NetBSD-Users archive


Re: trouble resolving protonmail.ch, dnssec, seems netbsd-specific maybe



reed%reedmedia.net@localhost writes:

> On Thu, 19 Mar 2020, Greg Troxel wrote:
>
>> I changed
>> 
>>    dnssec-validation: auto
>> 
>> to
>> 
>>    dnssec-validation: yes
>
> Are you saying this fixed your problem?

Yes, I think it does.  However nothing seems 100% reliable so I can't
claim that with certainty.

>> after finding this hint:
>> 
>> https://kb.isc.org/docs/aa-01547
>> 
>>   dnssec-validation yes; or dnssec-validation auto; (the former requires
>>   manually-configured trust anchors using trusted-keys or managed-keys;
>>   the latter will use BIND's built-in managed keys)
>> 
>> it seems that auto uses built-in keys, and yes uses the keys in
>> keys/managed-keys.bind.
>
> That is reverse of your quoted statement above.

I don't think so.   It seems that "auto", which starts with builtin keys
or bind.keys, was failing, and "yes", which would use the managed-keys
file (which had been maintained by bind) was working.

>> But, I wonder if our keys on the netbsd-8 branch need to be updated.
>
> "auto" uses managed-keys and should update automatically to get the 
> trusted keys. See the data pointed to by the bindkeys-file setting (like 
> /etc/namedb/bind.keys or /etc/bind.keys). There could be a dynamic jnl 
> file associated with it.  I can help analyze these files for you.

I am reading it differently.

> Try using: 
>   rndc managed-keys status

$ rndc managed-keys status
rndc: 'managed-keys' failed: unknown command

This is named 9.10 as shipped with netbsd-8.  It seems I should update
to 9 and/or install from pkgsrc.


> "yes" would just use the keys you manually defined (with trusted-keys or 
> your own managed-keys statement).

Ah, but I do have

          managed-keys-directory "keys";

which is in /etc/named.conf in etc.tgz.  I generally try hard to have my
etc files match the release except for changes that I understand.

> Maybe you disabled dnssec-validation since no extra config?

no; config to follow

> Do you have other dnssec validation problems for other domains?

Not that I have noticed.

> Maybe problem is with that domain itself?  But a quick look at it and it 
> appears to be good.

I suspected the domain, but everything points to my config.

My config file starts out (now that I changed auto to yes):

options {
        directory "/etc/namedb";
        dnssec-enable yes;
        dnssec-validation yes;
        managed-keys-directory "keys";
        bindkeys-file "bind.keys";
        allow-recursion { acl_recursive_query; };
};

and dnssec-validation used to be auto.  With dnssec-validation yes, I
think bindkeys-file is ignored.

keys/managed-keys.bind has something that looks current

$ORIGIN .
$TTL 0  ; 0 seconds
@                       IN SOA  . . (
                                14050      ; serial
                                0          ; refresh (0 seconds)
                                0          ; retry (0 seconds)
                                0          ; expire (0 seconds)
                                0          ; minimum (0 seconds)
                                )
                        KEYDATA 20200320223835 20200319223835 19700101000000 257 3 8 (
                                AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
                                iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
                                7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
                                LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
                                efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
                                pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
                                A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
                                9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
                                ) ; KSK; alg = RSASHA256; key id = 20326
                                ; next refresh: Fri, 20 Mar 2020 22:38:35 GMT
                                ; trusted since: Thu, 19 Mar 2020 22:38:35 GMT

and the jnl file is basically empty:

;BIND LOG V9

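As an added example (not from this thread and not BIND's own code), a short Python check for the keys/managed-keys.bind content quoted above: it parses the KEYDATA record, computes the RFC 4034 key tag to confirm the anchor really is the key with id 20326, and reports whether the anchor is currently trusted or past its refresh time. The field meanings (refresh, add and remove timestamps, with an epoch-zero remove time meaning no removal is scheduled) are assumed from the comments named prints beside the record, and the sample record is constructed from the mail.

```python
import base64
import struct
from datetime import datetime, timezone

# Constructed sample: the KEYDATA record from the managed-keys.bind quoted in
# the mail above (root KSK, key id 20326), BIND's comments and parens kept.
SAMPLE = """\
@ KEYDATA 20200320223835 20200319223835 19700101000000 257 3 8 (
        AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
        iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
        7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
        LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
        efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
        pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
        A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
        9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
        ) ; KSK; alg = RSASHA256; key id = 20326
"""

def _ts(s):
    """KEYDATA timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def key_tag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, proto, alg, key)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_keydata(text):
    """Assumed field order: refresh, add, remove times (remove == epoch 0: none), DNSKEY."""
    body = " ".join(line.split(";", 1)[0] for line in text.splitlines())  # drop comments
    fields = body.replace("(", " ").replace(")", " ").split()
    i = fields.index("KEYDATA")
    refresh, added, removed = fields[i + 1:i + 4]
    flags, proto, alg = (int(x) for x in fields[i + 4:i + 7])
    pubkey = base64.b64decode("".join(fields[i + 7:]))  # base64 chunks joined
    return {"refresh": _ts(refresh), "added": _ts(added),
            "removed": None if removed == "19700101000000" else _ts(removed),
            "flags": flags, "proto": proto, "alg": alg,
            "tag": key_tag(flags, proto, alg, pubkey)}

def anchor_status(rec, now, expected_tag=20326):
    t = _ts(now)  # now: KEYDATA-style timestamp string, e.g. "20200320000000"
    if rec["tag"] != expected_tag or rec["flags"] != 257:  # 257 = KSK (SEP bit)
        return "unexpected key"
    if rec["removed"] is not None or rec["added"] > t:
        return "not trusted"
    return "stale (refresh overdue)" if rec["refresh"] < t else "trusted"
```

Run it against a real keys/managed-keys.bind by reading the file into parse_keydata; a "stale" result means named has not refreshed the anchor since the time in the record, which is the first thing to check when "auto" validation starts failing.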
