Stop of logging of No Valid Signature Found

Mark Andrews marka at isc.org
Tue Feb 26 02:36:04 UTC 2013


In message <512C18EB.2050304 at htt-consult.com>, Robert Moskowitz writes:
> 
> On 02/25/2013 08:38 PM, Mark Andrews wrote:
> > In message <512C1009.4060404 at htt-consult.com>, Robert Moskowitz writes:
> >>>>>>       dnssec-enable yes;
> >>>>>>       dnssec-validation yes;
> >>>> digging back in the archive here, I find out this should be
> >>>>
> >>>>        dnssec-validation auto;
> >>> Actually it can be either.  It's all a matter of how you want to
> >>> setup your trust anchors.  For private root zones it is absolutely
> >>> the wrong thing to do.
> >> I got this from some old messages from you on the subject of "no valid
> >> signature".
> >>
> >> Perhaps tying into my using the builtin root hints rather than
> >> explicitly including a root.hint stub?
> >>
> >> Like the other person, once I changed from 'yes' to 'auto' I stopped
> >> logging these messages so I ASSuME that now all those zones are being
> >> validated.
> >>
> >> No private root zones here.  At least that I know of!
> > dnssec-validation auto; adds an implicit managed-keys clause for the
> > root.  If you just do dnssec-validation yes; you need to add an
> > explicit trusted-keys / managed-keys clause.
> >
> > managed-keys {
> >          . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOy
> > QbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVP
> > QuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apA
> > zvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ
> > 57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
> > };
> 
> Yes, I wondered about this as I have the include:
> 
>      bindkeys-file "/etc/named.iscdlv.key";
> 
> which contains:
> 
> managed-keys {
>      # ISC DLV: See https://www.isc.org/solutions/dlv for details.
>          # NOTE: This key is activated by setting "dnssec-lookaside auto;"
>          # in named.conf.
>      dlv.isc.org. initial-key 257 3 5 
> "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
>          brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
>          1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
>          ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
>          Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
>          QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
>          TDN0YUuWrBNh";
> 
>      # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
>      # for current trust anchor information.
>          # NOTE: This key is activated by setting "dnssec-validation auto;"
>          # in named.conf.
>      . initial-key 257 3 8 
> "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
>          FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
>          bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
>          X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
>          W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
>          Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
>          QxA+Uk1ihz0=";
> };
> 
> So why did this not work?

Because it is only processed in the "auto" cases and only the appropriate
trusted keys are extracted.

	bindkeys-file "/etc/named.iscdlv.key";

is not the same as

	include "/etc/named.iscdlv.key";

> > If you have islands of trust you will need to have managed/trusted
> > keys for them.  It is also a good idea to have managed/trusted keys
> > for your internal zones so you are not dependent on external zones
> > for internal lookups when your internet connection goes down.
> 
> I know I need to tackle my internal view.  After I put up the new 
> server, I built a test server for only a few internal systems to use.  I 
> will work on my internal view there, and then bring that over to my main 
> server.
> 
> One step at a time.  Or maybe two or three?
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
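As an added example (not from the thread and not BIND's own code), a small Python script that reads a bindkeys-file like the one quoted above, applies the rule Mark gives (named only consults that file in the "auto" cases and takes just the root or DLV anchor from it), and computes each anchor's RFC 4034 key tag so an admin can compare it with the key id that `dig . DNSKEY +multi` reports. The root entry is copied from the message; the `internal.example.` entry is a constructed placeholder, and the parser only understands `#` comments.

```python
import base64
import re

# Constructed bindkeys-file: the root entry is copied from the thread above;
# the "internal.example." entry is a placeholder with dummy key bytes.
BINDKEYS_FILE = '''
managed-keys {
    # ROOT KEY: activated by "dnssec-validation auto;"
    . initial-key 257 3 8
        "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
         FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
         bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
         X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
         W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
         Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
         QxA+Uk1ihz0=";
    internal.example. initial-key 257 3 8 "AwEAAQ==";  # placeholder island of trust
};
'''

ENTRY_RE = re.compile(r'(\S+)\s+initial-key\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;')

def parse_managed_keys(text):
    """Parse the initial-key entries of a managed-keys clause ('#' comments only)."""
    text = re.sub(r"#[^\n]*", "", text)  # strip comments before matching quoted keys
    entries = []
    for name, flags, proto, alg, b64 in ENTRY_RE.findall(text):
        key = base64.b64decode("".join(b64.split()))  # quoted key may be line-wrapped
        entries.append({"name": name, "flags": int(flags), "protocol": int(proto),
                        "algorithm": int(alg), "key": key})
    return entries

def key_tag(entry):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (the 'key id' dig prints)."""
    rdata = entry["flags"].to_bytes(2, "big") + bytes([entry["protocol"], entry["algorithm"]]) + entry["key"]
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def active_anchors(entries, validation, lookaside="no"):
    """Model of the reply above: bindkeys-file is consulted only in the 'auto' cases,
    yielding just the root key (dnssec-validation auto) or the DLV key
    (dnssec-lookaside auto); any other entry in that file is never loaded."""
    wanted = {"."} if validation == "auto" else set()
    if lookaside == "auto":
        wanted.add("dlv.isc.org.")
    return [e for e in entries if e["name"] in wanted]
```

With `dnssec-validation yes;` the function returns nothing from this file, which is why the anchor has to come from an explicit `include` or an inline managed-keys clause instead.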