I am building named and unbound recursive servers to follow a test of RFC 5011 trust anchor updates; the experiment is documented at http://keyroll.systems. One reason why I'm asking here is http://jpmens.net/2015/01/21/opendnssec-rfc-5011-bind-and-unbound/, which mentions some issues with RFC 5011 rolls in BIND.
But I bet my problem is that I haven't included yet another configuration statement. I have unbound working, but can't get bind to give me an 'ad' bit, so I'm certain that the authoritative server side is set up right. What is puzzling is that I don't see any (relevant) errors when starting up my named instance.

I'm running named in user space, off port 1053, so the "permission denied" parts are acceptable.

$ named -g -c rfc5011.conf
17-Apr-2015 10:17:02.083 starting BIND 9.10.0 -g -c rfc5011.conf
17-Apr-2015 10:17:02.083 built with '--with-openssl=/usr/local/ssl' 'STD_CDEFINES=-DDIG_SIGCHASE=1'
17-Apr-2015 10:17:02.083 ----------------------------------------------------
17-Apr-2015 10:17:02.083 BIND 9 is maintained by Internet Systems Consortium,
17-Apr-2015 10:17:02.083 Inc. (ISC), a non-profit 501(c)(3) public-benefit
17-Apr-2015 10:17:02.083 corporation. Support and training for BIND 9 are
17-Apr-2015 10:17:02.083 available at https://www.isc.org/support
17-Apr-2015 10:17:02.083 ----------------------------------------------------
17-Apr-2015 10:17:02.083 found 4 CPUs, using 4 worker threads
17-Apr-2015 10:17:02.083 using 2 UDP listeners per interface
17-Apr-2015 10:17:02.083 using up to 4096 sockets
17-Apr-2015 10:17:02.091 loading configuration from '/Users/edwardlewis/Documents/DNS/secure_BIND_resolver/rfc5011.conf'
17-Apr-2015 10:17:02.092 reading built-in trusted keys from file '/Users/edwardlewis/Documents/DNS/secure_BIND_resolver/test.key'
17-Apr-2015 10:17:02.092 using default UDP/IPv4 port range: [49152, 65535]
17-Apr-2015 10:17:02.092 using default UDP/IPv6 port range: [49152, 65535]
17-Apr-2015 10:17:02.093 listening on IPv6 interfaces, port 53
17-Apr-2015 10:17:02.093 could not listen on UDP socket: permission denied
17-Apr-2015 10:17:02.093 listening on all IPv6 interfaces failed
17-Apr-2015 10:17:02.093 listening on IPv4 interface lo0, 127.0.0.1#1053
17-Apr-2015 10:17:02.094 generating session key for dynamic DNS
17-Apr-2015 10:17:02.094 couldn't mkdir '/var/run/named': Permission denied
17-Apr-2015 10:17:02.094 could not create /var/run/named/session.key
17-Apr-2015 10:17:02.094 failed to generate session key for dynamic DNS: permission denied
17-Apr-2015 10:17:02.094 sizing zone task pool based on 1 zones
17-Apr-2015 10:17:02.096 using built-in root key for view recursive
17-Apr-2015 10:17:02.097 set up managed keys zone for view recursive, file '21ce078705d04ca6324c1d0313fc08ea99f3cef6389a6744d40bd2d9d0cd7816.mkeys'
17-Apr-2015 10:17:02.097 automatic empty zone: ...yadda...yadda...yadda...
17-Apr-2015 10:17:02.101 command channel listening on 127.0.0.1#1953
17-Apr-2015 10:17:02.101 not using config file logging statement for logging due to -g option
17-Apr-2015 10:17:02.101 listening on IPv6 interfaces, port 53
17-Apr-2015 10:17:02.101 could not listen on UDP socket: permission denied
17-Apr-2015 10:17:02.101 listening on all IPv6 interfaces failed
17-Apr-2015 10:17:02.101 managed-keys-zone/recursive: loaded serial 5
17-Apr-2015 10:17:02.112 all zones loaded
17-Apr-2015 10:17:02.112 running

$ cat /Users/edwardlewis/Documents/DNS/secure_BIND_resolver/rfc5011.conf
options {
    dnssec-enable yes;
    dnssec-validation auto;
    bindkeys-file "/Users/edwardlewis/Documents/DNS/secure_BIND_resolver/test.key";
    pid-file none;
    dump-file "5011logs/cache_dump.db";
    statistics-file "5011logs/named_stats.txt";
    memstatistics-file "5011logs/named.memstats";
    zone-statistics yes;
    hostname "foobar";
    recursion yes;
    notify no;
    auth-nxdomain no;
    listen-on port 1053 { 127.0.0.1; };
};

managed-keys {
    . initial-key 257 3 8 "AwEAAchoK9nG+mBjR/NZKqez+XYcqoWPL5e0VTreHS3Wi1KmU0Qgsr1N3O9u+McnsUwF/dsSW8
F/h3yXSMAEhS731eFvqxNDkhL8rQUfGBtALB3onTthYM38fk16vki5UsCecbt3uI46lb5cz5Dts
9drW/55OckwnSw4GTwiq2zebO5fo/UZlftpZTsupqgojL1Y3QlqL0LpP+vPIAgBe+OfhVpFPLxT
P6aeKoNviWC0O2CJiVqVZxp9cumjwOnKUvSfHcsl8tcH3cQjmIhQDDw+Z109J9ly+QcL6RUdHo9
m/TyKL04dQulKBAmgWanAQ0CF7zwhIiUxkxTsUtMTRMuXWcM=";
};

view "recursive" IN {
    match-clients { any; };
    allow-query { any; };
    recursion yes;
    allow-recursion { any; };
    // prime the server with the RFC5011 Key roll server.
    zone "." {
        type hint;
        file "keyroller-db.root";
    };
}; // End of recursive view.

$ cat /Users/edwardlewis/Documents/DNS/secure_BIND_resolver/test.key
managed-keys {
    . initial-key 257 3 8 "AwEAAchoK9nG+mBjR/NZKqez+XYcqoWPL5e0VTreHS3Wi1KmU0Qgsr1N3O9u+McnsUwF/dsSW8
F/h3yXSMAEhS731eFvqxNDkhL8rQUfGBtALB3onTthYM38fk16vki5UsCecbt3uI46lb5cz5Dts
9drW/55OckwnSw4GTwiq2zebO5fo/UZlftpZTsupqgojL1Y3QlqL0LpP+vPIAgBe+OfhVpFPLxT
P6aeKoNviWC0O2CJiVqVZxp9cumjwOnKUvSfHcsl8tcH3cQjmIhQDDw+Z109J9ly+QcL6RUdHo9
m/TyKL04dQulKBAmgWanAQ0CF7zwhIiUxkxTsUtMTRMuXWcM=";
};

bind-users mailing list, bind-users@lists.isc.org, https://lists.isc.org/mailman/listinfo/bind-users
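A check added here, not part of the post: a small Python parser for the managed-keys statement above that decodes the configured anchor and reports its RFC 4034 key tag, SEP flag and RSA parameters, so the anchor named can be compared against the key id the authoritative side publishes (as shown by `dig . DNSKEY +multi`). The managed-keys text is copied from the post; the function names are mine.

```python
import base64
import re

# Constructed copy of the managed-keys statement from the post; the anchor is the
# poster's keyroll.systems test key, not the real root KSK.
MANAGED_KEYS = '''
managed-keys {
    . initial-key 257 3 8 "AwEAAchoK9nG+mBjR/NZKqez+XYcqoWPL5e0VTreHS3Wi1KmU0Qgsr1N3O9u+McnsUwF/dsSW8
F/h3yXSMAEhS731eFvqxNDkhL8rQUfGBtALB3onTthYM38fk16vki5UsCecbt3uI46lb5cz5Dts
9drW/55OckwnSw4GTwiq2zebO5fo/UZlftpZTsupqgojL1Y3QlqL0LpP+vPIAgBe+OfhVpFPLxT
P6aeKoNviWC0O2CJiVqVZxp9cumjwOnKUvSfHcsl8tcH3cQjmIhQDDw+Z109J9ly+QcL6RUdHo9
m/TyKL04dQulKBAmgWanAQ0CF7zwhIiUxkxTsUtMTRMuXWcM=";
};
'''

ANCHOR_RE = re.compile(r'(?P<name>\S+)\s+initial-key\s+(?P<flags>\d+)\s+(?P<proto>\d+)'
                       r'\s+(?P<alg>\d+)\s+"(?P<key>[^"]+)"\s*;')

def key_tag(flags, proto, alg, key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, proto, alg, key)."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def rsa_public_key(key):
    """RFC 3110 wire format: exponent length (1 byte, or 0 plus 2 bytes), exponent, modulus."""
    elen, off = key[0], 1
    if elen == 0:
        elen, off = int.from_bytes(key[1:3], "big"), 3
    exponent = int.from_bytes(key[off:off + elen], "big")
    return exponent, len(key[off + elen:]) * 8   # modulus size in bits

def parse_managed_keys(text):
    """Return one dict per initial-key anchor: owner, flags, key tag, RSA parameters."""
    anchors = []
    for m in ANCHOR_RE.finditer(text):
        key = base64.b64decode("".join(m["key"].split()))   # drop the line breaks
        flags, proto, alg = int(m["flags"]), int(m["proto"]), int(m["alg"])
        entry = {"name": m["name"], "flags": flags, "protocol": proto, "algorithm": alg,
                 "sep": bool(flags & 1), "key_tag": key_tag(flags, proto, alg, key)}
        if alg in (5, 7, 8, 10):   # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512
            entry["rsa_exponent"], entry["rsa_bits"] = rsa_public_key(key)
        anchors.append(entry)
    return anchors

if __name__ == "__main__":
    print(parse_managed_keys(MANAGED_KEYS))
```

The key tag printed is the value to match against the "key id" annotation dig shows for the authoritative server's KSK; a mismatch means the resolver is anchored on a different key than the one actually signing.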