broken trust chain

Petr Mensik pemensik at redhat.com
Mon Oct 15 12:33:07 UTC 2018


Hi Cody,

please check the contents of the managed-keys.bind or viewname.mkeys files in
the BIND working directory. They can be redirected somewhere else with the
managed-keys-directory option.

These files contain the state of BIND's managed keys. Their contents can be
analysed manually or with the perl script contrib/scripts/check5011.pl.

The path to the file depends on the distribution. The default path on Fedora
without views would be:
  perl contrib/scripts/check5011.pl /var/named/dynamic/managed-keys.bind
              . tag 19036 RSASHA256 trusted
              . tag 20326 RSASHA256 trusted

Maybe a simpler validation would be rndc secroots, then look at
named.secroots in the working directory of BIND. It should contain:
   Secure roots:

./RSASHA256/20326 ; managed
./RSASHA256/19036 ; managed

BIND will initialize managed keys the first time it is able to reach the root
servers to validate them. Once it does, it will use the RFC 5011 mechanism to
update the key. It has to use a DNSSEC-enabled forwarder or have direct
root access to maintain the keys. If neither of these is available,
DNSSEC keys are no longer automatically managed, but no warning is
emitted. If managed-keys.bind and its jnl files are deleted and BIND is
restarted, it will recreate them from the managed-keys found in the configuration.

The file bind.keys is used only when the zone is initialized in managed-keys.bind
for the first time. It requires 30 days after that to trust a new key.

On 10/14/2018 02:17 PM, Cody Allen wrote:
> Issue just started on 10/13/2018; both servers impacted at the same time, clocks are correct, version of bind is 9.11.1, impacting recursion on the internal view, authoritative zones work fine, servers have been running for a couple of years or longer with zero problems. Most recent version of bind.keys installed. Only solution has been to set dnssec-validation to no.

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973
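The two checks described in the mail above (the check5011.pl listing and the
named.secroots dump), as an added POSIX shell example. This is not code from
the mail, from BIND or from its contrib scripts; the sample dumps are
constructed, and the two line formats (". tag TAG ALG trusted" and
"./ALG/TAG ; managed") are assumed from the output quoted in the message. It
goes slightly beyond the mail by cross-checking that every tag check5011.pl
calls trusted also appears as a managed anchor in the secroots dump.

```shell
#!/bin/sh
# Added example, not part of the original mail: a small checker for the two
# dumps the mail mentions. Assumed formats, copied from the mail's output:
#   named.secroots (after `rndc secroots`):  "./RSASHA256/20326 ; managed"
#   check5011.pl output:                     ". tag 20326 RSASHA256 trusted"

# Constructed sample of a named.secroots dump (not captured from a real server).
SAMPLE_SECROOTS=$(mktemp)
cat > "$SAMPLE_SECROOTS" <<'EOF'
Start view internal
   Secure roots:

./RSASHA256/20326 ; managed
./RSASHA256/19036 ; managed
EOF

# Constructed sample of check5011.pl output for the same two anchors.
SAMPLE_CHECK5011=$(mktemp)
cat > "$SAMPLE_CHECK5011" <<'EOF'
              . tag 19036 RSASHA256 trusted
              . tag 20326 RSASHA256 trusted
EOF
trap 'rm -f "$SAMPLE_SECROOTS" "$SAMPLE_CHECK5011"' EXIT

# Key tags of managed trust anchors for the root zone in a named.secroots
# dump, one per line. Root-zone entries start with "./ALGORITHM/TAG".
secroots_managed_root_tags() {
    grep '^\./' "$1" | grep '; managed' | awk -F'[/ ]' '{ print $3 }'
}

# Key tags that check5011.pl reports as "trusted" for the root zone (".").
check5011_trusted_root_tags() {
    awk '$1 == "." && $2 == "tag" && $5 == "trusted" { print $3 }' "$1"
}

# Number of lines on stdin (prints 0 for empty input, unlike `grep -c`,
# which also exits non-zero when nothing matches).
count_lines() {
    awk 'END { print NR }'
}

# Return 0 if TAG is a managed root anchor in the secroots dump FILE.
has_managed_root_tag() {
    secroots_managed_root_tags "$1" | grep -qx "$2"
}

# Return 0 if TAG is a trusted root anchor in the check5011.pl output FILE.
has_trusted_root_tag() {
    check5011_trusted_root_tags "$1" | grep -qx "$2"
}

# Number of managed root anchors; zero means validation cannot succeed.
count_managed_root_tags() {
    secroots_managed_root_tags "$1" | count_lines
}

# Cross-check: every tag check5011.pl calls trusted should also be a managed
# anchor in named.secroots. Prints the missing tags; returns 1 if any differ.
compare_anchor_views() {
    missing=0
    for tag in $(check5011_trusted_root_tags "$2"); do
        if ! has_managed_root_tag "$1" "$tag"; then
            echo "tag $tag trusted in managed-keys but absent from secroots"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Stand-alone run against the constructed samples. On a real server, run
# `rndc secroots` first and point SECROOTS and CHECK5011_OUT at the
# named.secroots dump and at saved check5011.pl output.
SECROOTS="${SECROOTS:-$SAMPLE_SECROOTS}"
CHECK5011_OUT="${CHECK5011_OUT:-$SAMPLE_CHECK5011}"
echo "managed root anchors in secroots: $(count_managed_root_tags "$SECROOTS")"
if compare_anchor_views "$SECROOTS" "$CHECK5011_OUT"; then
    echo "secroots and managed-keys agree"
fi
```

A count of zero managed root anchors, or a tag present in managed-keys.bind
but missing from the secroots dump, is the condition the mail describes in
which validation silently stops working, so that is the result worth alerting
on rather than only printing.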

