosted at a different location; it does 
the DNSSEC signing and sends the signed zones back to our master, and we then 
present the DNSSEC-signed zones for our zone to the world. All DNSSEC key 
management will be done by the DNSSEC signer appliance, meaning DNSSEC key 
management is not done by our agency.

Running BIND 9.10.3-P4 on Red Hat Linux 6.x.

It was compiled using the following options:

Apr  7 15:15:32 cfdnsquar01 named[37952]: built with 
'--prefix=/usr/local/named-jail9.10.3P4' 
'--sysconfdir=/usr/local/named-jail9.10.3P4/etc' 
'--mandir=/usr/local/named-jail9.10.3P4/usr/man' 
'--bindir=/usr/local/named-jail9.10.3P4/usr/bin' 
'--sbindir=/usr/local/named-jail9.10.3P4/usr/sbin' 
'--libexecdir=/usr/local/named-jail9.10.3P4/usr/libexec' 
'--sharedstatedir=/usr/local/named-jail9.10.3P4/usr/shared' 
'--localstatedir=/usr/local/named-jail9.10.3P4/var' 
'--libdir=/usr/local/named-jail9.10.3P4/usr/lib' 
'--includedir=/usr/local/named-jail9.10.3P4/usr/include' 
'--with-randomdev=/dev/urandom' '--disable-static' '--with-openssl' 
'--disable-openssl-version-check' '--enable-ipv6' '--enable-fixed-rrset' 
'--enable-rrl' '--enable-largefile' '--enable-newstats' '--with-libxml2' 
'--enable-fullreport' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 
-fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

The relevant parts of named.conf are as follows.


options {
        version "None";
        recursive-clients 2000;
        listen-on-v6 { any; };
        auth-nxdomain no;
        directory "/usr/named";
        check-names master ignore;
        check-names slave ignore;
        check-names response ignore;
        allow-transfer { 10.183.168.21; 10.183.168.22; 198.6.1.115; 
198.6.1.154;};
        allow-query { bls;};
        allow-recursion { bls;};
        allow-query-cache { bls;};
        empty-zones-enable no;
        masterfile-format text;
        interface-interval 0;
};


controls {
        inet 127.0.0.1 allow { localhost; };
};



view "unsigned" {
        match-clients { 10.1.1.1; };          // DNSSEC appliance hosted at other place.
        zone "149.10.in-addr.arpa" {
                type master;
                file "/usr/named/test.rev";
        };
        zone "joe.com" {
                type master;
                file "/usr/named/testunsigned.hosts";
                also-notify { 10.1.1.1; };    // DNSSEC appliance hosted at other place.
        };
};
view "signed" {
        match-clients { any; };
        zone "149.10.in-addr.arpa" {
                type master;
                file "/usr/named/test.rev";
                allow-query { any; };
        };
        zone "joe.com" {
                type slave;
                file "/usr/named/test.hosts";
                masters { 10.1.1.2; };        // DNSSEC appliance hosted at other place.
                allow-query { any; };
        };
};


Problem:

1. I cannot seem to start named, and it seems that it is looking for some keys 
for validation locally.

I believe managed-keys zone validation is enabled by default in BIND. Is 
there an option that I can use in the named.conf file to disable that so that it 
does not look for the key? I guess this is just self-validation on the 
master itself and has nothing to do with DNSSEC signing, as it seems I am not 
even able to get named up.

I guess the question is: do I have an option that I can specify such that it will 
not look for self-validation keys at all, so that I do not have to deal with 
rndc.key and rndc.conf? Or is this something I cannot get by without when I use 
"views"? Or am I not understanding this properly?

If there is no option to disable the key check, can I just put the generated 
secret key (it looks like the log below has some keys) in the rndc.key file for 
self-validation? Will that work?

Any advice or suggestions?

Apr  7 15:15:32 cfdnsquar01 named[37952]: BIND 9 is maintained by Internet 
Systems Consortium,
Apr  7 15:15:32 cfdnsquar01 named[37952]: Inc. (ISC), a non-profit 501(c)(3) 
public-benefit 
Apr  7 15:15:32 cfdnsquar01 named[37952]: corporation.  Support and training 
for BIND 9 are 
Apr  7 15:15:32 cfdnsquar01 named[37952]: available at 
https://www.isc.org/support
Apr  7 15:15:32 cfdnsquar01 named[37952]: 
----------------------------------------------------
Apr  7 15:15:32 cfdnsquar01 named[37952]: adjusted limit on open files from 
4096 to 1048576
Apr  7 15:15:32 cfdnsquar01 named[37952]: found 32 CPUs, using 32 worker threads
Apr  7 15:15:32 cfdnsquar01 named[37952]: using 16 UDP listeners per interface
Apr  7 15:15:32 cfdnsquar01 named[37952]: using up to 4096 sockets
Apr  7 15:15:32 cfdnsquar01 named[37952]: loading configuration from 
'/usr/local/named-jail9.10.3P4/etc/named.conf'
Apr  7 15:15:32 cfdnsquar01 named[37952]: reading built-in trusted keys from 
file '/usr/local/named-jail9.10.3P4/etc/bind.keys'
Apr  7 15:15:32 cfdnsquar01 named[37952]: using default UDP/IPv4 port range: 
[9000, 65500]
Apr  7 15:15:32 cfdnsquar01 named[37952]: using default UDP/IPv6 port range: 
[9000, 65500]
Apr  7 15:15:32 cfdnsquar01 named[37952]: no IPv6 interfaces found
Apr  7 15:15:32 cfdnsquar01 named[37952]: listening on IPv4 interface lo, 
127.0.0.1#53
Apr  7 15:15:32 cfdnsquar01 named[37952]: listening on IPv4 interface eth0, 
10.10.10.10.#53    ------> My Master.
Apr  7 15:15:32 cfdnsquar01 named[37952]: generating session key for dynamic DNS
Apr  7 15:15:32 cfdnsquar01 named[37952]: sizing zone task pool based on 4 zones
Apr  7 15:15:32 cfdnsquar01 named[37952]: set up managed keys zone for view 
unsigned, file 
'ceffe878ab2fa2c7c3322ee4a1aa0c2d2a4664836c5867df93dd15055bb986be.mkeys'
Apr  7 15:15:32 cfdnsquar01 named[37952]: set up managed keys zone for view 
signed, file 
'4a3cdfae6f764c8f544daea5b73505cf9e74c1ed427d391ad0d7ca00c73c899d.mkeys'
Apr  7 15:15:32 cfdnsquar01 named[37952]: configuring command channel from 
'/usr/local/named-jail9.10.3P4/etc/rndc.key'
Apr  7 15:15:32 cfdnsquar01 named[37952]: couldn't add command channel 
127.0.0.1#953: file not found
Apr  7 15:15:32 cfdnsquar01 named[37952]: isc_stdio_open 
'/usr/local/named-jail9.10.3P4/var/adm/named.log' failed: file not found
Apr  7 15:15:32 cfdnsquar01 named[37952]: configuring logging: file not found
Apr  7 15:15:32 cfdnsquar01 named[37952]: loading configuration: file not found
Apr  7 15:15:32 cfdnsquar01 named[37952]: exiting (due to fatal error)

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
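The posted log contains two "file not found" errors before the fatal "loading configuration: file not found": the default rndc.key path under etc/ and the named.log path under var/adm, while the "set up managed keys zone" lines report no error. The script below is an added example, not code from the original post or from ISC. It writes a constructed named.conf for the same split-view topology (unsigned zone notified to the external signer, signed copy slaved back) and then checks every file that config references before named is started. It also shows the two changes a practitioner would want on a cross-site signer exchange: an explicit rndc key in `controls`, and TSIG on both the notify/transfer leg to the signer and the `masters` leg back from it, instead of source-address ACLs alone. The prefix /usr/local/named-jail9.10.3P4, /usr/named and the signer addresses 10.1.1.1 / 10.1.1.2 come from the post; the key name "signer-xfer" and both secrets are placeholders (assumptions).

```shell
#!/bin/sh
# Added example, not from the original post or from ISC. Stages a constructed
# named.conf for the topology in the post (unsigned zone notified to an
# external DNSSEC signer, signed copy slaved back, TSIG on both legs) and
# checks every file the config references before named is started.
# Paths /usr/local/named-jail9.10.3P4 and /usr/named and the signer addresses
# 10.1.1.1 / 10.1.1.2 are from the post; "signer-xfer" and the secrets are
# placeholders (assumptions).

# Write the constructed named.conf into directory $1; $2 is prefixed to each
# absolute path so the demo can run under a scratch root (use "" for real).
write_example_conf() {
  root=$2
  cat > "$1/named.conf" <<EOF
# Placeholder secrets; generate real ones with rndc-confgen -a / tsig-keygen.
key "signer-xfer" { algorithm hmac-sha256; secret "cGxhY2Vob2xkZXItbm90LWEtcmVhbC1zZWNyZXQ="; };
key "rndc-key" { algorithm hmac-sha256; secret "cGxhY2Vob2xkZXItbm90LWEtcmVhbC1zZWNyZXQ="; };
options {
        directory "${root}/usr/named";
};
# Name the rndc key here instead of relying on etc/rndc.key being found.
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
logging {
        # named creates named.log itself but not var/adm; that must exist.
        channel default_log {
                file "${root}/usr/local/named-jail9.10.3P4/var/adm/named.log" versions 5 size 20m;
                severity info; print-time yes;
        };
        category default { default_log; };
};
# Signer-facing view: client must come from the signer's address AND sign
# with the shared TSIG key (the nested negated ACL is how BIND expresses AND).
view "unsigned" {
        match-clients { !{ !10.1.1.1; any; }; key "signer-xfer"; };
        zone "joe.com" {
                type master;
                file "${root}/usr/named/testunsigned.hosts";
                also-notify { 10.1.1.1 key "signer-xfer"; };
                allow-transfer { key "signer-xfer"; };
        };
};
view "signed" {
        match-clients { any; };
        zone "joe.com" {
                type slave;
                file "${root}/usr/named/test.hosts";
                masters { 10.1.1.2 key "signer-xfer"; };
                allow-notify { key "signer-xfer"; };
                allow-transfer { 10.183.168.21; 10.183.168.22; };
                allow-query { any; };
        };
};
EOF
}

# Print "file PATH" for referenced files that must exist (includes, key files,
# master zone files) and "dir PATH" for directories named must write into (log
# channels, slave zone files) that are absent. $1 = named.conf, $2 = sysconfdir,
# where a controls statement with no keys clause makes named look for rndc.key
# (the first "file not found" in the posted log).
missing_named_files() {
  conf=$1 sysconfdir=$2
  dir=$(sed -nE 's/^[[:space:]]*directory[[:space:]]*"([^"]*)".*/\1/p' "$conf" | head -n 1)
  [ -n "$dir" ] || dir=.
  if grep -q '^[[:space:]]*controls' "$conf" && ! grep -q 'keys[[:space:]]*{' "$conf"; then
    [ -f "$sysconfdir/rndc.key" ] || echo "file $sysconfdir/rndc.key"
  fi
  awk '{ line = $0; sub(/(#|\/\/).*/, "", line)
    if (line ~ /^[ \t]*(zone|logging)[ \t]/) { blk = (line ~ /^[ \t]*zone/) ? "zone" : "logging"; start = depth }
    if (match(line, /(^|[ \t{;])(file|include|key-file)[ \t]+"[^"]*"/)) {
      p = substr(line, RSTART, RLENGTH); sub(/^[^"]*"/, "", p); sub(/"$/, "", p)
      kind = (blk == "logging") ? "dir" : "file"
      if (blk == "zone") zfile = p; else print kind, p }
    if (blk == "zone" && match(line, /type[ \t]+[a-z]+/)) {
      ztype = substr(line, RSTART, RLENGTH); sub(/type[ \t]+/, "", ztype) }
    depth += gsub(/\{/, "{", line) - gsub(/\}/, "}", line)
    if (blk != "" && depth <= start) {
      if (zfile != "") { kind = (ztype == "slave") ? "dir" : "file"; print kind, zfile }
      blk = ""; zfile = ""; ztype = "" } }' "$conf" |
  while read -r kind path; do
    case $path in /*) ;; *) path=$dir/$path ;; esac
    if [ "$kind" = dir ]; then
      [ -d "$(dirname "$path")" ] || echo "dir $(dirname "$path")"
    else
      [ -f "$path" ] || echo "file $path"
    fi
  done
}

# Demo: stage the config under a scratch root with only the master zone file
# present. The first run reports the missing log directory (the same failure
# as in the posted log); after creating it, nothing is missing.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/etc" "$root/usr/named"
  write_example_conf "$root/etc" "$root"
  : > "$root/usr/named/testunsigned.hosts"
  missing_named_files "$root/etc/named.conf" "$root/etc"
  mkdir -p "$root/usr/local/named-jail9.10.3P4/var/adm"
  n=$(missing_named_files "$root/etc/named.conf" "$root/etc" | wc -l)
  echo "after mkdir: $((n)) missing"
  rm -rf "$root"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh preflight.sh demo`. On a real host, call `missing_named_files /usr/local/named-jail9.10.3P4/etc/named.conf /usr/local/named-jail9.10.3P4/etc` and clear every line it prints, then run `named-checkconf -z` for syntax and zone loading. The checker only knows about `file`, `include` and `key-file` statements and the rndc.key default; anything referenced by other means still has to be checked by hand.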