To: dnsop@cafax.se
cc: bind9-bugs@isc.org
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Mon, 11 Mar 2002 23:39:22 -0500
Sender: owner-dnsop@cafax.se
Subject: nsupdate and DNSSEC
-----BEGIN PGP SIGNED MESSAGE-----

I am attempting to test the secure-ddns-howto instructions before I leave.

I do:

marajade-[/etc/namedb] root 7 #nsupdate -v -k Kmarajade.dasblinkenled.org.+157+32846.key
> server 192.139.46.30
> zone dasblinkenled.org
> update delete marajade.dasblinkenled.org A
> update add marajade.dasblinkenled.org 3600 A 192.139.46.20
> send
> EOF

and on the server, in the logs, I see:

Mar 11 22:46:46.721 update: info: client 192.139.46.20#65215: updating zone 'dasblinkenled.org/IN': deleting an rrset
Mar 11 22:46:46.734 update: info: client 192.139.46.20#65215: updating zone 'dasblinkenled.org/IN': adding an RR
Mar 11 22:46:46.746 update: error: could not get zone keys for secure dynamic update
Mar 11 22:46:46.747 update: error: client 192.139.46.20#65215: updating zone 'dasblinkenled.org/IN': SIG/NXT update failed: file not found

So, I need to let bind know where the private key for the zone is so that it can sign the new records.

I have been through the bind 9.2.0 manual with a fine-tooth comb. I do not see any place to inform bind 9.2.0 about the private key file for signing a zone.

I then grepped the source code for the error message and followed some of the functions via etags. It is not obvious that the K*.key files MUST be in your designated directory. I had them in a subdirectory.

Having figured this out, I now see one sentence in Bv9ARM.ch04.html#AEN932:

> Note that the DNSSEC tools require the keyset and signedkey files to be in
> the working directory, and that the tools shipped with BIND 9.0.x are not
> fully compatible with the current ones.

It is probably worth emphasizing why this is required. It isn't required for dnssec-signzone, since you have to tell it the file names anyway.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys

iQCVAwUBPI2Gd4qHRg3pndX9AQGfOAQAz4P0NF7Orx5xGtXWgpOY7CyhITq4Xkvm
TMtQUVvCsoGiE4Nl6+g8QQ1YM0NSCVp7QT1YLD+Ur3O9PwV6WEdfUZP0DLukLTGv
JZqOCCaIujIy1KOR2OxxbgUufMYmmehvNhziRhjptAg9aXaafnUKCjdI5LxGnJ9T
GiYi8h3OZhE=
=yN0j
-----END PGP SIGNATURE-----
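The failure above comes down to a file-placement rule: when named signs a dynamically updated zone it looks for the zone's own K&lt;zone&gt;.+&lt;alg&gt;+&lt;id&gt;.private file in its working directory (the `directory` option in named.conf), and the HMAC-MD5 (algorithm 157) key given to nsupdate -k is a TSIG key that authenticates the update but cannot sign zone records. The script below is an added example, not part of the message or of BIND, that checks these two things before an update is attempted. It assumes the named.conf `directory` option is on a single line in double quotes, the dnssec-keygen file naming scheme, and that key files live directly in that directory rather than a subdirectory (later BIND releases add a separate `key-directory` option, which this script does not consult). The sample files created in the usage at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check that a zone's DNSSEC signing key pair is
# where BIND 9.2 looks for it before sending a signed dynamic update.
# Assumptions: `directory "..."` on one line in named.conf; key files named
# K<zone>.+<alg>+<id>.key / .private as dnssec-keygen writes them.

# Print the value of the `directory` option from a named.conf-style file.
named_directory() {
    sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# List complete zone key pairs (base name without .key/.private) for zone $2
# in directory $1. TSIG keys (algorithm 157, HMAC-MD5) are skipped: they can
# authenticate an update but cannot produce SIG records for the zone.
zone_keys() {
    dir=$1
    zone=${2%.}.                       # normalise to the trailing-dot form used in file names
    for pub in "$dir"/K"$zone"+*+*.key; do
        [ -e "$pub" ] || continue       # pattern did not match anything
        base=${pub%.key}
        alg=${pub##*/}; alg=${alg#*+}; alg=${alg%%+*}
        [ "$alg" = 157 ] && continue    # TSIG key, not a zone signing key
        [ -e "$base.private" ] || continue   # public half only: named cannot sign with it
        printf '%s\n' "$base"
    done
}

# Exit status 0 if at least one usable key pair is present, 1 otherwise.
check_zone_keys() {
    [ -n "$(zone_keys "$1" "$2")" ]
}

# Usage: sh check_zone_keys.sh /etc/namedb/named.conf dasblinkenled.org
if [ "$#" -eq 2 ]; then
    dir=$(named_directory "$1")
    if check_zone_keys "$dir" "$2"; then
        echo "zone signing key pair(s) for $2 in $dir:"
        zone_keys "$dir" "$2"
    else
        echo "no zone signing key pair for $2 in $dir; named will log" >&2
        echo "'could not get zone keys for secure dynamic update'. Move" >&2
        echo "K${2%.}.+<alg>+<id>.key and .private into $dir (not a subdirectory)." >&2
        exit 1
    fi
fi
```

Run it with the path to named.conf and the zone name before the nsupdate session; a non-zero exit means the update would be accepted by TSIG and then fail at signing time, exactly the sequence in the log above.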