From: Mark.Andrews@isc.org
To: Vivek Khera
Cc: stable@freebsd.org, bind-users@isc.org
Subject: Re: BIND 8.2.4-REL in FreeBSD 4.4 broke my DNSSEC
In-reply-to: Your message of "Wed, 26 Sep 2001 16:54:31 -0400." <15282.16519.937665.189852@onceler.kciLink.com>
Date: Fri, 28 Sep 2001 18:05:27 +1000
Message-Id: <200109280805.f8S85Rr03084@drugs.dv.isc.org>

> I had been running 4.3-STABLE from about June on my primary DNS
> server, and had BIND 8.2.3-REL on it (I forget if I updated it or it
> was already that version when I installed FreeBSD).
>
> Anyhow, my DNSSEC configuration is now failing with these errors:
>
> /etc/namedb/named.conf:23: unknown key 'kci-yertle'
> /etc/namedb/named.conf:23: empty key not added to server list
> /etc/namedb/named.conf:51: unknown key 'vortex-kci'
> /etc/namedb/named.conf:51: empty key not added to server list
>
> Does anyone know anything about this? I see in the CHANGES file these
> entries:
>
> 1186. [bug] DNSSEC key ids were computed incorrectly.
> 1156. [bug] don't use a known bogus key name.
>
> I don't see anything in the docs that indicates a syntax change.
>
> Again, this worked just fine with 8.2.3-REL and prior. The BIND users
> mailing list archive shows nothing related to these errors, and I
> don't recall seeing anything like this on the freebsd lists.
>
> My config is like this:
>
> key kci-yertle. {
>   algorithm hmac-md5; secret "my-secret-is-here";
> };
>
> server 216.194.193.105 {
>   keys { kci-yertle.; };
> };

Are you sure that you have these clauses in this order and not the
reverse order? Keys have to be defined before they are used.

>
> For kicks, I tried generating a new key using the dnskeygen program,
> but that also gave the same types of errors.
>
> Any help would be appreciated.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org
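
A pre-flight check for the ordering rule stated in the reply above, as an added example that is not part of the original message or of BIND: it reports every name in a `keys { ... }` list that has no `key` clause earlier in the file. The function names and the two sample configurations (built from the clauses quoted in the post) are constructed here; the check assumes only top-level `key` clauses and `keys { }` lists matter and compares names exactly as written.

```python
import re

# Quoted strings are matched before comments, so "//" or "#" inside a secret stays a string.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*|[{};]|[^\s{};"]+', re.S)

# Constructed samples: the two clauses from the post, in both orders.
SERVER = 'server 216.194.193.105 {\n    keys { kci-yertle.; };\n};\n'
KEY = 'key kci-yertle. {\n    algorithm hmac-md5; secret "my-secret-is-here";\n};\n'
REVERSED = SERVER + KEY   # key referenced before it is defined
ORDERED = KEY + SERVER    # key defined first

def tokens(text):
    """Return (line, token) pairs with comments dropped."""
    out = []
    for m in TOKEN.finditer(text):
        if not m.group().startswith(("/*", "//", "#")):
            out.append((text.count("\n", 0, m.start()) + 1, m.group()))
    return out

def check_key_order(text):
    """Return (line, name) for every keys { } entry with no earlier top-level key clause."""
    toks, defined, problems, depth, i = tokens(text), set(), [], 0, 0
    while i < len(toks):
        tok = toks[i][1]
        nxt = toks[i + 1][1] if i + 1 < len(toks) else ""
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
        elif tok == "key" and depth == 0 and nxt not in ("", "{", "}", ";"):
            defined.add(nxt.strip('"'))   # names are compared exactly as written
            i += 1                        # skip the key name
        elif tok == "keys" and depth > 0 and nxt == "{":
            i += 2                        # step inside the list
            while i < len(toks) and toks[i][1] != "}":
                line, name = toks[i][0], toks[i][1].strip('"')
                if name != ";" and name not in defined:
                    problems.append((line, name))
                i += 1
        i += 1
    return problems

if __name__ == "__main__":
    for label, conf in (("reversed", REVERSED), ("ordered", ORDERED)):
        print(label, check_key_order(conf))
```
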