Adding trusted-keys to named.conf

Robert Moskowitz rgm at htt-consult.com
Thu Feb 28 21:19:47 UTC 2013


On 02/28/2013 02:42 PM, Robert Moskowitz wrote:
> I MAY be doing something wrong, or my problem is elsewhere...
>
> In zone htt. I have the DNSKEY RR:
>
> htt. IN DNSKEY 257 3 7 
> AwEAAfEIWjDoEesqC4NLAwNFgviq+IGbUFmnFn0/2L8UvLWMjYiGFETi 
> NyA4CVaaG4GMekSJM8dI0FepyIKurxAhYzyV+phS5C6MoVmnYdF27dkP 
> qS0pFDZ/Hpp25qTrKIUjcqvxgECP1ArXa7yyE7/xWzQjH9nk5gEnad6w 
> Gy41lRnv3/UPtkxw669V2Ikb1NLAB5XnAzpTc4Tm7QPRPtbN8+FKWyYW 
> Ie9/nYKf67vSrlwbxRFbb27GeEmnrqMtsLkSFP1zDoUbmgJs3yiVjFCD 
> 8hRYlbOA9lgAMbOGm4tNsLOFx0vyBZEVtdh4l/YDAaklygtR+f60271X 
> DHWaC4U/VYrHRidg2krM+UpPhjqn3aPJFIyyKEEE66cMSlf7ROL71w==
>
> So in my caching server's named.conf I added at the end:
>
> include "/etc/named.trusted.key";
>
> and this contains:
>
> trusted-keys {
>
> # DNSKEY for htt zone.
>
> htt. 257 3 7 "AwEAAfEIWjDoEesqC4NLAwNFgviq+IGbUFmnFn0/2L8UvLWMjYiGFETi 
> NyA4CVaaG4GMekSJM8dI0FepyIKurxAhYzyV+phS5C6MoVmnYdF27dkP 
> qS0pFDZ/Hpp25qTrKIUjcqvxgECP1ArXa7yyE7/xWzQjH9nk5gEnad6w 
> Gy41lRnv3/UPtkxw669V2Ikb1NLAB5XnAzpTc4Tm7QPRPtbN8+FKWyYW 
> Ie9/nYKf67vSrlwbxRFbb27GeEmnrqMtsLkSFP1zDoUbmgJs3yiVjFCD 
> 8hRYlbOA9lgAMbOGm4tNsLOFx0vyBZEVtdh4l/YDAaklygtR+f60271X 
> DHWaC4U/VYrHRidg2krM+UpPhjqn3aPJFIyyKEEE66cMSlf7ROL71w==";
>
> };
>
> And I am still getting:
>
> Feb 28 14:35:17 klovia named[24806]: validating @0xb4855220: htt SOA: 
> got insecure response; parent indicates it should be secure
>
> The log from starting named does have:
>
> Feb 28 14:35:00 klovia named[24806]: managed-keys-zone ./IN: loaded 
> serial 103
>
> but nothing about trusted-keys loaded. In the 
> http://www.isc.org/software/bind/documentation/arm95 it shows the 
> trusted-keys clause before the global options. Does order matter? It 
> seems to for ACLs. Is there something else I am missing?

I moved the named.trusted.key include to the beginning of named.conf and 
no change in behaviour. So order does not seem to be the issue. How can 
I determine if my trusted keys are being loaded?

I tried

dig @localhost dnskey htt. +noall +answer


And no content.
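The thread above is comparing a DNSKEY RR from the zone with a hand-copied trusted-keys clause. The following is an added example (not part of the original post, and not BIND's own code) that parses a DNSKEY in the presentation format dig prints, computes its RFC 4034 key tag (the "key id" that dig +multiline shows), derives the matching DS record, and emits a trusted-keys stanza from the same bytes, so a copy-and-paste error between the two forms becomes visible. The sample record with the 4-byte key material is a constructed input; the PAGE_DNSKEY constant is the key text from the post itself.

```python
import base64
import hashlib

# Constructed input: a DNSKEY in master-file form, wrapped across lines the way
# dig prints it. The 4-byte key blob is not a real RSA key; the key-tag and DS
# rules only care about the encoded bytes.
SAMPLE_DNSKEY = """htt. IN DNSKEY 257 3 7 AQID
BA==
"""

# The key from the post, verbatim, so the tag and DS can be checked against
# "dig @localhost dnskey htt. +dnssec +multiline" on the authoritative server.
PAGE_DNSKEY = """htt. IN DNSKEY 257 3 7
AwEAAfEIWjDoEesqC4NLAwNFgviq+IGbUFmnFn0/2L8UvLWMjYiGFETi
NyA4CVaaG4GMekSJM8dI0FepyIKurxAhYzyV+phS5C6MoVmnYdF27dkP
qS0pFDZ/Hpp25qTrKIUjcqvxgECP1ArXa7yyE7/xWzQjH9nk5gEnad6w
Gy41lRnv3/UPtkxw669V2Ikb1NLAB5XnAzpTc4Tm7QPRPtbN8+FKWyYW
Ie9/nYKf67vSrlwbxRFbb27GeEmnrqMtsLkSFP1zDoUbmgJs3yiVjFCD
8hRYlbOA9lgAMbOGm4tNsLOFx0vyBZEVtdh4l/YDAaklygtR+f60271X
DHWaC4U/VYrHRidg2krM+UpPhjqn3aPJFIyyKEEE66cMSlf7ROL71w==
"""


def parse_dnskey(text):
    """Parse 'owner [TTL] [IN] DNSKEY flags proto alg base64...' into a dict."""
    tokens = text.split()
    if "DNSKEY" not in tokens:
        raise ValueError("not a DNSKEY record")
    i = tokens.index("DNSKEY")
    owner = tokens[0].rstrip(".") + "."          # normalise to an FQDN
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tokens[i + 4:]))   # join wrapped lines
    return {"owner": owner, "flags": flags, "protocol": proto,
            "algorithm": alg, "pubkey": pubkey}


def rdata(key):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return (key["flags"].to_bytes(2, "big")
            + bytes([key["protocol"], key["algorithm"]])
            + key["pubkey"])


def key_tag(key):
    """Key tag per RFC 4034 Appendix B (the 'key id' dig +multiline prints)."""
    ac = 0
    for i, b in enumerate(rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(key, digest_type=2):
    """DS RR per RFC 4034 section 5.1.4: digest over canonical owner + RDATA."""
    labels = [l for l in key["owner"].rstrip(".").split(".") if l]
    wire_name = b"".join(bytes([len(l)]) + l.lower().encode() for l in labels) + b"\x00"
    digest = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type](wire_name + rdata(key))
    return "%s IN DS %d %d %d %s" % (key["owner"], key_tag(key),
                                    key["algorithm"], digest_type,
                                    digest.hexdigest().upper())


def trusted_keys_stanza(key):
    """Render the named.conf trusted-keys clause from the parsed record."""
    b64 = base64.b64encode(key["pubkey"]).decode()
    return ("trusted-keys {\n"
            "    # DNSKEY for %s zone, key tag %d.\n"
            "    %s %d %d %d \"%s\";\n"
            "};\n" % (key["owner"].rstrip("."), key_tag(key), key["owner"],
                      key["flags"], key["protocol"], key["algorithm"], b64))


if __name__ == "__main__":
    for text in (SAMPLE_DNSKEY, PAGE_DNSKEY):
        k = parse_dnskey(text)
        print("key tag:", key_tag(k))
        print(ds_record(k))
        print(trusted_keys_stanza(k))
```

Run as a script it prints the tag, DS and stanza for both inputs; compare the printed tag with the "; key id = ..." comment that `dig dnskey htt. +dnssec +multiline` adds on the authoritative server. On the BIND side, `named-checkconf -p` prints the configuration as named actually parsed it (including anything pulled in by `include`), and `rndc secroots` writes the trust anchors the running server currently holds to its secroots dump file, which is the direct answer to "are my trusted keys being loaded".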