Date:      Sun, 14 Aug 2011 12:18:03 +0100
From:      Matthew Seaman <>
To:        "Conrad J. Sabatier" <>
Subject:   Re: what is causing this warning in /var/log/messages?
Message-ID:  <>
In-Reply-To: <>
References:  <>


On 14/08/2011 00:45, Conrad J. Sabatier wrote:
> Did you ever get any response to this question?  I'm seeing something
> very similar after just setting up named yesterday:
> Aug 13 18:06:39 serene named[1105]: managed-keys-zone ./IN: loading
> from master file managed-keys.bind failed: file not found
> I'm just trying to setup a simple caching nameserver (slave), using the
> auto_forward options.

That's a different problem to the one Gary had.  It seems you have
options { ... dnssec-validation = yes; ... };  in your named.conf (ie.
check RRSIG data and ensure that there is a chain of trust from the root
or whatever trust anchor you prefer.  This is a good thing and really
should be enabled in all recursive nameservers nowadays.)

In order to do that, you need to explicitly specify your trusted key
in named.conf -- or preferably an initial key, as named can track from
that key to the currently active ones automatically.  There are two
important trust anchors:  the key, and the root key.  The
DLV key is built into the Bind sources -- all you need to do is add:

   options { ... dnssec-lookaside auto; ... };

If you are really paranoid, then you can verify the PGP signature on,
and then add the DLV KSK key to your named.conf as described here:

The root key is different.  In this case, to verify the key, pull the
key data from the DNS and convert it into a DS (domain signing) record.
Then compare that to the signed data published by IANA.  Once you're
satisfied, then add a managed-keys statement to named.conf like so:

managed-keys {
    // The DNS root key -- see
    // Compare fingerprints with the key published in the DNS by:
    //    dig . dnskey | grep -w 257 > root.key
    //    dnssec-dsfromkey -2 root.key
    // Verify DS record against the IANA root-anchors data using PGP.

    . initial-key 257 3 8

Docco on managed-keys here:

Note that DNSSEC is one area that has seen a great deal of development
over the last several releases of BIND.  It definitely works best in the
latest version, bind-9.8.x, although any of the versions bundled with
supported versions of FreeBSD will function correctly.



Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP:     Ramsgate
JID:               Kent, CT11 9PW
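
The "convert the DNSKEY into a DS record and compare it with what IANA publishes" step from the message above, as an added example that is not part of the original thread: it reproduces offline what `dnssec-dsfromkey -2 root.key` computes (key tag per RFC 4034 Appendix B, digest over owner name plus RDATA), and checks the result against a DS set assumed to have been obtained out of band. The DNSKEY line and the key tag 2063 are constructed for the example and are not the real root key.

```python
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509, dnssec-dsfromkey -2), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}

def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name (lower-cased labels); the root '.' is a single zero byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY line (as printed by dig) into (owner, RDATA bytes)."""
    fields = line.split(";")[0].split()          # drop any trailing '; key id = ...' comment
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))  # key material may be wrapped over several fields
    return fields[0], struct.pack("!HBB", flags, proto, alg) + key

def is_ksk(rdata: bytes) -> bool:
    """Flags 257 = ZONE (0x0100) | SEP (0x0001): the key-signing key that 'grep -w 257' selects."""
    flags = struct.unpack("!H", rdata[:2])[0]
    return flags & 0x0101 == 0x0101

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than 1): 16-bit folded sum over the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(line: str, digest_type: int = 2) -> str:
    """What `dnssec-dsfromkey -<digest_type>` prints: 'tag alg type HEX(H(owner || RDATA))'."""
    owner, rdata = parse_dnskey(line)
    if not is_ksk(rdata):
        raise ValueError("not a KSK (flags != 257); a trust anchor should be the SEP key")
    digest = hashlib.new(DIGEST_ALGS[digest_type], wire_name(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def matches_anchor(ds: str, published: set) -> bool:
    """True if the locally derived DS equals one of the DS records obtained out of band (e.g. from IANA)."""
    def norm(s: str) -> str:
        return " ".join(s.upper().split())
    return norm(ds) in {norm(p) for p in published}

# Constructed sample (NOT the real root key): a 4-byte key so the key tag (2063) can be checked by hand.
SAMPLE_DNSKEY = ". 172800 IN DNSKEY 257 3 8 AQIDBA=="
```

Feed `ds_from_dnskey` the line that `dig . dnskey | grep -w 257` returns and compare the output with the DS in IANA's signed root-anchors data; only then paste the key into `managed-keys`.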
