broken trust chain

Josef Moellers jmoellers at suse.de
Mon Sep 28 09:31:06 UTC 2020


On 25.09.20 21:55, Tony Finch wrote:
> Josef Moellers <jmoellers at suse.de> wrote:
>>
>> I just found out that in the good case, the key in /etc/bind.keys is
>> accepted, in the bad case it is not:
>> good:managed-keys-zone: Key 20326 for zone . acceptance timer complete:
>> key now trusted
>> bad:managed-keys-zone: No DNSKEY RRSIGs found for '.': success
>>
>> So the question is: what causes this?
> 
> Sounds like you have a stale bind.keys file. You don't need this file:
> `named` has a built-in copy which is up-to-date if you keep up with
> patching. You should be able to fix it by deleting bind.keys and the
> working files managed-keys.bind managed-keys.bind.jnl *.mkeys *.mkeys.jnl

PS The /etc/bind.keys file is the one shipped with bind-9.11.22.tar.gz:
managed-keys {
        # This key (20326) was published in the root zone in 2017.
        . initial-key 257 3 8
"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
                R1AkUTV74bU=";
};

Josef
-- 
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany

(HRB 36809, AG Nürnberg)
Managing Director: Felix Imendörffer
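
Added example (not part of the original message and not BIND's own code): a Python sketch that recomputes the key tag (RFC 4034, Appendix B) of each key entry in a bind.keys-style file, so it can be compared with the tag named reports in its log, 20326 in this thread. The sample key is a constructed 4-byte value, not the root key, and `anchors` and `has_tag` are names chosen for this example.

```python
import base64
import re

# Matches entries such as:  . initial-key 257 3 8 "base64 ...";
ENTRY = re.compile(
    r'(\S+)\s+(?:initial-key|static-key)\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;'
)

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag of a DNSKEY per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    acc = 0
    for i, octet in enumerate(rdata):
        acc += octet << 8 if i % 2 == 0 else octet
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def anchors(text):
    """Return (zone, flags, algorithm, tag) for every key entry in the text."""
    # Only '#' comments are stripped: base64 can contain '/', so '//' is unsafe.
    text = re.sub(r"#[^\n]*", "", text)
    found = []
    for zone, flags, proto, alg, b64 in ENTRY.findall(text):
        key = base64.b64decode("".join(b64.split()))  # key may span lines
        tag = key_tag(int(flags), int(proto), int(alg), key)
        found.append((zone, int(flags), int(alg), tag))
    return found

def has_tag(text, zone, tag):
    """True if the file holds a key for `zone` whose computed tag is `tag`."""
    return any(z == zone and t == tag for z, _, _, t in anchors(text))

# Constructed sample: same layout as the quoted file, with a dummy 4-byte key.
SAMPLE = '''
managed-keys {
        # Constructed key for illustration only.
        . initial-key 257 3 8
"AQID
                BA==";
};
'''

if __name__ == "__main__":
    for zone, flags, alg, tag in anchors(SAMPLE):
        print(f"zone={zone} flags={flags} alg={alg} tag={tag}")
    print("contains tag 20326:", has_tag(SAMPLE, ".", 20326))
```

Run against the real file's contents, a mismatch between the computed tag and the tag in the file's comment or in named's log would point to an altered or outdated key entry.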

