Re: Trouble with option managed-keys

2016-05-18 Thread thl
Hello Mark,

yes, it works now. Thanks for your prompt help.

Thomas Hluchnik


On Tuesday 17 May 2016 22:49:29, Mark Elkins wrote:
> "managed-keys" is not a config option, try moving it outside the option
> stanza, eg
> 
> options {
> version ""; // remove this to allow version queries
> listen-on{ 127.0.0.1; 192.168.21.101; };
> listen-on-v6 { none; };
> empty-zones-enable yes;
> allow-query { clients; };
> allow-recursion { clients; };
> allow-transfer { none; };
> dnssec-enable yes;
> dnssec-validation yes;
> };
> 
> include "/etc/root_trusted_key";
> 
> logging {
> category lame-servers { null; };
> };
> ...
> 
> Personally, I just have the text from your included file directly in
> named.conf file itself.
> 
> Take a quick peek at http://dnssec.co.za
> 
> 
> 
> On 17/05/2016 22:35, t...@it-hluchnik.de wrote:
> > Hi all,
> > 
> > I have a problem with DNSSEC and I don't find a solution. Maybe someone can 
> > help me.
> > 
> > My intention is to run a bind which acts as a DNSSEC-enabled resolver for my 
> > internal LAN. This runs on a VirtualBox instance with OpenBSD 5.9. I got a 
> > precompiled package from OpenBSD, version is 9.10.3-P3.
> > 
> > Configuring my named, I mostly followed a howto from Calomel.org:
> > 
> > https://calomel.org/dns_bind.html
> > 
> > This is my named.conf:
> > 
> > root@bsd59n:/var/named/etc# egrep -v '^ *#|^ *$|^\/\/' named.conf
> > acl clients {
> > 127.0.0.0/8;
> > 192.168.21.0/24;
> > ::1;
> > };
> > options {
> > version ""; // remove this to allow version queries
> > listen-on{ 127.0.0.1; 192.168.21.101; };
> > listen-on-v6 { none; };
> > empty-zones-enable yes;
> > allow-query { clients; };
> > allow-recursion { clients; };
> > allow-transfer { none; };
> > include "/etc/root_trusted_key";
> > dnssec-enable yes;
> > dnssec-validation yes;
> > };
> > logging {
> > category lame-servers { null; };
> > };
> > zone "." {
> > type hint;
> > file "etc/root.hint";
> > };
> > zone "localhost" {
> > type master;
> > file "standard/localhost";
> > allow-transfer { localhost; };
> > };
> > zone "127.in-addr.arpa" {
> > type master;
> > file "standard/loopback";
> > allow-transfer { localhost; };
> > };
> > 
> > 
> > As my named is running in a chroot jail, /etc/root_trusted_key is 
> > /var/named/etc/root_trusted_key in reality.
> > 
> > root@bsd59n:/var/named/etc# root_trusted_key
> > managed-keys {
> >    "." initial-key 257 3 8 
> > "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF 
> > FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX 
> > bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD 
> > X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz 
> > W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS 
> > Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0= ";
> > };
> > 
> > root_trusted_key was generated as the Calomel howto describes.
> > 
> > Now, when I try to start named with that config, I get a curious error 
> > message:
> > 
> > 
> > root@bsd59n:/var/named/etc# /usr/local/sbin/named -t /var/named -u _bind -U 4 -g
> > 17-May-2016 21:53:14.644 starting BIND 9.10.3-P3  -t /var/named -u _bind -U 4 -g
> > 17-May-2016 21:53:14.644 built with '--enable-shared' '--enable-filter-' '--enable-threads' '--with-libtool' '--without-readline' '--with-python=/usr/local/bin/python2.7' '--prefix=/usr/local' '--sysconfdir=/etc' '--mandir=/usr/local/man' '--infodir=/usr/local/info' '--localstatedir=/var' '--disable-silent-rules' '--disable-gtk-doc' 'CC=cc' 'CFLAGS=-O2 -pipe'
> > 17-May-2016 21:53:14.644 
> > 
> > 17-May-2016 21:53:14.644 BIND 9 is maintained by Internet Systems Consortium,
> > 17-May-2016 21:53:14.644 Inc. (ISC), a non-profit 501(c)(3) public-benefit
> > 17-May-2016 21:53:14.644 corporation.  Support and training for BIND 9 are
> > 17-May-2016 21:53:14.644 available at https://www.isc.org/support
> > 17-May-2016 21:53:14.644 
> > 
> > 17-May-2016 21:53:14.645 found 2 CPUs, using 2 worker threads
> > 17-May-2016 21:53:14.645 using 2 UDP listeners per interface
> > 17-May-2016 21:53:14.648 using up to 4096 sockets
> > 17-May-2016 21:53:14.681 loading configuration from '/etc/named.conf'
> > 17-May-2016 21:53:14.683 /etc/root_trusted_key:1: unknown option 'managed-keys'
> > 17-May-2016 21:53:14.686 loading configuration: failure
> > 17-May-2016 21:53:14.686 exiting (due to fatal error)
> > 
> > 
> > But named documentation and "man named.conf" both say that managed-keys 
> > is a valid option.
> > 
> > So what's wrong here? Thanks in advance for any help.
> > 
> > Thomas Hluchnik
> > 
> > 
> > 

Trouble with option managed-keys

2016-05-17 Thread thl
Hi all,

I have a problem with DNSSEC and I don't find a solution. Maybe someone can help 
me.

My intention is to run a bind which acts as a DNSSEC-enabled resolver for my 
internal LAN. This runs on a VirtualBox instance with OpenBSD 5.9. I got a 
precompiled package from OpenBSD, version is 9.10.3-P3.

Configuring my named, I mostly followed a howto from Calomel.org:

https://calomel.org/dns_bind.html

This is my named.conf:

root@bsd59n:/var/named/etc# egrep -v '^ *#|^ *$|^\/\/' named.conf
acl clients {
127.0.0.0/8;
192.168.21.0/24;
::1;
};
options {
version ""; // remove this to allow version queries
listen-on{ 127.0.0.1; 192.168.21.101; };
listen-on-v6 { none; };
empty-zones-enable yes;
allow-query { clients; };
allow-recursion { clients; };
allow-transfer { none; };
include "/etc/root_trusted_key";
dnssec-enable yes;
dnssec-validation yes;
};
logging {
category lame-servers { null; };
};
zone "." {
type hint;
file "etc/root.hint";
};
zone "localhost" {
type master;
file "standard/localhost";
allow-transfer { localhost; };
};
zone "127.in-addr.arpa" {
type master;
file "standard/loopback";
allow-transfer { localhost; };
};


As my named is running in a chroot jail, /etc/root_trusted_key is 
/var/named/etc/root_trusted_key in reality.

root@bsd59n:/var/named/etc# root_trusted_key
managed-keys {
   "." initial-key 257 3 8 
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF 
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX 
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD 
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz 
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS 
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0= ";
};

root_trusted_key was generated as the Calomel howto describes.

Now, when I try to start named with that config, I get a curious error message:


root@bsd59n:/var/named/etc# /usr/local/sbin/named -t /var/named -u _bind -U 4 -g
17-May-2016 21:53:14.644 starting BIND 9.10.3-P3  -t /var/named -u _bind -U 4 -g
17-May-2016 21:53:14.644 built with '--enable-shared' '--enable-filter-' '--enable-threads' '--with-libtool' '--without-readline' '--with-python=/usr/local/bin/python2.7' '--prefix=/usr/local' '--sysconfdir=/etc' '--mandir=/usr/local/man' '--infodir=/usr/local/info' '--localstatedir=/var' '--disable-silent-rules' '--disable-gtk-doc' 'CC=cc' 'CFLAGS=-O2 -pipe'
17-May-2016 21:53:14.644 
17-May-2016 21:53:14.644 BIND 9 is maintained by Internet Systems Consortium,
17-May-2016 21:53:14.644 Inc. (ISC), a non-profit 501(c)(3) public-benefit
17-May-2016 21:53:14.644 corporation.  Support and training for BIND 9 are
17-May-2016 21:53:14.644 available at https://www.isc.org/support
17-May-2016 21:53:14.644 
17-May-2016 21:53:14.645 found 2 CPUs, using 2 worker threads
17-May-2016 21:53:14.645 using 2 UDP listeners per interface
17-May-2016 21:53:14.648 using up to 4096 sockets
17-May-2016 21:53:14.681 loading configuration from '/etc/named.conf'
17-May-2016 21:53:14.683 /etc/root_trusted_key:1: unknown option 'managed-keys'
17-May-2016 21:53:14.686 loading configuration: failure
17-May-2016 21:53:14.686 exiting (due to fatal error)


But named documentation and "man named.conf" both say that managed-keys is a 
valid option.

So what's wrong here? Thanks in advance for any help.

Thomas Hluchnik
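The root cause Mark points to is scope, not syntax: in BIND 9.10 `managed-keys` (like `trusted-keys`) is a top-level statement of named.conf, and because the `include "/etc/root_trusted_key";` line sits inside the `options { ... }` block, the file's contents are parsed as an option, which is why the parser reports `unknown option 'managed-keys'`. The script below is an added example written for this thread, not code from the list, from ISC or from the Calomel howto. It tokenizes the brace-and-semicolon syntax of named.conf, records the nesting path of every statement, and reports any `managed-keys` block that is nested under another block. The two configurations inside it are constructed to mirror the thread (the include expanded in place, the key material replaced by a placeholder); the function names `statement_paths`, `misplaced_statements` and `top_level_statements` are this example's own.

```python
"""Structural check for named.conf: is `managed-keys` at the top level?

Added example (not from the bind-users thread). It understands just enough of
the named.conf grammar (comments, quoted strings, braces, semicolons) to know
which block each statement lives in, and flags statements that BIND accepts
only at the top level when they appear inside another block.
"""
import re
from typing import List, Tuple

Path = Tuple[str, ...]

# Token classes of named.conf. Comment patterns come first so that a comment
# containing quotes or braces is swallowed whole; quoted strings may span
# lines because key material in managed-keys usually does.
_TOKEN_RE = re.compile(
    r"//[^\n]*|#[^\n]*|/\*.*?\*/"    # C++, shell and C style comments
    r'|"(?:[^"\\]|\\.)*"'            # quoted string (possibly multi-line)
    r"|[{};]"                        # structural tokens
    r'|[^\s{};"]+',                  # bare word, e.g. listen-on or 192.168.21.0/24
    re.S,
)

# Statements that named.conf accepts only at the top level (BIND 9.10).
TOP_LEVEL_ONLY = {"managed-keys", "trusted-keys"}


def statement_paths(text: str) -> List[Tuple[Path, str]]:
    """Return (enclosing block path, statement keyword) for every statement.

    A block-opening statement such as `options {` is recorded once at the
    level where it opens, then its name is pushed so that nested statements
    are recorded with a longer path. Unbalanced braces raise ValueError.
    """
    stack: List[str] = []      # names of the blocks currently open
    words: List[str] = []      # tokens of the statement being read
    found: List[Tuple[Path, str]] = []
    for tok in _TOKEN_RE.findall(text):
        if tok.startswith(("//", "#", "/*")):
            continue                               # drop comments
        if tok == "{":
            if not words:
                raise ValueError("'{' without a statement keyword")
            found.append((tuple(stack), words[0]))
            stack.append(words[0])
            words = []
        elif tok == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
            words = []
        elif tok == ";":
            if words:                              # plain `keyword value;`
                found.append((tuple(stack), words[0]))
            words = []                             # `};` has nothing pending
        else:
            words.append(tok)
    if stack:
        raise ValueError("unclosed block(s): " + "/".join(stack))
    return found


def misplaced_statements(text: str) -> List[str]:
    """Describe top-level-only statements that sit inside another block."""
    return [
        f"{name} inside {'/'.join(path)}"
        for path, name in statement_paths(text)
        if name in TOP_LEVEL_ONLY and path
    ]


def top_level_statements(text: str) -> List[str]:
    """Keywords of the statements at the top level, in file order."""
    return [name for path, name in statement_paths(text) if not path]


# Constructed: the thread's layout with the include expanded where it sat.
# The key string is a placeholder, not the real root KSK.
BROKEN_CONF = """\
acl clients { 127.0.0.0/8; 192.168.21.0/24; ::1; };
options {
    version "";  // remove this to allow version queries
    listen-on { 127.0.0.1; 192.168.21.101; };
    allow-recursion { clients; };
    # what include "/etc/root_trusted_key"; pulled in at this point
    managed-keys {
        "." initial-key 257 3 8 "AwEA...ROOT-KSK-PLACEHOLDER...";
    };
    dnssec-enable yes;
    dnssec-validation yes;
};
zone "." { type hint; file "etc/root.hint"; };
"""

# Constructed: the same content with managed-keys moved out of options.
FIXED_CONF = """\
acl clients { 127.0.0.0/8; 192.168.21.0/24; ::1; };
options {
    version "";  // remove this to allow version queries
    listen-on { 127.0.0.1; 192.168.21.101; };
    allow-recursion { clients; };
    dnssec-enable yes;
    dnssec-validation yes;
};
managed-keys {
    "." initial-key 257 3 8 "AwEA...ROOT-KSK-PLACEHOLDER...";
};
zone "." { type hint; file "etc/root.hint"; };
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, "top level:", top_level_statements(conf))
        print(label, "misplaced:", misplaced_statements(conf) or "none")
```

On the broken configuration the checker reports `managed-keys inside options`; on the fixed one it reports nothing and `managed-keys` appears among the top-level statements. The script is a teaching aid for the scoping rule; the authoritative check remains BIND's own `named-checkconf` (with `-t /var/named` for a chrooted layout like the one in the thread), which produces the same "unknown option" diagnostic that named does at startup.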


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users