From: Bob Faulkner
Date: Sun, 14 Jun 2015 10:42:02 -0400
To: freebsd-doc@FreeBSD.org
Subject: Handbook DNS documentation clarification

Hello,

In the handbook section on DNS (29.7), under the DNSSEC subsection (29.7.3.4), subsection 29.7.3.4.2. Authoritative DNS Server Configuration

It is suggested to rename the generated key files to make it clear which type of key the file contains:

"It is also possible to rename the keys. For each KSK file do:

    % mv Kexample.com.+005+nnnnn.key Kexample.com.+005+nnnnn.KSK.key
    % mv Kexample.com.+005+nnnnn.private Kexample.com.+005+nnnnn.KSK.private

For the ZSK files, substitute KSK for ZSK as necessary. The files can now be included in the zone file, using the $include statement. It should look something like this:

    $include Kexample.com.+005+nnnnn.KSK.key ; KSK
    $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK"

In the next subsection: 29.7.3.4.3. Automation Using BIND 9.7 or Later

You are directed to generate keys as explained in section 29.7.3.4.2. Authoritative DNS Server Configuration, and place those keys in a directory to be specified in the configuration.

The problem is that if you rename the key files as suggested in section 29.7.3.4.2. Authoritative DNS Server Configuration, BIND will not load the keys and therefore will not sign the zone.

I spent several hours trying to debug why BIND was not signing my zone when I decided on a hunch to simply rename the key files back to the default format, and BIND then began signing as expected.

This should be noted in the subsection 29.7.3.4.3. Automation Using BIND 9.7 or Later so as to avoid anyone else hitting this roadblock.

Thanks!
Bob Faulkner
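
The check below is an added example, not part of the original message or the Handbook: an sh script that scans a key directory for files carrying the .KSK/.ZSK suffix described above and prints the default name each one should have. It assumes the default layout K<zone>.+<3-digit algorithm>+<5-digit key id>.key/.private; the function names and the key ids 11111 and 22222 are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the Handbook or the original message).
# Default dnssec-keygen names look like K<zone>.+<alg>+<keyid>.key / .private,
# e.g. Kexample.com.+005+11111.key (key id constructed for illustration).

# Succeeds if a base name still has the default layout.
is_default_key_name() {
    printf '%s\n' "$1" |
        grep -Eq '^K.*\.\+[0-9]{3}\+[0-9]{5}\.(key|private)$'
}

# Map a name renamed per the Handbook suggestion (.KSK/.ZSK inserted before
# the extension) back to the default name; other names pass through unchanged.
default_key_name() {
    printf '%s\n' "$1" | sed -E 's/\.(KSK|ZSK)\.(key|private)$/.\2/'
}

# Print "renamed -> default" for every K* file in directory $1 whose name
# is not in the default layout. Returns 1 if any such file exists.
find_renamed_keys() {
    found=0
    for f in "$1"/K*; do
        [ -e "$f" ] || continue          # directory has no K* files
        base=${f##*/}
        is_default_key_name "$base" && continue
        printf '%s -> %s\n' "$base" "$(default_key_name "$base")"
        found=1
    done
    return "$found"
}

# Demo on a constructed key directory (empty placeholder files only).
demo() {
    d=$(mktemp -d) || return 1
    touch "$d/Kexample.com.+005+11111.KSK.key" \
          "$d/Kexample.com.+005+11111.KSK.private" \
          "$d/Kexample.com.+005+22222.key" \
          "$d/Kexample.com.+005+22222.private"
    find_renamed_keys "$d" || echo "rename these back before relying on automatic signing"
    rm -rf "$d"
}
demo
```

The script only reports; it does not rename anything, so the suggested names can be reviewed before running mv by hand.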