From owner-freebsd-stable Wed Sep 26 13:55:11 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from onceler.kciLink.com (onceler.kcilink.com [216.194.193.106])
	by hub.freebsd.org (Postfix) with ESMTP id 4CC0237B40F
	for ; Wed, 26 Sep 2001 13:55:04 -0700 (PDT)
Received: (from khera@localhost)
	by onceler.kciLink.com (8.11.6/8.11.6) id f8QKsWA32864;
	Wed, 26 Sep 2001 16:54:32 -0400 (EDT)
	(envelope-from khera)
From: Vivek Khera
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15282.16519.937665.189852@onceler.kciLink.com>
Date: Wed, 26 Sep 2001 16:54:31 -0400
To: stable@freebsd.org, bind-users@isc.org
Subject: BIND 8.2.4-REL in FreeBSD 4.4 broke my DNSSEC
X-Mailer: VM 6.96 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I had been running 4.3-STABLE from about June on my primary DNS
server, and had BIND 8.2.3-REL on it (I forget if I updated it or it
was already that version when I installed FreeBSD).

Anyhow, my DNSSEC configuration is now failing with these errors:

  /etc/namedb/named.conf:23: unknown key 'kci-yertle'
  /etc/namedb/named.conf:23: empty key not added to server list
  /etc/namedb/named.conf:51: unknown key 'vortex-kci'
  /etc/namedb/named.conf:51: empty key not added to server list

Does anyone know anything about this? I see in the CHANGES file these
entries:

  1186.   [bug]           DNSSEC key ids were computed incorrectly.
  1156.   [bug]           don't use a known bogus key name.

I don't see anything in the docs that indicates a syntax change. Again,
this worked just fine with 8.2.3-REL and prior.

The BIND users mailing list archive shows nothing related to these
errors, and I don't recall seeing anything like this on the freebsd
lists.

My config is like this:

  key kci-yertle. {
    algorithm hmac-md5;
    secret "my-secret-is-here";
  };

  server 216.194.193.105 {
    keys { kci-yertle.; };
  };

For kicks, I tried generating a new key using the dnskeygen program,
but that also gave the same types of errors.

Any help would be appreciated.