From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: "Conrad J. Sabatier"
Cc: freebsd-questions@freebsd.org
Date: Sun, 14 Aug 2011 12:18:03 +0100
Subject: Re: what is causing this warning in /var/log/messages?

On 14/08/2011 00:45, Conrad J. Sabatier wrote:
> Did you ever get any response to this question?
> I'm seeing something very similar after just setting up named yesterday:
>
> Aug 13 18:06:39 serene named[1105]: managed-keys-zone ./IN: loading
> from master file managed-keys.bind failed: file not found
>
> I'm just trying to set up a simple caching nameserver (slave), using the
> auto_forward options.
>

That's a different problem to the one Gary had. It seems you have

    options {
        ...
        dnssec-validation yes;
        ...
    };

in your named.conf (i.e. check RRSIG data and ensure that there is a
chain of trust from the root or whatever trust anchor you prefer. This
is a good thing and really should be enabled in all recursive
nameservers nowadays.)

In order to do that, you need to explicitly specify your trusted key in
named.conf -- or preferably an initial key, as named can track from that
key to the currently active ones automatically.

There are two important trust anchors: the dlv.isc.org key, and the root
key. The DLV key is built into the Bind sources -- all you need to do is
add:

    options {
        ...
        dnssec-lookaside auto;
        ...
    };

If you are really paranoid, then you can verify the PGP signature on,
and then add, the DLV KSK key to your named.conf as described here:

    http://www.isc.org/solutions/dlv#dlv_key

The root key is different. In this case, to verify the key, pull the
key data from the DNS and convert it into a DS (domain signing) record.
Then compare that to the signed data published by IANA. Once you're
satisfied, then add a managed-keys statement to named.conf like so:

    managed-keys {
        // The DNS root key -- see http://data.iana.org/root-anchors/
        // Compare fingerprints with the key published in the DNS by:
        //     dig . dnskey | grep -w 257 > root.key
        //     dnssec-dsfromkey -2 -f root.key .
        // Verify DS record against the IANA root-anchors data using PGP.
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
                               FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
                               bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
                               X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
                               W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
                               Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
                               QxA+Uk1ihz0=";
    };

Docco on managed-keys here:

    http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#id2589494

Note that DNSSEC is one area that has seen a great deal of development
over the last several releases of BIND. It definitely works best in the
latest version, bind-9.8.x, although any of the versions bundled with
supported versions of FreeBSD will function correctly.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
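The DNSKEY-to-DS conversion that the dnssec-dsfromkey step in the message performs, written out as an added Python example (not code from the post, from ISC or from IANA): it builds the wire-format RDATA for the root KSK quoted in the managed-keys statement, computes the RFC 4034 key tag and the SHA-256 DS digest, and compares all four DS fields against a published anchor. The key bytes are the ones from the post; the IANA_DS value is assumed to be the entry for this key in IANA's root-anchors.xml and should be fetched and PGP-verified rather than copied from here.

```python
import base64
import hashlib

# Root KSK exactly as quoted in the managed-keys statement above (line breaks removed).
# flags 257 = KSK, protocol 3, algorithm 8 (RSA/SHA-256).
ROOT_KSK_FLAGS, ROOT_KSK_PROTO, ROOT_KSK_ALG = 257, 3, 8
ROOT_KSK_B64 = (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq"
    "QxA+Uk1ihz0="
)
# DS for that key as published in IANA's root-anchors.xml (assumed here: fetch and
# PGP-verify the real file instead of trusting a value copied from a mail or script).
IANA_DS = (19036, 8, 2, "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")

def owner_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2); the root is a lone 0x00."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format (RFC 4034 s2.1): flags, protocol, algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the RDATA, RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(name, flags, protocol, algorithm, pubkey_b64):
    """What 'dnssec-dsfromkey -2' prints: (key tag, algorithm, digest type 2, SHA-256 digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_wire(name) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def root_key_matches_iana():
    """Compare every field of the computed DS with the published anchor, not just the key tag."""
    return ds_from_dnskey(".", ROOT_KSK_FLAGS, ROOT_KSK_PROTO, ROOT_KSK_ALG, ROOT_KSK_B64) == IANA_DS

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey(".", ROOT_KSK_FLAGS, ROOT_KSK_PROTO, ROOT_KSK_ALG, ROOT_KSK_B64)
    print(f". IN DS {tag} {alg} {dtype} {digest}")
    print("matches IANA root-anchors:", root_key_matches_iana())
```

A key tag alone is only a 16-bit hint, so the comparison deliberately covers the full digest; a mismatch in any field means the DNSKEY you pulled is not the published anchor.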