In message <512c18eb.2050...@htt-consult.com>, Robert Moskowitz writes:
>
> On 02/25/2013 08:38 PM, Mark Andrews wrote:
> > In message <512c1009.4060...@htt-consult.com>, Robert Moskowitz writes:
> >>>>>> dnssec-enable yes;
> >>>>>> dnssec-validation yes;
> >>>> digging back in the archive here, I find out this should be
> >>>>
> >>>> dnssec-validation auto;
> >>> Actually it can be either. It's all a matter of how you want to
> >>> set up your trust anchors. For private root zones it is absolutely
> >>> the wrong thing to do.
> >> I got this from some old messages from you on the subject of "no valid
> >> signature".
> >>
> >> Perhaps tying into my using the builtin root hints rather than
> >> explicitly including a root.hint stub?
> >>
> >> Like the other person, once I changed from 'yes' to 'auto' I stopped
> >> logging these messages so I ASSuME that now all those zones are being
> >> validated.
> >>
> >> No private root zones here. At least that I know of!
> > dnssec-validation auto; adds an implicit managed-keys clause for the
> > root. If you just do dnssec-validation yes; you need to add an
> > explicit trusted-keys / managed-keys clause.
> >
> > managed-keys {
> > . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOy
> > QbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVP
> > QuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apA
> > zvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ
> > 57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
> > };
>
> Yes, I wondered about this as I have the include:
>
> bindkeys-file "/etc/named.iscdlv.key";
>
> which contains:
>
> managed-keys {
>         # ISC DLV: See https://www.isc.org/solutions/dlv for details.
>         # NOTE: This key is activated by setting "dnssec-lookaside auto;"
>         # in named.conf.
>         dlv.isc.org. initial-key 257 3 5
>                 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
>                 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
>                 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
>                 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
>                 Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
>                 QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
>                 TDN0YUuWrBNh";
>
>         # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
>         # for current trust anchor information.
>         # NOTE: This key is activated by setting "dnssec-validation auto;"
>         # in named.conf.
>         . initial-key 257 3 8
>                 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
>                 FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
>                 bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
>                 X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
>                 W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
>                 Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
>                 QxA+Uk1ihz0=";
> };
>
> So why did this not work?

Because it is only processed in the "auto" cases and only the appropriate
trusted keys are extracted.

        bindkeys-file "/etc/named.iscdlv.key";

is not the same as

        include "/etc/named.iscdlv.key";

> > If you have islands of trust you will need to have managed/trusted
> > keys for them. It is also a good idea to have managed/trusted keys
> > for your internal zones so you are not dependent on external zones
> > for internal lookups when your internet connection goes down.
>
> I know I need to tackle my internal view. After I put up the new
> server, I built a test server for only a few internal systems to use. I
> will work on my internal view there, and then bring that over to my main
> server.
>
> One step at a time. Or maybe two or three?

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
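The thread turns on two things: which key entries named actually takes from a bindkeys-file (only the "." entry, and only under dnssec-validation auto), and whether the key you would paste into an explicit managed-keys clause under dnssec-validation yes is really the root KSK. The script below is an added example, not code from this thread or from ISC. It parses the initial-key entries of a managed-keys block in the layout of /etc/named.iscdlv.key (the quoted base64 wrapped across lines, as in the file Robert quoted), computes each key's RFC 4034 key tag and its SHA-256 DS digest, and compares the root entry with the DS that IANA publishes in root-anchors.xml for that key (key tag 19036). The sample file is constructed from the two keys quoted in the thread; the parser handles only that subset of named.conf syntax ('#' comments, initial-key/static-key entries, one quoted string per key) and is not a general named.conf parser.

```python
"""Check BIND managed-keys/trusted-keys entries against a published DS record.

Added example (not ISC code): parse initial-key entries, compute key tag and
DS digest, and confirm the "." anchor is the root KSK before trusting it.
"""
import base64
import hashlib
import re
import struct

# Constructed sample in the layout of the bindkeys-file quoted in the thread:
# the ISC DLV key and the 2010 root KSK, each one quoted string wrapped across
# lines (named ignores the whitespace inside the base64).
SAMPLE_KEYS_FILE = """\
managed-keys {
        # ISC DLV: See https://www.isc.org/solutions/dlv for details.
        dlv.isc.org. initial-key 257 3 5
                "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
                brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
                1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
                ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
                Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
                QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
                TDN0YUuWrBNh";

        # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
        . initial-key 257 3 8
                "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
                QxA+Uk1ihz0=";
};
"""

# DS record IANA publishes for the 2010 root KSK: tag 19036, alg 8, digest 2.
ROOT_KSK_2010_TAG = 19036
ROOT_KSK_2010_DS_SHA256 = (
    "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")

# owner name, optional initial-key/static-key keyword, flags, protocol,
# algorithm, then one quoted base64 string that may span several lines.
KEY_RE = re.compile(
    r'(?P<name>[^\s{};"#]+)\s+(?:initial-key\s+|static-key\s+)?'
    r'(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+"(?P<key>[^"]+)"\s*;')


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire form (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Canonical (lowercase) wire-format owner name; "." is one zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name + DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()


def parse_anchors(text):
    """One dict per key entry of a managed-keys/trusted-keys block."""
    text = re.sub(r"#[^\n]*", "", text)   # strip '#' comments only
    anchors = []
    for m in KEY_RE.finditer(text):
        pub = base64.b64decode(re.sub(r"\s+", "", m.group("key")))
        flags, alg = int(m.group("flags")), int(m.group("alg"))
        rdata = dnskey_rdata(flags, int(m.group("proto")), alg, pub)
        anchors.append({
            "name": m.group("name"), "flags": flags, "alg": alg,
            "sep": bool(flags & 0x0001),   # SEP bit set: a KSK
            "tag": key_tag(rdata),
            "ds_sha256": ds_digest_sha256(m.group("name"), rdata),
        })
    return anchors


def anchor_matches_ds(anchors, zone, tag, ds_sha256):
    """True if `zone` has a SEP key whose tag and DS digest match the published ones."""
    return any(a["name"] == zone and a["sep"] and a["tag"] == tag
               and a["ds_sha256"] == ds_sha256.upper() for a in anchors)


if __name__ == "__main__":
    anchors = parse_anchors(SAMPLE_KEYS_FILE)
    for a in anchors:
        print(f'{a["name"]:14} flags={a["flags"]} alg={a["alg"]} '
              f'tag={a["tag"]:5} DS={a["ds_sha256"]}')
    # dnssec-validation auto takes only the "." entry from bindkeys-file;
    # this is the check to run before copying that entry into an explicit
    # managed-keys clause under dnssec-validation yes.
    print("root anchor matches IANA DS:",
          anchor_matches_ds(anchors, ".", ROOT_KSK_2010_TAG,
                            ROOT_KSK_2010_DS_SHA256))
```

To check a real file, read it and pass its contents to parse_anchors, then compare the "." entry with the DS currently listed in root-anchors.xml rather than with the constant above: the root KSK has rolled since this thread (the 2017 key has tag 20326), so a file that still carries only the 19036 key should fail that comparison.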