Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 14 Aug 2011 12:18:03 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        "Conrad J. Sabatier" <conrads@cox.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: what is causing this warning in /var/log/messages?
Message-ID:  <4E47AEEB.1000402@infracaninophile.co.uk>
In-Reply-To: <20110813184511.28b2982a@serene.no-ip.org>
References:  <20110813184511.28b2982a@serene.no-ip.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig498380C17BD67609F79BC9ED
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

On 14/08/2011 00:45, Conrad J. Sabatier wrote:
> Did you every get any response to this question?  I'm seeing something
> very similar after just setting up named yesterday:
>=20
> Aug 13 18:06:39 serene named[1105]: managed-keys-zone ./IN: loading
> from master file managed-keys.bind failed: file not found
>=20
> I'm just trying to setup a simple caching nameserver (slave), using the=

> auto_forward options.
>=20

That's a different problem to the one Gary had.  It seems you have
options { ... dnssec-validation =3D yes; ... };  in your named.conf (ie.
check RRSIG data and ensure that there is a chain of trust from the root
or whatever trust anchor you prefer.  This is a good thing and really
should be enabled in all recursive nameservers nowadays.)

In order to do that, you need to explicitly specify your trusted key
in named.conf -- or preferably an initial key, as named can track from
that key to the currently active ones automatically.  There are two
important trust anchors:  the dlv.isc.org key, and the root key.  The
DLV key is built into the Bind sources -- all you need to do is add:

   options { ... dnssec-lookaside auto; ... };

If you are really paranoid, then you can verify the PGP signature on,
and then add the DLV KSK key to your named.conf as described here:

   http://www.isc.org/solutions/dlv#dlv_key

The root key is different.  In this case, to verify the key, pull the
key data from the DNS and convert it into a DS (domain signing) record.
Then compare that to the signed data published by IANA.  Once you're
satisfied, then add a managed-keys statement to named.conf like so:

managed-keys {
    // The DNS root key -- see http://data.iana.org/root-anchors/
    // Compare fingerprints with the key published in the DNS by:
    //    dig . dnskey | grep -w 257 > root.key
    //    dnssec-dsfromkey -2 root.key
    // Verify DS record against the IANA root-anchors data using PGP.

    . initial-key 257 3 8
        "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
         FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
         bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
         X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
         W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
         Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
         QxA+Uk1ihz0=3D";
};

Docco on managed-keys here:

http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#id2589494

Note that DNSSEC is one area that has seen a great deal of development
over the last several releases of BIND.  It definitely works best in the
latest version, bind-9.8.x, although any of the versions bundled with
supported versions of FreeBSD will function correctly.

	Cheers,

	Matthew

--=20
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW


--------------enig498380C17BD67609F79BC9ED
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5HrvIACgkQ8Mjk52CukIxt1wCeL3hKwC4uLJJZJFiWamicUrSN
bIwAoIdy53CTUM1ezdS3LfmtAsK9b47Z
=7xHo
-----END PGP SIGNATURE-----

--------------enig498380C17BD67609F79BC9ED--



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?4E47AEEB.1000402>