Trouble with option managed-keys
thl at it-hluchnik.de
thl at it-hluchnik.de
Tue May 17 20:35:38 UTC 2016
Hi all,
I have a problem with DNSSEC and I dont find a solution. Maybe someone can help me.
My intention is to run a bind which acts as DNSSEC enabled resolver for my internal LAN. This runs on a VirtualBox instance with OpenBSD 5.9. I got a precompiled package from OpenBSD, version is 9.10.3-P3.
Configuring my named, I mostly followed a howto from Calomel.org:
https://calomel.org/dns_bind.html
This is my named.conf:
root at bsd59n:/var/named/etc# egrep -v '^ *#|^ *$|^\/\/' named.conf
acl clients {
127.0.0.0/8;
192.168.21.0/24;
::1;
};
options {
version ""; // remove this to allow version queries
listen-on { 127.0.0.1; 192.168.21.101; };
listen-on-v6 { none; };
empty-zones-enable yes;
allow-query { clients; };
allow-recursion { clients; };
allow-transfer { none; };
include "/etc/root_trusted_key";
dnssec-enable yes;
dnssec-validation yes;
};
logging {
category lame-servers { null; };
};
zone "." {
type hint;
file "etc/root.hint";
};
zone "localhost" {
type master;
file "standard/localhost";
allow-transfer { localhost; };
};
zone "127.in-addr.arpa" {
type master;
file "standard/loopback";
allow-transfer { localhost; };
};
As my named is running in a chroot jail, /etc/root_trusted_key is /var/named/etc/root_trusted_key in reality.
root at bsd59n:/var/named/etc# root_trusted_key
managed-keys {
"." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0= ";
};
root_trusted_key was generated as Calomel howto describes.
Now, when I try to start named with that config, I get a courious error message:
root at bsd59n:/var/named/etc# /usr/local/sbin/named -t /var/named -u _bind -U 4 -g
17-May-2016 21:53:14.644 starting BIND 9.10.3-P3 <id:bdaecad> -t /var/named -u _bind -U 4 -g
17-May-2016 21:53:14.644 built with '--enable-shared' '--enable-filter-aaaa' '--enable-threads' '--with-libt
ool' '--without-readline' '--with-python=/usr/local/bin/python2.7' '--prefix=/usr/local' '--sysconfdir=/etc'
'--mandir=/usr/local/man' '--infodir=/usr/local/info' '--localstatedir=/var' '--disable-silent-rules' '--di
sable-gtk-doc' 'CC=cc' 'CFLAGS=-O2 -pipe'
17-May-2016 21:53:14.644 ----------------------------------------------------
17-May-2016 21:53:14.644 BIND 9 is maintained by Internet Systems Consortium,
17-May-2016 21:53:14.644 Inc. (ISC), a non-profit 501(c)(3) public-benefit
17-May-2016 21:53:14.644 corporation. Support and training for BIND 9 are
17-May-2016 21:53:14.644 available at https://www.isc.org/support
17-May-2016 21:53:14.644 ----------------------------------------------------
17-May-2016 21:53:14.645 found 2 CPUs, using 2 worker threads
17-May-2016 21:53:14.645 using 2 UDP listeners per interface
17-May-2016 21:53:14.648 using up to 4096 sockets
17-May-2016 21:53:14.681 loading configuration from '/etc/named.conf'
17-May-2016 21:53:14.683 /etc/root_trusted_key:1: unknown option 'managed-keys'
17-May-2016 21:53:14.686 loading configuration: failure
17-May-2016 21:53:14.686 exiting (due to fatal error)
But named documentation and "man named.conf" both say that managed-keys were a valid option.
So what's wrong here? Thanks in advance for any help.
Thomas Hluchnik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20160517/04046427/attachment.bin>
More information about the bind-users
mailing list