To: dnsop@cafax.se
cc: bind9-bugs@isc.org
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Mon, 11 Mar 2002 23:39:22 -0500
Sender: owner-dnsop@cafax.se
Subject: nsupdate and DNSSEC
-----BEGIN PGP SIGNED MESSAGE-----
I am attempting to test the secure-ddns-howto instructions before I leave.
I do:
marajade-[/etc/namedb] root 7 #nsupdate -v -k Kmarajade.dasblinkenled.org.+157+32846.key
> server 192.139.46.30
> zone dasblinkenled.org
> update delete marajade.dasblinkenled.org A
> update add marajade.dasblinkenled.org 3600 A 192.139.46.20
> send
> EOF
and on the server, in the logs, I see:
Mar 11 22:46:46.721 update: info: client 192.139.46.20#65215: updating zone 'dasblinkenled.org/IN': deleting an rrset
Mar 11 22:46:46.734 update: info: client 192.139.46.20#65215: updating zone 'dasblinkenled.org/IN': adding an RR
Mar 11 22:46:46.746 update: error: could not get zone keys for secure dynamic update
Mar 11 22:46:46.747 update: error: client 192.139.46.20#65215: updating zone 'dasblinkenled.org/IN': SIG/NXT update failed: file not found
So, I need to let bind know where the private key for the zone is so that
it can sign the new records.
I have been through the bind 9.2.0 manual with a fine tooth comb. I do not
see any place to inform bind 9.2.0 about the private key file for signing a
zone.
I then grep'ed the source code for the error message and followed some of
the functions via etags.
It is not obvious that the K*.key files MUST be in your designated directory. I had
them in a subdirectory. Having figured this out, I now see one sentence in:
Bv9ARM.ch04.html#AEN932
> Note that the DNSSEC tools require the keyset and signedkey files to be in
> the working directory, and that the tools shipped with BIND 9.0.x are not
> fully compatible with the current ones.
It is probably worth emphasizing why this is required. It isn't required
for dnssec-signzone, since you have to tell it the file names anyway.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys
iQCVAwUBPI2Gd4qHRg3pndX9AQGfOAQAz4P0NF7Orx5xGtXWgpOY7CyhITq4Xkvm
TMtQUVvCsoGiE4Nl6+g8QQ1YM0NSCVp7QT1YLD+Ur3O9PwV6WEdfUZP0DLukLTGv
JZqOCCaIujIy1KOR2OxxbgUufMYmmehvNhziRhjptAg9aXaafnUKCjdI5LxGnJ9T
GiYi8h3OZhE=
=yN0j
-----END PGP SIGNATURE-----
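The failure described in the mail, as an added pre-flight check that is not part of the original message or of BIND: it flags the two "could not get zone keys" / "SIG/NXT update failed" log lines, and then verifies that the zone's K*.private file really sits in named's working directory rather than in a subdirectory. The zone key file name (Kdasblinkenled.org.+003+12345) and the helper names are constructed for the example; the log lines are copies of those quoted in the mail.

```python
"""Pre-flight check for BIND 9 secure dynamic update (added example, not from the mail).

Assumptions not stated in the original message: named's working directory is the
`directory` option from named.conf, and zone keys use the dnssec-keygen naming
K<zone>.+<alg>+<tag>.key / .private.
"""
import os
import re
import tempfile

# Constructed copy of the four log lines quoted in the mail, rejoined onto one line each.
SAMPLE_LOG = [
    "Mar 11 22:46:46.721 update: info: client 192.139.46.20#65215: updating zone "
    "'dasblinkenled.org/IN': deleting an rrset",
    "Mar 11 22:46:46.734 update: info: client 192.139.46.20#65215: updating zone "
    "'dasblinkenled.org/IN': adding an RR",
    "Mar 11 22:46:46.746 update: error: could not get zone keys for secure dynamic update",
    "Mar 11 22:46:46.747 update: error: client 192.139.46.20#65215: updating zone "
    "'dasblinkenled.org/IN': SIG/NXT update failed: file not found",
]

# The two messages named emits when it cannot open the zone's private key.
ZONE_KEY_ERROR = re.compile(
    r"update: error: .*(could not get zone keys for secure dynamic update"
    r"|SIG/NXT update failed: file not found)"
)


def find_zone_key_errors(log_lines):
    """Return the log lines indicating named could not find the zone's private key."""
    return [line for line in log_lines if ZONE_KEY_ERROR.search(line)]


def key_file_pattern(zone):
    """Regex for K<zone>.+<alg>+<tag>.private as written by dnssec-keygen."""
    zone = zone.rstrip(".") + "."
    return re.compile(r"^K" + re.escape(zone) + r"\+\d{3}\+\d{5}\.private$")


def locate_zone_keys(zone, working_dir):
    """Return (keys in working_dir, {subdir: keys}) so a misplaced key is reported."""
    pat = key_file_pattern(zone)
    found = sorted(f for f in os.listdir(working_dir) if pat.match(f))
    elsewhere = {}
    for root, _dirs, files in os.walk(working_dir):
        if root == working_dir:
            continue
        hits = sorted(f for f in files if pat.match(f))
        if hits:
            elsewhere[os.path.relpath(root, working_dir)] = hits
    return found, elsewhere


def demo():
    """Reproduce the mistake from the mail: zone keys in a subdirectory of named's directory.

    Uses a constructed zone key name; returns what locate_zone_keys reports.
    """
    with tempfile.TemporaryDirectory() as working_dir:
        keydir = os.path.join(working_dir, "keys")
        os.mkdir(keydir)
        for ext in (".key", ".private"):
            open(os.path.join(keydir, "Kdasblinkenled.org.+003+12345" + ext), "w").close()
        return locate_zone_keys("dasblinkenled.org", working_dir)


if __name__ == "__main__":
    for line in find_zone_key_errors(SAMPLE_LOG):
        print("zone key problem:", line)
    found, elsewhere = demo()
    if not found:
        print("no zone key in working directory; found instead:", elsewhere)
```

Run it against the real `directory` from named.conf by calling `locate_zone_keys(zone, directory)`: an empty first element together with a non-empty second one is exactly the situation the mail describes, and moving the K*.key and K*.private pair up into the working directory (or pointing `directory` at where they live) is the fix.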