Re: F12 Bind and Dnssec
On Tue, 2009-11-24 at 12:00 -0500, fedora-list-requ...@redhat.com wrote:
> Date: Tue, 24 Nov 2009 08:22:21 -0800
> From: wolfgang.ruppre...@gmail.com (Wolfgang S. Rupprecht)
> Subject: Re: F12 Bind and Dnssec
> To: fedora-list@redhat.com
> Message-ID: 87ljhvgaf6@arbol.wsrcc.com
> Content-Type: text/plain; charset=us-ascii
>
> Ed Gurski e...@gurski.com writes:
> > I noticed that early this morning, changed it and still had the same problem. I'm wondering if SELinux is getting in the way?
>
> It is still saying expected IP address near 'dnssec-enable'? This is after a service dns restart? You are really editing /etc/named.conf and there isn't a typo somewhere?
>
> That doesn't feel like an selinux issue at all. It seems like the BIND parser thinks you are giving it the dnssec-enable in the context where it was expecting an address. I wonder if named-checkconf will tell you anything useful.
>
> -wolfgang

Wolfgang:

Found the problem. It wasn't anything I was looking at. Instead it was the file /etc/pki/dnssec-keys/named.dnssec.keys file that was corrupted? Not sure how that happened, but I installed Bind on another F12 machine with the same configuration (except the DNS server was the new machine) and everything worked. I then noticed that the named.dnssec.key file size was different, so I copied it over and now it's working properly.

I still get no valid DS resolving xx, so I'm not sure what else I need to do...

thanks again and sorry for the late reply...

--
Ed Gurski
Linux User # 458454
http://counter.li.org

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: F12 Bind and Dnssec
Ed Gurski e...@gurski.com writes:
> Found the problem. It wasn't anything I was looking at. Instead it was the file /etc/pki/dnssec-keys/named.dnssec.keys file that was corrupted?

I wonder what else is corrupted. My personal feeling is that corruptions and mysterious bugs like this are serious enough that one should first figure out what is going on before wasting time chasing other bugs created by a flakey system.

> I still get no valid DS resolving xx, so I'm not sure what else I need to do...

Are the other dns config files ok? The stock BIND config in f12 should work fine. Start with that and then slowly fold your local changes in and see where it stops working.

Are you trying to run dnssec on your local zones and forgot to put a DS record in the parent zone of some subzone?

-wolfgang
--
Wolfgang S. Rupprecht
If the airwaves belong to the public why does the public only get 3 non-overlapping WIFI channels?
Re: F12 Bind and Dnssec
Ed Gurski e...@gurski.com writes:
>     forwarders {
>         // OpenDNS
>         208.67.222.222;
>         208.67.220.220;
>         dnssec-enable yes;
>         dnssec-validation yes;
>         dnssec-lookaside . trust-anchor dlv.isc.org.;
>     };
> };

Try:

    ...
    forwarders {
        // OpenDNS
        208.67.222.222;
        208.67.220.220;
    };
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside . trust-anchor dlv.isc.org.;
};

You had the dnssec-* stuff inside your forwarders list by mistake.

-wolfgang
--
Wolfgang S. Rupprecht
If the airwaves belong to the public why does the public only get 3 non-overlapping WIFI channels?
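
Added example (not part of the original thread, and not BIND's own parser): a small pre-restart check that reports any statement placed inside a forwarders { } list that is not an address, which is the mistake behind "expected IP address near 'dnssec-enable'". The function names and the two sample configs are constructed from the snippets quoted above; named-checkconf, mentioned elsewhere in the thread, remains the authoritative check.

```python
import ipaddress
import re

# Constructed samples: the forwarders section as posted in the thread (BROKEN)
# and as corrected in the reply (FIXED).
BROKEN = """options {
    forwarders {
        // OpenDNS
        208.67.222.222;
        208.67.220.220;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside . trust-anchor dlv.isc.org.;
    };
};"""
FIXED = """options {
    forwarders {
        // OpenDNS
        208.67.222.222;
        208.67.220.220;
    };
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside . trust-anchor dlv.isc.org.;
};"""

def strip_comments(text):
    """Drop /* */, // and # comments (quoted strings are not special-cased)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def is_forwarder(entry):
    """Accept 'ADDR' or 'ADDR port N'; anything else is not a forwarder."""
    parts = entry.split()
    if len(parts) == 3 and parts[1] == "port" and parts[2].isdigit():
        parts = parts[:1]
    if len(parts) != 1:
        return False
    try:
        ipaddress.ip_address(parts[0])
        return True
    except ValueError:
        return False

def misplaced_in_forwarders(conf_text):
    """Return the statements inside forwarders { } that are not addresses."""
    blocks = re.findall(r"\bforwarders\s*\{([^{}]*)\}", strip_comments(conf_text))
    entries = (" ".join(e.split()) for b in blocks for e in b.split(";"))
    return [e for e in entries if e and not is_forwarder(e)]
```

Calling misplaced_in_forwarders(BROKEN) lists the three dnssec-* statements; the corrected config yields an empty list.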
Re: F12 Bind and Dnssec
On Tue, 2009-11-24 at 10:44 -0500, fedora-list-requ...@redhat.com wrote:
> Date: Tue, 24 Nov 2009 04:54:30 -0800
> From: wolfgang.ruppre...@gmail.com (Wolfgang S. Rupprecht)
> Subject: Re: F12 Bind and Dnssec
> To: fedora-list@redhat.com
> Message-ID: 87tywkgk1l@arbol.wsrcc.com
> Content-Type: text/plain; charset=us-ascii
>
> Ed Gurski e...@gurski.com writes:
> >     forwarders {
> >         // OpenDNS
> >         208.67.222.222;
> >         208.67.220.220;
> >         dnssec-enable yes;
> >         dnssec-validation yes;
> >         dnssec-lookaside . trust-anchor dlv.isc.org.;
> >     };
> > };
>
> Try:
>
>     ...
>     forwarders {
>         // OpenDNS
>         208.67.222.222;
>         208.67.220.220;
>     };
>     dnssec-enable yes;
>     dnssec-validation yes;
>     dnssec-lookaside . trust-anchor dlv.isc.org.;
> };
>
> You had the dnssec-* stuff inside your forwarders list by mistake.
>
> -wolfgang
> --
> Wolfgang S. Rupprecht
> If the airwaves belong to the public why does the public only get 3 non-overlapping WIFI channels?

Wolfgang:

I noticed that early this morning, changed it and still had the same problem. I'm wondering if SELinux is getting in the way?

Thanks
Re: F12 Bind and Dnssec
Ed Gurski e...@gurski.com writes:
> I noticed that early this morning, changed it and still had the same problem. I'm wondering if SELinux is getting in the way?

It is still saying expected IP address near 'dnssec-enable'? This is after a service dns restart? You are really editing /etc/named.conf and there isn't a typo somewhere?

That doesn't feel like an selinux issue at all. It seems like the BIND parser thinks you are giving it the dnssec-enable in the context where it was expecting an address. I wonder if named-checkconf will tell you anything useful.

-wolfgang
--
Wolfgang S. Rupprecht
If the airwaves belong to the public why does the public only get 3 non-overlapping WIFI channels?
F12 Bind and Dnssec
I just installed F12 on a previously running F11 machine. I backed up all my configurations and for the most part everything is back up and running except for Bind. I know that in F11 BIND introduced DNSSEC and I had it working perfectly. Now in F12, BIND fails with the following message:

    expected IP address near 'dnssec-enable'

Here is a copy of my named.conf (it is chroot'ed and Selinux is in permissive mode):

    options {
        directory /var/named;
        dump-file /var/named/data/cache_dump.db;
        statistics-file /var/named/data/named_stats.txt;
        listen-on { 10.25.240.10;};
        // forward first;
        forward only;
        forwarders {
            // OpenDNS
            208.67.222.222;
            208.67.220.220;
            dnssec-enable yes;
            dnssec-validation yes;
            dnssec-lookaside . trust-anchor dlv.isc.org.;
        };
    };

Has something changed in F12?

Thanks

--
Ed Gurski
Linux User # 458454
http://counter.li.org
Re: F12 Bind and Dnssec
On Mon, 2009-11-23 at 22:38 -0500, Ed Gurski wrote:
> expected IP address near 'dnssec-enable'

> dnssec-enable yes;
> dnssec-validation yes;
> dnssec-lookaside . trust-anchor dlv.isc.org.;

I haven't played with Fedora 12 and dnssec, yet, just simpler DNS configuration on prior Fedora releases, but I wonder whether a simple syntax error is causing a parsing problem. I see an example of that sort of configuration, but theirs has quotes around the dot and the domain name.

e.g. dnssec-lookaside "." trust-anchor "dlv.isc.org.";

See: http://www.nlnetlabs.nl/publications/dnssec_howto/index.html

--
[...@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.