managed-keys-zone ./IN/com.apple.ServerAdmin.DNS.public: loading from master file XXXXXXXX.mkeys failed: file not found
Hi all!
Just for archive purposes, because I think I've just solved that!
This is a solution to that, with a final question for gurus and partners.
I've seen that error in /Library/Logs/named.log:
managed-keys-zone ./IN/com.apple.ServerAdmin.DNS.public: loading from master file XXXXXXXX.mkeys failed: file not found
I'm worried about this error because it seems to be related to DNSSEC keys failing to be loaded for the root "." DNS servers.
If I can't trust the root servers... how can I trust any other DNS queries?! =)
In my /etc/named.conf I only see this line related to keys:
include "/etc/rndc.key";
In other *nix distributions I used to also see this line:
include "/etc/bind.key";
So I looked for this file and found it in /etc/bind.keys
Following the instructions in the /etc/bind.keys header, I've added the "managed-keys" at the end of my named.conf
# /etc/bind.keys
# (...)
# This file also contains a copy of the trust anchor for the DNS root zone
# ("."). However, named does not use it; it is provided here for
# informational purposes only. To switch on DNSSEC validation at the
# root, the root key below can be copied into named.conf.
(...)
After restarting the DNS service, named.log shows me this:
29-Sep-2011 13:16:16.900 managed-keys-zone ./IN/com.apple.ServerAdmin.DNS.public: loading from master file 7f737fd4dc4fec34dd276a5842ba8a5370c4a8ddba94a5002e26b5e8d7122d44.mkeys failed: file not found
29-Sep-2011 13:16:16.904 running
29-Sep-2011 13:16:20.964 managed-keys-zone ./IN/com.apple.ServerAdmin.DNS.public: No DNSKEY RRSIGs found for '.': success
29-Sep-2011 13:16:20.968 managed-keys-zone ./IN/com.apple.ServerAdmin.DNS.public: No DNSKEY RRSIGs found for 'dlv.isc.org': success
I love success =) but unfortunately, the "missing file" error is still there...
I continued reading the /etc/bind.keys header, and I saw:
# The built-in DLV trust anchor in this file is used directly by named.
# However, it is not activated unless specifically switched on. To use
# the DLV key, set "dnssec-lookaside auto;" in the named.conf options.
# Without this option being set, the key in this file is ignored.
... so I added the following to the "options {}" section of my named.conf:
dnssec-lookaside auto;
I restarted the service, and:
29-Sep-2011 13:23:10.162 running
Great! =)
Hope that helps!
And finally here comes my question: is that properly done? And is bind/named automatically getting the right keys and performing the checks?
Thanks!
t
Xserve, Mac OS X (10.7.1)
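The final question ("is named really getting the keys and performing the checks?") can be answered from two signals: the managed-keys-zone messages in named.log and the header of a dig response. The following is an added checker, not code from the post or from BIND; the log text is constructed from the lines quoted above (with the .mkeys hash elided as in the title), the dig headers are constructed samples, and the view name, the flag names and the "bogus" rule (SERVFAIL with validation on, NOERROR with +cd) are the standard dig/BIND conventions, not values taken from this thread.

```python
"""Check whether a BIND resolver is validating DNSSEC, offline, from
named.log text and dig response headers (constructed samples below)."""
import re

MKEYS_RE = re.compile(r"managed-keys-zone (\S+): (.*)$")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.M)
STATUS_RE = re.compile(r"status: (\w+)")

# Constructed from the log lines quoted in the post (hash elided).
NAMED_LOG = (
    "29-Sep-2011 13:16:16.900 managed-keys-zone ./IN/com.apple.ServerAdmin.DNS.public: "
    "loading from master file XXXXXXXX.mkeys failed: file not found\n"
    "29-Sep-2011 13:16:16.904 running\n"
    "29-Sep-2011 13:16:20.964 managed-keys-zone ./IN/com.apple.ServerAdmin.DNS.public: "
    "No DNSKEY RRSIGs found for '.': success\n"
)
# Constructed dig headers: validated answer, failed validation, and the
# same query repeated with +cd (checking disabled).
DIG_SECURE = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2\n"
DIG_BOGUS = ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0\n"
DIG_CD = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3\n;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2\n"

def managed_keys_events(log_text):
    """Return {view: [message, ...]} for every managed-keys-zone line."""
    events = {}
    for line in log_text.splitlines():
        m = MKEYS_RE.search(line)
        if m:
            events.setdefault(m.group(1), []).append(m.group(2))
    return events

def mkeys_file_missing(log_text):
    """True if named could not load its managed-keys journal. On a fresh
    start this is normally benign: named creates the .mkeys file itself once
    the managed-keys zone is initialised, so the message alone does not mean
    validation is off; the dig check below is the real test."""
    return any("failed: file not found" in msg
               for msgs in managed_keys_events(log_text).values() for msg in msgs)

def dig_header(dig_text):
    """Return (status, set_of_flags) parsed from dig's header lines."""
    status = STATUS_RE.search(dig_text)
    flags = FLAGS_RE.search(dig_text)
    return (status.group(1) if status else None,
            set(flags.group(1).split()) if flags else set())

def classify(dig_plain, dig_cd):
    """'secure': the resolver validated the answer (ad flag set).
    'bogus': it fails only when validation is on (SERVFAIL, but NOERROR with +cd).
    'insecure': answered, but nothing was validated (no ad flag)."""
    status, flags = dig_header(dig_plain)
    cd_status, _ = dig_header(dig_cd)
    if status == "NOERROR" and "ad" in flags:
        return "secure"
    if status == "SERVFAIL" and cd_status == "NOERROR":
        return "bogus"
    if status == "NOERROR":
        return "insecure"
    return "unreachable"
```

In practice the two dig inputs come from `dig +dnssec <name> @127.0.0.1` and the same query with `+cd`; a resolver that never sets `ad` for a signed name is not validating, whatever the log says.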