Re: Message in the Bind log (Petr Simek)

Martin Och martin na och.cz
Friday January 7 08:33:49 CET 2011


----- Original Message -----
> From: "Vítězslav Kašička" <vkasicka na seznam.cz>
> To: linux na linux.cz
> Sent: Thursday, January 6, 2011 6:01:14 PM
> Subject: Re: Message in the Bind log (Petr Simek)
> 
> And when I try to enable DNSSEC, it throws these messages:
> 
> 05-Jan-2011 07:06:49.816 general: error: managed-keys-zone ./IN:
> loading from master file managed-keys.bind failed: file not found
> 05-Jan-2011 07:06:49.817 general: error: managed-keys.bind.jnl:
> create: permission denied
> 05-Jan-2011 07:06:49.817 general: error: managed-keys-zone ./IN:
> sync_keyzone:dns_journal_open -> unexpected error
> 
> 05-Jan-2011 07:06:49.817 general: info: managed-keys-zone ./IN: loaded
> serial 0
> 05-Jan-2011 07:06:49.819 general: notice: running
> 05-Jan-2011 07:06:49.864 general: error: managed-keys.bind.jnl:
> create: permission denied
> 05-Jan-2011 07:06:49.864 general: error: managed-keys-zone ./IN:
> keyfetch_done:dns_journal_open -> unexpected error
> 
> And then this is repeated for every query:
> 05-Jan-2011 07:07:26.250 lame-servers: info: error (insecurity proof
> failed) resolving 'cz/NS/IN': 213.46.172.37#53
> 05-Jan-2011 07:07:26.265 dnssec: info: validating @0x251b430: cz NS:
> got insecure response; parent indicates it should be secure
> 

It is written there clearly: permission denied.
Everything is described in various howtos, e.g. at NIC. I recommend the latest version of BIND, BIND 9.7.2-P3; the previous one had a DNSSEC bug.
If you do it the way I describe below, it will run :)

- named.conf options "must" contain:
      dnssec-enable yes;
      dnssec-validation yes;
      dnssec-lookaside . trust-anchor dlv.isc.org.;
      directory "/home/named"; // must be writable by the user named runs as (named in my case)
      bindkeys-file "/home/named/bind.keys"; // this does not have to be here, but let everything be in one directory
 
- named.conf must contain a managed-keys section with at least the root key listed; I have dlv there too
managed-keys {
  "." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
  FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
  X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
  Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";

  "dlv.isc.org." initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
  brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
  ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
  QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
};

- named.conf contains
include "trusted-keys.conf";

Once a month I do
/usr/bin/wget https://www.ripe.net/dnssec-keys/ripe-ncc-dnssec-ta.txt -O /home/named/trusted-keys.conf >>$logfile 2>>$logfile
rndc reload 

Let me know how it went

--
Martin Och
http://www.och.cz
http://www.3foto.cz
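As an added example (not part of Martin Och's post and not BIND's own tooling), the script below reads the log lines quoted in the thread, counts the known symptoms, and checks a named.conf fragment for the statements the reply says must be present. The finding names, the advice strings and the two named.conf fragments are my own; the configuration check is a rough regex check, not a named.conf parser, and the log lines that the mail client wrapped have been rejoined onto single lines.

```python
import re
from collections import Counter

# Constructed sample: the log lines quoted in the thread, wrapped lines rejoined.
SAMPLE_LOG = """\
05-Jan-2011 07:06:49.816 general: error: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
05-Jan-2011 07:06:49.817 general: error: managed-keys.bind.jnl: create: permission denied
05-Jan-2011 07:06:49.817 general: error: managed-keys-zone ./IN: sync_keyzone:dns_journal_open -> unexpected error
05-Jan-2011 07:06:49.817 general: info: managed-keys-zone ./IN: loaded serial 0
05-Jan-2011 07:06:49.819 general: notice: running
05-Jan-2011 07:06:49.864 general: error: managed-keys.bind.jnl: create: permission denied
05-Jan-2011 07:06:49.864 general: error: managed-keys-zone ./IN: keyfetch_done:dns_journal_open -> unexpected error
05-Jan-2011 07:07:26.250 lame-servers: info: error (insecurity proof failed) resolving 'cz/NS/IN': 213.46.172.37#53
05-Jan-2011 07:07:26.265 dnssec: info: validating @0x251b430: cz NS: got insecure response; parent indicates it should be secure
"""

# Each finding: (name, regex matched against one log line, defender note).
# Names and notes are my own labels, not BIND terminology.
FINDINGS = [
    ("journal_not_writable",
     re.compile(r"managed-keys\.bind\.jnl: create: permission denied"),
     "named cannot create its managed-keys journal: make the 'directory' in "
     "named.conf writable by the user named runs as"),
    ("managed_keys_missing",
     re.compile(r"managed-keys\.bind failed: file not found"),
     "no managed-keys.bind yet: expected on first start, named writes it once "
     "the directory is writable"),
    ("insecurity_proof_failed",
     re.compile(r"insecurity proof failed"),
     "validation failed for a zone the parent says is signed: expected while "
     "the trust anchors cannot be stored"),
    ("insecure_response_secure_parent",
     re.compile(r"got insecure response; parent indicates it should be secure"),
     "same root cause as above; re-check after fixing the directory permissions"),
]


def triage(log_text):
    """Count how many log lines match each known finding."""
    counts = Counter()
    for line in log_text.splitlines():
        for name, pattern, _note in FINDINGS:
            if pattern.search(line):
                counts[name] += 1
    return counts


def advice(counts):
    """Defender notes for the findings that actually occurred, in FINDINGS order."""
    return [note for name, _pattern, note in FINDINGS if counts.get(name)]


# Statements the reply says named.conf must contain. Regex-based rough check.
REQUIRED = {
    "dnssec-enable": re.compile(r"^\s*dnssec-enable\s+yes\s*;", re.M),
    "dnssec-validation": re.compile(r"^\s*dnssec-validation\s+yes\s*;", re.M),
    "directory": re.compile(r'^\s*directory\s+"[^"]+"\s*;', re.M),
    "managed-keys": re.compile(r"^\s*managed-keys\s*\{", re.M),
}


def missing_statements(conf_text):
    """Sorted names of required statements not found in conf_text."""
    # Drop // and # comments so a commented-out directive does not count.
    stripped = re.sub(r"(//|#).*", "", conf_text)
    return sorted(name for name, pat in REQUIRED.items() if not pat.search(stripped))


# Constructed named.conf fragments: one following the reply, one with the
# validation switch commented out and no managed-keys block.
GOOD_CONF = """\
options {
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside . trust-anchor dlv.isc.org.;
    directory "/home/named"; // must be writable by the named user
    bindkeys-file "/home/named/bind.keys";
};
managed-keys {
    "." initial-key 257 3 8 "ROOT-KEY-PLACEHOLDER";
};
"""
BAD_CONF = """\
options {
    dnssec-enable yes;
    // dnssec-validation yes;
    directory "/var/named";
};
"""

if __name__ == "__main__":
    counts = triage(SAMPLE_LOG)
    for name, n in counts.items():
        print(f"{name}: {n}")
    for note in advice(counts):
        print("-", note)
    print("missing in BAD_CONF:", missing_statements(BAD_CONF))
```

The two "permission denied" lines are the ones that matter: every other error in the quoted log follows from named being unable to write its journal in the working directory, which is exactly the point the reply makes about `directory`.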


