$INCLUDE Kexamle.com.+007...

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

$INCLUDE Kexamle.com.+007...

@lbutlr
When a domain configuration file contains an include line for the key, where is that include looking for the key file?

I'm in a situation where the keys seems to work fine for updating DNSSEC, but nsdiff complains the key file is not found.

Obviously something in named.conf or the domain file is off as far as nstiff is concerned, and I’d like to fix it, but it’s hard to debug when the actual key update is working.

In Named.conf I have
key-directory   "/usr/local/etc/namedb/working/keys”;

And that is where the keyholes are stored.

But nsdiff returns an error the key file cannot be found.

Or I am using nstiff improperly?


nsdiff -k admin.key covisp.net  working/master/covisp.net
nsdiff: loading zone covisp.net. via AXFR from ns1.covisp.net.
zone covisp.net/IN: loaded serial 2019022695 (DNSSEC signed)
OK
nsdiff: loading zone covisp.net. from file working/master/covisp.net
dns_master_load: working/master/covisp.net:48: Kcovisp.net.+007+34178.key: file not found
dns_master_load: working/master/covisp.net:49: Kcovisp.net.+007+46143.key: file not found
zone covisp.net/IN: loading from master file working/master/covisp.net failed: file not found
zone covisp.net/IN: not loaded due to errors.
nsdiff: missing SOA record

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: $INCLUDE Kexamle.com.+007...

Tony Finch
@lbutlr <[hidden email]> wrote:

> When a domain configuration file contains an include line for the key,
> where is that include looking for the key file?

... good question, I have avoided having to find that out ...

> I'm in a situation where the keys seems to work fine for updating
> DNSSEC, but nsdiff complains the key file is not found.

Well, nsdiff uses named-compilezone to canonicalize zone files, and the
named-compilezone manual lists a couple of options that affect $INCLUDE:

       -t directory
              Chroot to directory so that include directives in the configura‐
              tion file are processed as if run by a similarly chrooted named.

       -w directory
              chdir  to  directory  so  that relative filenames in master file
              $INCLUDE directives work.  This  is  similar  to  the  directory
              clause in named.conf.

So it sounds like "the current directory" is the answer to your question.

However, I don't think you need to $INCLUDE key files. I think maybe that
used to be a thing when signing a zone had to involve dnssec-signzone? But
nowadays even dnssec-signzone will automatically insert public keys into
the signed zone.

When you're doing automatic signing with named (which you have to do if
you are using nsupdate to alter the zone), the keys are included in the
signed zone based on their timing metatata, which you can set with
dnssec-settime. [There's also the new key policy stuff which I have not
yet tried out properly.]

So the actual answer is, you don't explicitly $INCLUDE the keys in the
zone, so questions about current directories do not arise.

Does that make sense?

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Lough Foyle to Carlingford Lough: Southwest veering west, 6 to gale 8, then
veering northwest 4 to 6 later. Moderate or rough, becoming slight or moderate
south of rathlin island. Showers,thundery at first. Good, occasionally
moderate.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: $INCLUDE Kexamle.com.+007...

@lbutlr
On 05 Jul 2020, at 10:12, Tony Finch <[hidden email]> wrote:
> @lbutlr <[hidden email]> wrote:
>
>> When a domain configuration file contains an include line for the key,
>> where is that include looking for the key file?
>
> ... good question, I have avoided having to find that out ...

Heh.

> So it sounds like "the current directory" is the answer to your question.

That would certainly explain why it fails then.

> However, I don't think you need to $INCLUDE key files. I think maybe that
> used to be a thing when signing a zone had to involve dnssec-signzone? But
> nowadays even dnssec-signzone will automatically insert public keys into
> the signed zone.

Ah, that would be good. When I resolve the other issue I posted about I will check that.

My configuration started in … um… 1995? I'm sure I should start all over with the 9.16 manual from scratch, but you know, I have all this TV to watch. 😃

> Does that make sense?

It does, and thank you.



--
It's against my programming to impersonate a deity.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users