Date: Sun, 14 Aug 2011 12:18:03 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: "Conrad J. Sabatier" <conrads@cox.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: what is causing this warning in /var/log/messages?
Message-ID: <4E47AEEB.1000402@infracaninophile.co.uk>
In-Reply-To: <20110813184511.28b2982a@serene.no-ip.org>
References: <20110813184511.28b2982a@serene.no-ip.org>
On 14/08/2011 00:45, Conrad J. Sabatier wrote:
> Did you ever get any response to this question?  I'm seeing something
> very similar after just setting up named yesterday:
>
> Aug 13 18:06:39 serene named[1105]: managed-keys-zone ./IN: loading
> from master file managed-keys.bind failed: file not found
>
> I'm just trying to set up a simple caching nameserver (slave), using the
> auto_forward options.
>

That's a different problem to the one Gary had.  It seems you have

    options {
        ...
        dnssec-validation yes;
        ...
    };

in your named.conf (i.e. check RRSIG data and ensure that there is a
chain of trust from the root or whatever trust anchor you prefer.  This
is a good thing and really should be enabled in all recursive
nameservers nowadays.)

In order to do that, you need to explicitly specify your trusted key in
named.conf -- or preferably an initial key, as named can track from that
key to the currently active ones automatically.

There are two important trust anchors: the dlv.isc.org key, and the root
key.  The DLV key is built into the Bind sources -- all you need to do
is add:

    options {
        ...
        dnssec-lookaside auto;
        ...
    };

If you are really paranoid, then you can verify the PGP signature on,
and then add the DLV KSK key to your named.conf as described here:

    http://www.isc.org/solutions/dlv#dlv_key

The root key is different.  In this case, to verify the key, pull the
key data from the DNS and convert it into a DS (domain signing) record.
Then compare that to the signed data published by IANA.  Once you're
satisfied, then add a managed-keys statement to named.conf like so:

    managed-keys {
        // The DNS root key -- see http://data.iana.org/root-anchors/
        // Compare fingerprints with the key published in the DNS by:
        //   dig . dnskey | grep -w 257 > root.key
        //   dnssec-dsfromkey -2 root.key
        // Verify DS record against the IANA root-anchors data using PGP.
        . initial-key 257 3 8
            "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
             FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
             bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
             X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
             W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
             Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
             QxA+Uk1ihz0=";
    };

Docco on managed-keys here:

    http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#id2589494

Note that DNSSEC is one area that has seen a great deal of development
over the last several releases of BIND.  It definitely works best in the
latest version, bind-9.8.x, although any of the versions bundled with
supported versions of FreeBSD will function correctly.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
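The check Matthew describes (turn the root DNSKEY you pulled from the DNS into a DS record and compare it with what IANA publishes) is what `dnssec-dsfromkey -2` does for you. The Python below is an added example, not code from this thread, from ISC or from IANA: it builds the DS record itself, per RFC 4034, from the `257 3 8 ...` key shown in the managed-keys statement above, so the comparison can be done offline and the digest computation is visible. The DS value it compares against is the one IANA published for that key (key tag 19036, SHA-256); it is embedded here as a constant and is an assumption you should confirm yourself against the PGP-signed file at http://data.iana.org/root-anchors/ before trusting it. Function names are mine.

```python
import base64
import hashlib
import struct

# The root KSK exactly as it appears in the managed-keys statement above
# (DNSKEY presentation form: flags, protocol, algorithm, base64 public key).
ROOT_KSK_DNSKEY = (
    "257 3 8 "
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq"
    "QxA+Uk1ihz0="
)

# DS record IANA published for that key.  Assumed here as a constant so the
# example runs offline; verify it against the signed root-anchors data.
IANA_ROOT_DS = (
    "19036 8 2 "
    "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
)


def dnskey_rdata(text):
    """DNSKEY presentation form -> wire-format RDATA (RFC 4034 section 2.1):
    flags (2 bytes), protocol (1), algorithm (1), public key bytes."""
    flags, proto, alg, *b64 = text.split()
    pubkey = base64.b64decode("".join(b64))
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + pubkey


def key_tag(rdata):
    """Key tag over the RDATA, as in RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def owner_wire(name):
    """Canonical (lowercase) wire form of an owner name; '.' is one zero byte."""
    if name == ".":
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def ds_from_dnskey(owner, text, digest_type=2):
    """Return the DS in presentation form 'keytag alg digesttype HEX'.
    The digest covers owner name wire form followed by the DNSKEY RDATA
    (RFC 4034 section 5.1.4); type 2 is SHA-256, type 1 is SHA-1."""
    rdata = dnskey_rdata(text)
    algorithm = rdata[3]
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def matches_iana(owner, text, iana_ds):
    """True only if the DS we derive is byte-for-byte the one IANA published."""
    digest_type = int(iana_ds.split()[2])
    return ds_from_dnskey(owner, text, digest_type) == iana_ds.upper()


if __name__ == "__main__":
    derived = ds_from_dnskey(".", ROOT_KSK_DNSKEY)
    print("derived DS :", derived)
    print("IANA DS    :", IANA_ROOT_DS)
    print("MATCH" if matches_iana(".", ROOT_KSK_DNSKEY, IANA_ROOT_DS)
          else "MISMATCH: do not add this key to managed-keys")
```

To check a key you actually fetched, paste the output of `dig . dnskey | grep -w 257` (flags, protocol, algorithm and base64 only) in place of the constant above; a single changed byte in the key, including the flags field, produces a different key tag and digest, which is exactly why the comparison must be exact rather than a "looks similar" check.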