1 Reply Latest reply: Aug 14, 2012 3:22 PM by SpoiledReBelle
tArre Level 1 Level 1 (85 points)

Hi all!


Just for archive purpouses, because i think i've just solved that!

This is a solution to that, with a final question for gurus and partners.


i've watch that error on /Library/Logs/named.log:

     managed-keys-zone ./IN/com.apple.ServerAdmin.DNS.public: loading from master file XXXXXXXX.mkeys failed: file not found


i'm worry about this error beacuse it seems to be related to DNSSEC keys failed to be loaded for the root "." dns servers.


if i can't trust root servers... how can i trust any other dns queries?! =)


in my /etc/named.conf I only see this line related to keys:

     include "/etc/rndc.key";


in other *nix distributions i used to see also this line:

     include "/etc/bind.key";


So i look for this file and found it in /etc/bind.keys


Following instructions in /etc/bind.keys header, i've added the "manages-keys" at the end of my named.conf


# /etc/bind.keys

# (...)

# This file also contains a copy of the trust anchor for the DNS root zone

# (".").  However, named does not use it; it is provided here for

# informational purposes only.  To switch on DNSSEC validation at the

# root, the root key below can be copied into named.conf.



After restart the DNS service the named.log show me that:


29-Sep-2011 13:16:16.900 managed-keys-zone ./IN/com.apple.ServerAdmin.DNS.public: loading from master file 7f737fd4dc4fec34dd276a5842ba8a5370c4a8ddba94a5002e26b5e8d7122d44.mkeys failed: file not found

29-Sep-2011 13:16:16.904 running

29-Sep-2011 13:16:20.964 managed-keys-zone ./IN/com.apple.ServerAdmin.DNS.public: No DNSKEY RRSIGs found for '.': success

29-Sep-2011 13:16:20.968 managed-keys-zone ./IN/com.apple.ServerAdmin.DNS.public: No DNSKEY RRSIGs found for 'dlv.isc.org': success


i love success =) but unfortunatelly, the "missing file" error keeps there...


i continue reading /etc/bind.keys header, and i see:

# The built-in DLV trust anchor in this file is used directly by named.

# However, it is not activated unless specifically switched on.  To use

# the DLV key, set "dnssec-lookaside auto;" in the named.conf options.

# Without this option being set, the key in this file is ignored.


... so i added at the "options {}" section of my named.conf the following:

     dnssec-lookaside auto;


I restarted the service, and:

     29-Sep-2011 13:23:10.162 running


great! =)

hope that helps!



And finally here comes my question, is that properly done?, and is bind/named getting automaticly the right keys, and performing the checks?




Xserve, Mac OS X (10.7.1)