On 02/25/2013 09:36 PM, Mark Andrews wrote:
In message <512c18eb.2050...@htt-consult.com>, Robert Moskowitz writes:
On 02/25/2013 08:38 PM, Mark Andrews wrote:
In message <512c1009.4060...@htt-consult.com>, Robert Moskowitz writes:
dnssec-enable yes;
dnssec-validation yes;
digging back in the archive here, I find out this should be
dnssec-validation auto;
Actually it can be either. It's all a matter of how you want to
setup your trust anchors. For private root zones it is absolutely
the wrong thing to do.
I got this from some old messages from you on the subject of "no valid
signature".
Perhaps tieing into my using the builtin root hints rather than
explicitly including a root.hint stub?
Like the other person, once I changed from 'yes' to 'auto' I stopped
logging these messages so I ASSuME that now all those zones are being
validated.
No private root zones here. At least that I know of!
dnssec-validation auto; adds a implicit managed-keys clause for the
root. If you just do dnssec-validation yes; you need to add a
explict trusted-keys / managed-keys clause.
managed-keys {
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOy
QbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVP
QuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apA
zvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ
57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};
Yes, I wondered about this as I have the include:
bindkeys-file "/etc/named.iscdlv.key";
which contains:
managed-keys {
# ISC DLV: See https://www.isc.org/solutions/dlv for details.
# NOTE: This key is activated by setting "dnssec-lookaside auto;"
# in named.conf.
dlv.isc.org. initial-key 257 3 5
"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
TDN0YUuWrBNh";
# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
# NOTE: This key is activated by setting "dnssec-validation auto;"
# in named.conf.
. initial-key 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
};
So why did this not work?
Because it is only processed in the "auto" cases and only the approritate
trusted keys are extracted.
bindkeys-file "/etc/named.iscdlv.key";
is not the same as
include "/etc/named.iscdlv.key";
Oops. That's what I get for copying the DNSSEC 'stuff' from the default
named.conf supplied by RHEL/Centos which looks like it is for a caching
server.
So should I change this to an include and put dnssec-validation back to yes?
If you have islands of trust you will need to have managed/trusted
keys for them. It is also a good idea to have managed/trusted keys
for your internal zones so you are not dependent on external zones
for internal lookups when your internet connection goes down.
I know I need to tackle my internal view. After I put up the new
server, I built a test server for only a few internal systems to use. I
will work on my internal view there, and then bring that over to my main
server.
One step at a time. Or maybe two or three?
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
