Re: Trouble with option managed-keys
Hello Mark, yes, it works now. Thanks for your prompt help.

Thomas Hluchnik

On Tuesday 17 May 2016 22:49:29 Mark Elkins wrote:
> "managed-keys" is not a config option, try moving it outside the option
> stanza, eg
>
> options {
>         version "";          // remove this to allow version queries
>         listen-on{ 127.0.0.1; 192.168.21.101; };
>         listen-on-v6 { none; };
>         empty-zones-enable yes;
>         allow-query { clients; };
>         allow-recursion { clients; };
>         allow-transfer { none; };
>         dnssec-enable yes;
>         dnssec-validation yes;
> };
>
> include "/etc/root_trusted_key";
>
> logging {
>         category lame-servers { null; };
> };
> ...
>
> Personally, I just have the text from your included file directly in
> named.conf file itself.
>
> Take a quick peek at http://dnssec.co.za
>
> On 17/05/2016 22:35, t...@it-hluchnik.de wrote:
> > [...]
Re: Trouble with option managed-keys
"managed-keys" is not a config option, try moving it outside the option
stanza, eg

options {
        version "";          // remove this to allow version queries
        listen-on{ 127.0.0.1; 192.168.21.101; };
        listen-on-v6 { none; };
        empty-zones-enable yes;
        allow-query { clients; };
        allow-recursion { clients; };
        allow-transfer { none; };
        dnssec-enable yes;
        dnssec-validation yes;
};

include "/etc/root_trusted_key";

logging {
        category lame-servers { null; };
};
...

Personally, I just have the text from your included file directly in
named.conf file itself.

Take a quick peek at http://dnssec.co.za

On 17/05/2016 22:35, t...@it-hluchnik.de wrote:
> [...]

--
Mark James ELKINS - Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590   Cell: +27.826010496
For fast, reliable, low cost Internet in ZA:
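The misplacement the reply points at (a top-level statement pulled into options {} through an include) can be caught before a restart with a small lint over named.conf. This is an added example, not code from the thread or from BIND: it follows include statements from an in-memory map (a constructed sample with a placeholder key, not a real trust anchor) and reports top-level-only statements such as managed-keys that end up inside options {}.

```python
# Statements BIND accepts only at the top level of named.conf, never inside options {}.
TOP_LEVEL_ONLY = {"managed-keys", "trusted-keys", "zone", "acl", "logging", "view"}

# Constructed sample reproducing the thread's misplaced include; the key is a placeholder.
BROKEN_NAMED_CONF = """\
options {
        listen-on { 127.0.0.1; 192.168.21.101; };  // nested block inside options
        include "/etc/root_trusted_key";
        dnssec-validation yes;
};
zone "." { type hint; file "etc/root.hint"; };
"""
ROOT_TRUSTED_KEY = 'managed-keys { "." initial-key 257 3 8 "PLACEHOLDER-KEY"; };\n'
INCLUDES = {"/etc/root_trusted_key": ROOT_TRUSTED_KEY}
FIXED_NAMED_CONF = BROKEN_NAMED_CONF.replace(      # the fix: include moved out of options {}
    '        include "/etc/root_trusted_key";\n', "") + 'include "/etc/root_trusted_key";\n'


def lint(text, includes=None, where="named.conf", _stack=None):
    """Return [(file, statement)] for top-level-only statements found inside options {}.
    includes maps include paths to file contents so includes are followed offline."""
    includes = includes or {}
    stack = [] if _stack is None else _stack    # names of the enclosing blocks
    problems, head, in_str, in_comment = [], "", False, False
    for i, ch in enumerate(text):
        if in_comment:                          # // and # comments run to end of line
            in_comment = ch != "\n"
            continue
        if not in_str and (ch == "#" or text.startswith("//", i)):
            in_comment = True
            continue
        if ch == '"':
            in_str = not in_str                 # braces or // inside strings are data
        if in_str or ch not in "{};":
            head += ch
            continue
        words, head = head.split(), ""
        if ch == "}":
            stack.pop()                         # assumes balanced braces
        elif words:                             # skip the empty ';' that follows '}'
            keyword = words[0]
            if keyword in TOP_LEVEL_ONLY and "options" in stack:
                problems.append((where, keyword))
            if ch == "{":
                stack.append(keyword)
            elif keyword == "include" and len(words) > 1:
                path = words[1].strip('"')
                if path in includes:            # lint the included file in place
                    problems += lint(includes[path], includes, path, stack)
    return problems
```

BIND's own named-checkconf reports the same "unknown option" error without restarting the daemon; the lint above only adds which file the misplaced statement came from.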
Trouble with option managed-keys
Hi all,

I have a problem with DNSSEC and I don't find a solution. Maybe someone can help me.

My intention is to run a bind which acts as a DNSSEC-enabled resolver for my internal LAN. This runs on a VirtualBox instance with OpenBSD 5.9. I got a precompiled package from OpenBSD; the version is 9.10.3-P3.

Configuring my named, I mostly followed a howto from Calomel.org:

https://calomel.org/dns_bind.html

This is my named.conf:

root@bsd59n:/var/named/etc# egrep -v '^ *#|^ *$|^\/\/' named.conf
acl clients {
        127.0.0.0/8;
        192.168.21.0/24;
        ::1;
};
options {
        version "";          // remove this to allow version queries
        listen-on{ 127.0.0.1; 192.168.21.101; };
        listen-on-v6 { none; };
        empty-zones-enable yes;
        allow-query { clients; };
        allow-recursion { clients; };
        allow-transfer { none; };
        include "/etc/root_trusted_key";
        dnssec-enable yes;
        dnssec-validation yes;
};
logging {
        category lame-servers { null; };
};
zone "." {
        type hint;
        file "etc/root.hint";
};
zone "localhost" {
        type master;
        file "standard/localhost";
        allow-transfer { localhost; };
};
zone "127.in-addr.arpa" {
        type master;
        file "standard/loopback";
        allow-transfer { localhost; };
};

As my named is running in a chroot jail, /etc/root_trusted_key is /var/named/etc/root_trusted_key in reality.

root@bsd59n:/var/named/etc# root_trusted_key
managed-keys {
        "." initial-key 257 3 8
        "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
        FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
        bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
        X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
        W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
        Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
        QxA+Uk1ihz0= ";
};

root_trusted_key was generated as the Calomel howto describes.

Now, when I try to start named with that config, I get a curious error message:

root@bsd59n:/var/named/etc# /usr/local/sbin/named -t /var/named -u _bind -U 4 -g
17-May-2016 21:53:14.644 starting BIND 9.10.3-P3 -t /var/named -u _bind -U 4 -g
17-May-2016 21:53:14.644 built with '--enable-shared' '--enable-filter-' '--enable-threads' '--with-libtool' '--without-readline' '--with-python=/usr/local/bin/python2.7' '--prefix=/usr/local' '--sysconfdir=/etc' '--mandir=/usr/local/man' '--infodir=/usr/local/info' '--localstatedir=/var' '--disable-silent-rules' '--disable-gtk-doc' 'CC=cc' 'CFLAGS=-O2 -pipe'
17-May-2016 21:53:14.644
17-May-2016 21:53:14.644 BIND 9 is maintained by Internet Systems Consortium,
17-May-2016 21:53:14.644 Inc. (ISC), a non-profit 501(c)(3) public-benefit
17-May-2016 21:53:14.644 corporation. Support and training for BIND 9 are
17-May-2016 21:53:14.644 available at https://www.isc.org/support
17-May-2016 21:53:14.644
17-May-2016 21:53:14.645 found 2 CPUs, using 2 worker threads
17-May-2016 21:53:14.645 using 2 UDP listeners per interface
17-May-2016 21:53:14.648 using up to 4096 sockets
17-May-2016 21:53:14.681 loading configuration from '/etc/named.conf'
17-May-2016 21:53:14.683 /etc/root_trusted_key:1: unknown option 'managed-keys'
17-May-2016 21:53:14.686 loading configuration: failure
17-May-2016 21:53:14.686 exiting (due to fatal error)

But the named documentation and "man named.conf" both say that managed-keys is a valid option.

So what's wrong here? Thanks in advance for any help.

Thomas Hluchnik

Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users