bind 9.7.4 on centos6

Mark Andrews marka at isc.org
Mon Sep 5 04:07:58 UTC 2011


In message <1315192045.25202.21.camel at ns.five-ten-sg.com>, Carl Byington writes:
> > /etc/named.isc.keys contains:
> 
> > Is that file included in named.conf?
> > What dnssec settings do you have in named.conf?
> 
>     dnssec-enable yes;
>     dnssec-validation yes;
>     dnssec-lookaside auto;
> 
>     /* Path to ISC DLV key */
>     bindkeys-file "/etc/named.iscdlv.key";
> 
>     managed-keys-directory "/var/named/dynamic";
> 
> 
> I mis-typed the name of the isc file above, it actually is
> /etc/named.iscdlv.key as referenced in the /etc/named.conf file
> copy/paste segment above.
> 
> cat /etc/named.iscdlv.key
> managed-keys {
>     .            initial-key 257 3 8
> "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
> FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
> bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
> X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
> W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
> Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
>     dlv.isc.org. initial-key 257 3 5
> "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
> brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
> 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
> ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
> Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
> QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";

"dnssec-lookaside auto;" only pulls the "dlv.isc.org" key out of
that file.  The root's key is just for reference in BIND 9.7.x.  If
you just include that file into named.conf it will load the root's
key and org's answers will validate.

e.g.
	include "/etc/named.iscdlv.key";

BIND 9.8 has "dnssec-validate auto;" which pulls the root's key out
of that file.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
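
The BIND 9.7 behaviour described in the reply above, modelled as an added example (not code from the post or from ISC): it reports which trust anchors a configuration ends up with before and after adding the `include` line. The function names, the `FILES` map standing in for the filesystem, and the placeholder key strings are assumptions made for this illustration; only an explicit `bindkeys-file` is modelled.

```python
import re

# Constructed sample inputs; key material is replaced by placeholders.
KEY_FILE = '''managed-keys {
    .            initial-key 257 3 8 "PLACEHOLDER-ROOT-KEY";
    dlv.isc.org. initial-key 257 3 5 "PLACEHOLDER-DLV-KEY";
};
'''
CONF_BEFORE = '''options {
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
};
'''
CONF_AFTER = CONF_BEFORE + 'include "/etc/named.iscdlv.key";\n'
FILES = {"/etc/named.iscdlv.key": KEY_FILE}

_TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(text):
    """Drop named.conf comments but keep quoted strings (base64 may contain //)."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def anchors_in(text):
    """Zone names that have an initial-key entry inside managed-keys { ... };"""
    zones = set()
    body = strip_comments(text)
    for block in re.findall(r'managed-keys\s*\{(.*?)\}\s*;', body, re.S):
        zones.update(re.findall(r'(\S+)\s+initial-key\s+\d+\s+\d+\s+\d+\s+"', block))
    return zones

def effective_anchors_97(named_conf, files):
    """Trust anchors loaded under the 9.7.x behaviour described in the reply."""
    conf = strip_comments(named_conf)
    anchors = anchors_in(conf)                       # keys written inline
    for path in re.findall(r'^\s*include\s+"([^"]+)"\s*;', conf, re.M):
        anchors |= anchors_in(files.get(path, ""))   # keys pulled in by include
    m = re.search(r'bindkeys-file\s+"([^"]+)"', conf)
    if m and re.search(r'dnssec-lookaside\s+auto\s*;', conf):
        # "dnssec-lookaside auto;" takes only the DLV key from bindkeys-file
        anchors |= anchors_in(files.get(m.group(1), "")) & {"dlv.isc.org."}
    return anchors

if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(label, sorted(effective_anchors_97(conf, FILES)))
```

A result without `.` means names not registered in the DLV are being resolved without a root trust anchor.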


