dnssec-lookaside != auto

Torinthiel torinthiel at data.pl
Sun Dec 19 22:12:16 UTC 2010

Hello everyone,

I've recently updated bind to version 9.7.2_p3.

I've been using DLV before that, specifically dlv.isc.org, with two
entries in named.conf

options {
dnssec-lookaside . trust-anchor dlv.isc.org.;

and it was working fine.
However, on update I've wanted to try managed-keys. so changed
trusted-keys to managed-keys (and added initial key of course)

so the relevant part of config file now looks like this:

managed-keys {
dlv.isc.org. initial-key 257 3 5
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";

this has caused problem, every query caused error, no answers and these
log entries:

Dec 19 21:22:38 sarlac named[4137]: validating @0xb48c0030: dlv.isc.org
DNSKEY: must be secure failure,  . is under DLV (startfinddlvsep)
Dec 19 21:22:38 sarlac named[4137]: error (must-be-secure) resolving

After some googling and finding
and even better

I've changed to dnssec-lookaside auto. Lo and behold, everything works fine.

However, this presents the following problems to me:
- managed keys does not work as advertised:
In bind manual (PDF downloaded from http://www.bind9.net/manuals), it's
said that managed-keys is similar to trusted-keys, but where key in
trusted-keys is static and trusted as long as it's in config file, key
in managed-keys is trusted only once, to download this key and store it
in trusted database. This proves to be wrong, as it's not trusted even
that one time.

- I don't seem to be able to switch to another DLV registry.
dnssec-lookaside accepts only auto, so I have no choice but to use
built-in DLV. But, e.g. secspider.cs.ucla.edu looks interesting.

Can anyone shed some light if this is my mistake, not having something
in configuration, or a general bind error?


More information about the bind-users mailing list