Discussion:
auto update signatures dnssec
fakessh @
2010-12-26 23:25:56 UTC
hello bind network

good day and merry christmas.

I just put in place guidelines in bind config to update the DNSSEC
signatures.
I'm looking for options that require the least amount of maintenance, so that
all updates of signatures are performed without any external intervention.

I quote my named.conf:

zone "fakessh.eu" {
    type master;
    file "/var/named/fakessh.eu.hosts";
    auto-dnssec maintain;
    update-policy local;
    key-directory "/var/named/keyset-fakessh.eu";
    allow-transfer { 213.251.188.140; 87.98.164.164; 195.234.42.1; 94.23.59.30; };
};

Are the guidelines good options?



My named:
~]# rpm -qa | egrep bind
bind-9.7.0-5.P2.el5
bind-devel-9.7.0-5.P2.el5
bind-sdb-9.7.0-5.P2.el5
bind-utils-9.7.0-5.P2.el5
bind-libs-9.7.0-5.P2.el5

I use CentOS 5.5 with a custom kernel.

Many returns are welcome.

Sincerely
--
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
gpg --keyserver pgp.mit.edu --recv-key 092164A7
fakessh
Alan Clegg
2010-12-27 13:48:36 UTC
Post by fakessh @
good day and merry christmas.
Thanks, and to you as well.
Post by fakessh @
I just put in place guidelines in bind config to update the signatures
dnssec
I'm looking for options that require the least amount of maintenance that
all updates of signatures are performed without any external intervention
i quote my named conf
zone "fakessh.eu" {
    type master;
    file "/var/named/fakessh.eu.hosts";
    auto-dnssec maintain;
    update-policy local;
    key-directory "/var/named/keyset-fakessh.eu";
    allow-transfer { 213.251.188.140; 87.98.164.164; 195.234.42.1; 94.23.59.30; };
};
is what the guidelines are good options
A bit more interesting is the command that you used to sign the zone.
When signatures reach 3/4 lifetime, the associated record is
automatically re-signed.

Additionally, when new keys are made available, signatures will be created
based on the timing meta-data in the keys.

Overall, the defaults seem to be "good enough" for nearly everyone.

AlanC
fakessh @
2010-12-28 21:15:22 UTC
Sorry for the top box on Alan Clegg.
Post by Alan Clegg
Post by fakessh @
good day and merry christmas.
Thanks, and to you as well.
Post by fakessh @
I just put in place guidelines in bind config to update the signatures
dnssec
I'm looking for options that require the least amount of maintenance that
all updates of signatures are performed without any external intervention
i quote my named conf
zone "fakessh.eu" {
    type master;
    file "/var/named/fakessh.eu.hosts";
    auto-dnssec maintain;
    update-policy local;
    key-directory "/var/named/keyset-fakessh.eu";
    allow-transfer { 213.251.188.140; 87.98.164.164; 195.234.42.1; 94.23.59.30; };
};
is what the guidelines are good options
A bit more interesting is the command that you used to sign the zone.
When signatures reach 3/4 lifetime, the associated record is
automatically re-signed.
Additionally, when new keys are made available, signatures will be created
based on the timing meta-data in the keys.
Overall, the defaults seem to be "good enough" for nearly everyone.
AlanC
Hello responsible bind community.

You gave me the answer to my question, thank you, but I am having new
problems.

I encounter errors during the automatic re-signing.

I quote my multiple errors:

I do not know what it is.


Dec 28 22:04:02 r13151 named-sdb[24511]: /var/named/renelacroute.fr.hosts.jnl: create: permission denied
Dec 28 22:04:02 r13151 named-sdb[24511]: zone nicolaspichot.fr/IN: zone_resigninc:dns_journal_open -> unexpected error
Dec 28 22:04:02 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file fakessh.eu/DSA/9552: file not found
Dec 28 22:04:02 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file fakessh.eu/DSA/47103: file not found
Dec 28 22:04:02 r13151 named-sdb[24511]: zone r13151.ovh.net/IN: sending notifies (serial 2010111401)
Dec 28 22:04:02 r13151 named-sdb[24511]: zone renelacroute.fr/IN: zone_resigninc:dns_journal_open -> unexpected error
Dec 28 22:04:02 r13151 kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=94.23.60.214 DST=88.191.64.64 LEN=148 TOS=0x00 PREC=0x00 TTL=64 ID=14118 PROTO=UDP SPT=41425 DPT=53 LEN=128
Dec 28 22:04:02 r13151 named-sdb[24511]: zone fakessh.eu/IN: setting keywarntime to 1294213060 - 7 days
Dec 28 22:04:03 r13151 kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=94.23.60.214 DST=88.191.64.64 LEN=148 TOS=0x00 PREC=0x00 TTL=64 ID=14119 PROTO=UDP SPT=35445 DPT=53 LEN=128
Dec 28 22:04:03 r13151 named-sdb[24511]: zone nicolaspichot.fr/IN: sending notifies (serial 2010120601)
Dec 28 22:04:03 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file nicolaspichot.fr/DSA/37015: file not found
Dec 28 22:04:03 r13151 named-sdb[24511]: /var/named/fakessh.eu.hosts.jnl: create: permission denied
Dec 28 22:04:03 r13151 named-sdb[24511]: zone fakessh.eu/IN: zone_resigninc:dns_journal_open -> unexpected error
Dec 28 22:04:03 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file nicolaspichot.fr/DSA/7246: file not found
Dec 28 22:04:03 r13151 named-sdb[24511]: zone renelacroute.fr/IN: sending notifies (serial 2010120601)
Dec 28 22:04:03 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file fakessh.eu/DSA/9552: file not found
Dec 28 22:04:04 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file fakessh.eu/DSA/47103: file not found
Dec 28 22:04:04 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file renelacroute.fr/DSA/64823: file not found
Dec 28 22:04:04 r13151 named-sdb[24511]: /var/named/nicolaspichot.fr.hosts.jnl: create: permission denied
Dec 28 22:04:04 r13151 named-sdb[24511]: zone fakessh.eu/IN: zone_resigninc:dns_db_getsigningtime -> not found
Dec 28 22:04:04 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file renelacroute.fr/DSA/57237: file not found
Dec 28 22:04:04 r13151 named-sdb[24511]: zone nicolaspichot.fr/IN: zone_resigninc:dns_journal_open -> unexpected error
Dec 28 22:04:04 r13151 named-sdb[24511]: zone renelacroute.fr/IN: setting keywarntime to 1294212898 - 7 days
Dec 28 22:04:04 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file nicolaspichot.fr/DSA/37015: file not found
Dec 28 22:04:05 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file nicolaspichot.fr/DSA/7246: file not found
Dec 28 22:04:05 r13151 named-sdb[24511]: /var/named/renelacroute.fr.hosts.jnl: create: permission denied
Dec 28 22:04:05 r13151 named-sdb[24511]: zone nicolaspichot.fr/IN: zone_resigninc:dns_db_getsigningtime -> not found
Dec 28 22:04:05 r13151 named-sdb[24511]: zone renelacroute.fr/IN: zone_resigninc:dns_journal_open -> unexpected error
--
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
Torinthiel
2010-12-28 21:23:55 UTC
Post by fakessh @
Post by fakessh @
zone "fakessh.eu" {
    type master;
    file "/var/named/fakessh.eu.hosts";
    auto-dnssec maintain;
    update-policy local;
    key-directory "/var/named/keyset-fakessh.eu";
    allow-transfer { 213.251.188.140; 87.98.164.164; 195.234.42.1; 94.23.59.30; };
};
is what the guidelines are good options
hello responsible bind community.
you gave me the answer, thank you to my question but I am having new
problems.
I encounter errors during the self resignatures
I do not know what it is
[cut most log entries]
Post by fakessh @
Dec 28 22:04:02 r13151
permission denied
Dec 28 22:04:02 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error
reading private key file fakessh.eu/DSA/9552: file not found
Dec 28 22:04:02 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error
reading private key file fakessh.eu/DSA/47103: file not found
First, where are the key files, relative to the bind directory (the one in
options { directory })?
Are the names correctly given to bind?
It looks like bind cannot find them.

Second, you need to give the user running bind (probably named) rights to
write to the /var/named/renelacroute.fr.hosts.jnl directory.
Torinthiel
fakessh @
2010-12-28 22:04:17 UTC
Post by fakessh @
permission denied
Permissions are wrong on /var/named -- the named process needs to be
able to write into it.
Post by fakessh @
error reading private key file fakessh.eu/DSA/9552: file not found
It seems that the .key and .private files are not in the right place.
Fix those two and I bet the rest go away...
AlanC
What is the right place, AlanC?
I looked at the permissions after correction; this seems correct.
--
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
Alan Clegg
2010-12-28 22:08:25 UTC
Post by fakessh @
Post by fakessh @
error reading private key file fakessh.eu/DSA/9552: file not found
It seems that the .key and .private files are not in the right place.
what is the right place ?
In your named.conf, you should have "key-directory <...>;" defined. The
keys should be there (and readable by the named process).

If you don't have a "key-directory" statement, then named will look in
the working directory from which the process was started (which is
normally a bad idea...)

AlanC
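Torinthiel's and Alan's diagnosis above comes down to two checks: are the key pairs actually in the configured key-directory and readable by named, and can named create the .jnl journal next to the zone file. The script below is an added example, not code from the thread or from BIND. It pulls the zone/algorithm/key-id triples and journal paths out of log lines like the ones quoted above, maps each key to the file name named expects (assuming the standard BIND naming convention K<zone>.+<alg>+<id>.key/.private with IANA algorithm numbers), and reports which pairs are missing. The sample log lines are constructed from the thread, the key directory is a temporary one the script builds itself, and readability is tested as the user running the script rather than as the named user.

```python
import os
import re
import tempfile

# Constructed sample: a handful of the named-sdb log lines quoted in the thread,
# each re-joined onto a single line (the mail client wrapped them).
SAMPLE_LOG = """\
Dec 28 22:04:02 r13151 named-sdb[24511]: /var/named/renelacroute.fr.hosts.jnl: create: permission denied
Dec 28 22:04:02 r13151 named-sdb[24511]: zone nicolaspichot.fr/IN: zone_resigninc:dns_journal_open -> unexpected error
Dec 28 22:04:02 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file fakessh.eu/DSA/9552: file not found
Dec 28 22:04:02 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file fakessh.eu/DSA/47103: file not found
Dec 28 22:04:03 r13151 named-sdb[24511]: /var/named/fakessh.eu.hosts.jnl: create: permission denied
Dec 28 22:04:03 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2: error reading private key file fakessh.eu/DSA/9552: file not found
"""

MISSING_KEY_RE = re.compile(
    r"dns_dnssec_findzonekeys2: error reading private key file "
    r"(?P<zone>[^/\s]+)/(?P<alg>[A-Z0-9]+)/(?P<keyid>\d+): file not found")
JOURNAL_RE = re.compile(r"(?P<path>\S+\.jnl): create: permission denied")

# DNSSEC algorithm mnemonics -> IANA numbers, as used in BIND key file names.
ALG_NUMBERS = {"RSAMD5": 1, "DSA": 3, "RSASHA1": 5, "NSEC3DSA": 6, "NSEC3RSASHA1": 7,
               "RSASHA256": 8, "RSASHA512": 10, "ECDSAP256SHA256": 13,
               "ECDSAP384SHA384": 14, "ED25519": 15, "ED448": 16}


def parse_log(text):
    """Return (missing_keys, journal_paths) found in named's log output.
    missing_keys is a sorted list of (zone, algorithm mnemonic, key id)."""
    missing, journals = set(), set()
    for line in text.splitlines():
        m = MISSING_KEY_RE.search(line)
        if m:
            missing.add((m.group("zone"), m.group("alg"), int(m.group("keyid"))))
            continue
        m = JOURNAL_RE.search(line)
        if m:
            journals.add(m.group("path"))
    return sorted(missing), sorted(journals)


def key_file_basename(zone, alg, keyid):
    """named looks for K<zone>.+<alg>+<id>.key and .private in key-directory;
    the algorithm number is zero-padded to 3 digits and the key id to 5."""
    return "K%s.+%03d+%05d" % (zone.rstrip("."), ALG_NUMBERS[alg], keyid)


def check_key_directory(key_dir, missing_keys):
    """For every key named in the log, say whether its .key/.private pair is
    present and readable in key_dir (readability as the current user, not named)."""
    findings = {}
    for zone, alg, keyid in missing_keys:
        base = key_file_basename(zone, alg, keyid)
        problems = []
        for ext in (".key", ".private"):
            path = os.path.join(key_dir, base + ext)
            if not os.path.exists(path):
                problems.append(ext + " missing")
            elif not os.access(path, os.R_OK):
                problems.append(ext + " unreadable")
        findings[base] = "ok" if not problems else ", ".join(problems)
    return findings


def check_journal_dirs(journal_paths):
    """named creates <zonefile>.jnl beside the zone file, so the zone file's
    directory must be writable by named (tested here as the current user)."""
    return {p: os.access(os.path.dirname(p), os.W_OK) for p in journal_paths}


def demo():
    """Build a throwaway key directory holding only one of the two fakessh.eu
    key pairs and run the checks against the sample log."""
    missing, journals = parse_log(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as key_dir:
        for ext in (".key", ".private"):
            with open(os.path.join(key_dir, "Kfakessh.eu.+003+09552" + ext), "w") as f:
                f.write("; constructed placeholder, not real key material\n")
        findings = check_key_directory(key_dir, missing)
    return missing, journals, findings


if __name__ == "__main__":
    for label, value in zip(("missing keys", "journals", "findings"), demo()):
        print(label, value)
```

Run against the real server, the key directory argument would be the zone's key-directory value from named.conf, and the script would be run as the named user (or the ownership and mode bits compared against that user) so that the readability and writability answers match what named itself sees.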
G.W. Haywood
2010-12-29 09:03:39 UTC
Hi there,
Post by Alan Clegg
In your named.conf, you should have "key-directory <...>;" defined. The
keys should be there (and readable by the named process).
If you don't have a "key-directory" statement, then named will look in
the working directory from which the process was started (which is
normally a bad idea...)
Perhaps named-checkconf should issue a warning if it finds that this
option is not defined?

--

73,
Ged.
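Ged's point above is that a zone using auto-dnssec without a key-directory silently falls back to named's working directory. As an added example (not part of the thread, and not what named-checkconf does), here is a small Python check that reads a named.conf, walks the top-level blocks with a brace matcher so nested statements such as allow-transfer do not confuse it, and lists every zone with auto-dnssec enabled that has no key-directory of its own and no global one in options. The sample configuration is constructed from the zone quoted in the thread plus a second, hypothetical zone example.test that lacks the statement; zones declared inside view blocks are not descended into.

```python
import re

# Constructed sample: the thread's zone plus a hypothetical one missing key-directory.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
};

zone "fakessh.eu" {
    type master;
    file "/var/named/fakessh.eu.hosts";
    auto-dnssec maintain;
    update-policy local;
    key-directory "/var/named/keyset-fakessh.eu";
    allow-transfer { 213.251.188.140; 87.98.164.164; };
};

zone "example.test" {
    type master;
    file "/var/named/example.test.hosts";
    auto-dnssec maintain;
    update-policy local;
};
"""

KEYDIR_RE = re.compile(r'key-directory\s+"([^"]*)"\s*;')
AUTO_DNSSEC_RE = re.compile(r"auto-dnssec\s+(maintain|allow)\s*;")
ZONE_HDR_RE = re.compile(r'zone\s+"([^"]+)"')


def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def top_level_blocks(text):
    """Yield (header, body) for each top-level `header { body };` statement,
    matching braces so nested blocks stay inside their parent's body."""
    i, n = 0, len(text)
    while i < n:
        open_idx = text.find("{", i)
        if open_idx == -1:
            break
        header = text[i:open_idx].strip(" ;\t\r\n")
        depth, j = 0, open_idx
        while j < n:
            if text[j] == "{":
                depth += 1
            elif text[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        yield header, text[open_idx + 1:j]
        i = j + 1


def find_zones_without_key_directory(conf_text):
    """Return the names of zones that enable auto-dnssec but have no
    key-directory, neither in the zone block nor globally in options."""
    text = strip_comments(conf_text)
    global_keydir = None
    zones = []
    for header, body in top_level_blocks(text):
        if header.startswith("options"):
            m = KEYDIR_RE.search(body)
            if m:
                global_keydir = m.group(1)
        elif header.startswith("zone"):
            zones.append((ZONE_HDR_RE.match(header).group(1), body))
    problems = []
    for name, body in zones:
        if AUTO_DNSSEC_RE.search(body) is None:
            continue
        if KEYDIR_RE.search(body) is None and global_keydir is None:
            problems.append(name)
    return problems


if __name__ == "__main__":
    for zone in find_zones_without_key_directory(SAMPLE_NAMED_CONF):
        print("zone %s: auto-dnssec enabled but no key-directory; named will "
              "look for keys in its working directory" % zone)
```

A zone-level key-directory overrides the global one, which is why the check accepts either; the thread's own zone passes, and only the constructed example.test is flagged.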
