dnssec-lookaside != auto

Chris Thompson cet1 at cam.ac.uk
Mon Dec 20 00:11:15 UTC 2010

On Dec 19 2010, Torinthiel wrote:

>Hello everyone,
>I've recently updated bind to version 9.7.2_p3.
>I've been using DLV before that, specifically dlv.isc.org, with two
>entries in named.conf
>options {
>dnssec-lookaside . trust-anchor dlv.isc.org.;
>and it was working fine.
>However, on update I wanted to try managed-keys, so I changed
>trusted-keys to managed-keys (and added the initial key, of course),
>so the relevant part of config file now looks like this:
>managed-keys {
>dlv.isc.org. initial-key 257 3 5
>QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
>This has caused a problem: every query caused an error, no answers, and these
>log entries:
>Dec 19 21:22:38 sarlac named[4137]: validating @0xb48c0030: dlv.isc.org
>DNSKEY: must be secure failure,  . is under DLV (startfinddlvsep)
>Dec 19 21:22:38 sarlac named[4137]: error (must-be-secure) resolving

One suspects some transcription error in the trust anchor, but
I admit I can't find one in the copy above.

>After some googling and finding
>and even better
>I've changed to dnssec-lookaside auto. Lo and behold, everything works fine.

"dnssec-lookaside auto" just imports the managed-keys statement from
[source-tree]/bind.keys. Compare that carefully with your explicit
managed-keys statement.

We are using managed-keys with explicit entries (not auto) for dlv.isc.org
and for the root zone (it's strange that you don't mention a trust anchor
for the root zone), and it works fine (modulo the remarks at the end: just
as well as a trusted-keys statement would, anyway).

>However, this presents the following problems to me:
>- managed keys does not work as advertised:
>In bind manual (PDF downloaded from http://www.bind9.net/manuals), it's
>said that managed-keys is similar to trusted-keys, but where key in
>trusted-keys is static and trusted as long as it's in config file, key
>in managed-keys is trusted only once, to download this key and store it
>in trusted database. This proves to be wrong, as it's not trusted even
>that one time.
>- I don't seem to be able to switch to another DLV registry.
>dnssec-lookaside accepts only auto, so I have no choice but to use
>built-in DLV. But, e.g. secspider.cs.ucla.edu looks interesting.
>Can anyone shed some light if this is my mistake, not having something
>in configuration, or a general bind error?

You are doing something wrong, as it works for the rest of us.

However ... when all is said and done, using managed-keys rather than
trusted-keys has very limited value at the moment, if you are only
going to use it for dlv.isc.org and the root (and of course you should
*not* use it for any trust anchor for which RFC 5011 compatible
rollovers have not been promised). Neither is likely to be rolled
over without a lot of publicity, and the managed-keys code still
has the bug described at 


Chris Thompson
Email: cet1 at cam.ac.uk
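
The comparison suggested above, between an explicit managed-keys statement and the one in bind.keys, can be done mechanically. The following is an added example, not part of the original message and not BIND code; the function names and all key data are constructed, and it assumes both statements are available as plain text with no include directives.

```python
import re
from os.path import commonprefix

REFERENCE = '''
# Constructed stand-in for bind.keys; the key data is NOT real.
managed-keys {
    dlv.isc.org. initial-key 257 3 5 "AAAAconstructedDLVkey//0123456789
        abcdefghijklmnop+QRSTUV";
    . initial-key 257 3 8 "BBBBconstructedROOTkey0123456789";
};
'''
# Constructed explicit statement: two characters transposed, no root anchor.
EXPLICIT = '''
managed-keys {
    dlv.isc.org. initial-key 257 3 5
        "AAAAconstructedDLVkey//0123456789 abcdefghijklnmop+QRSTUV";
};
'''
ENTRY = re.compile(r'([\w.-]+)\s+(?:initial-key\s+)?(\d+)\s+(\d+)\s+(\d+)\s+'
                   r'((?:"[^"]*"\s*)+);')

def strip_comments(text):
    # Leave quoted strings alone: base64 key data may contain "//".
    keep_quoted = lambda m: m.group(0) if m.group(0)[0] == '"' else ''
    return re.sub(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', keep_quoted, text, flags=re.S)

def parse_anchors(conf):  # -> {owner name: (flags, protocol, algorithm, key)}
    anchors = {}
    for block in re.finditer(r'\b(?:managed|trusted)-keys\s*\{(.*?)\}\s*;',
                             strip_comments(conf), re.S):
        for name, flags, proto, alg, key in ENTRY.findall(block.group(1)):
            anchors[name.lower().rstrip('.') + '.'] = (
                int(flags), int(proto), int(alg), re.sub(r'[\s"]', '', key))
    return anchors

def compare(explicit, reference):
    problems = []
    for name, ref in reference.items():
        mine = explicit.get(name)
        if mine is None:
            problems.append(f"{name}: no trust anchor configured")
        elif mine[:3] != ref[:3]:
            problems.append(f"{name}: flags/protocol/algorithm {mine[:3]} != {ref[:3]}")
        elif mine[3] != ref[3]:
            pos = len(commonprefix([mine[3], ref[3]]))
            problems.append(f"{name}: key differs at base64 offset {pos}")
    return problems

if __name__ == "__main__":
    print("\n".join(compare(parse_anchors(EXPLICIT), parse_anchors(REFERENCE))))
```

Whitespace and line breaks inside the quoted key are ignored before comparing, so only a real difference in the key material, the numeric fields, or a missing anchor is reported.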
