dnssec-validation auto vs yes


dnssec-validation auto vs yes

Bind-Users forum mailing list

Hi,

The default BIND9 installation for CentOS7 has dnssec-validation set to "yes" and it also includes managed-keys as well. Do those managed-keys get updated automatically? It is not clear from reading https://ftp.isc.org/isc/dnssec-guide/html/dnssec-guide.html#dnssec-validation-explained that these managed-keys will get updated automatically if dnssec-validation is not set to "auto".

[root@centos-linux ~]# named -v
BIND 9.9.4-RedHat-9.9.4-73.el7_6 (Extended Support Version)
[root@centos-linux ~]# grep named.root.key /etc/named.conf
include "/etc/named.root.key";
[root@centos-linux ~]# cat /etc/named.root.key
managed-keys {
        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
        # for current trust anchor information.
        #
        # This key (19036) is to be phased out starting in 2017. It will
        # remain in the root zone for some time after its successor key
        # has been added. It will remain this file until it is removed from
        # the root zone.
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";

        # This key (20326) is to be published in the root zone in 2017.
        # Servers which were already using the old key should roll to the
        # new # one seamlessly.  Servers being set up for the first time
        # can use either of the keys in this file to verify the root keys
        # for the first time; thereafter the keys in the zone will be
        # trusted and maintained automatically.
        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=";
};



_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: dnssec-validation auto vs yes

Evan Hunt
On Wed, Jun 12, 2019 at 11:40:27PM +0000, Shawn Zhou via bind-users wrote:
> The default BIND9 installation for CentOS7 has dnssec-validation set to
> "yes" and it also includes managed-keys as well. Do those managed-keys
> get updated automatically?

Yes, if the "managed-keys" statement is in named.conf (or included in
it via an "include" statement) then the keys will be updated automatically.
Based on what you copy-pasted, that appears to be the case.

"dnssec-validation auto" causes named to use its built-in key for the root
zone, so you don't have to put your own "managed-keys" statement into
named.conf, but otherwise it's the same as "dnssec-validation yes".

(BTW, a note in passing: we're changing the command from "managed-keys" to
"dnssec-keys" over the next few years. The new syntax will be available in
BIND 9.15.1, which should be out next week; the old syntax will be
phased out later.)

--
Evan Hunt -- [hidden email]
Internet Systems Consortium, Inc.

Re: dnssec-validation auto vs yes

Bind-Users forum mailing list
Thanks Evan. Sounds like "dnssec-validation auto" is a more future-proof option for what I want it. I will use that instead.

On Wednesday, June 12, 2019, 5:25:51 PM PDT, Evan Hunt <[hidden email]> wrote:

Re: dnssec-validation auto vs yes

Tony Finch
Shawn Zhou via bind-users <[hidden email]> wrote:

>  Thanks Evan. Sounds like "dnssec-validation auto" is a more
>  future-proof option for what I want it. I will use that instead.

My recommendation is to avoid configuring or installing root trust
anchors, and let named handle all that itself. In BIND 9.14 and later
you don't need any configuration for working DNSSEC validation :-)

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Forties, Cromarty, Forth: Cyclonic 5 to 7, occasionally gale 8 at first in
Forth, becoming south or southeast 5 or 6 later. Moderate or rough. Rain, fog
patches except in Forth. Moderate, occasionally very poor except in Forth.

Re: dnssec-validation auto vs yes

Warren Kumari
In reply to this post by Evan Hunt
On Wed, Jun 12, 2019 at 8:25 PM Evan Hunt <[hidden email]> wrote:
>
> On Wed, Jun 12, 2019 at 11:40:27PM +0000, Shawn Zhou via bind-users wrote:
> > The default BIND9 installation for CentOS7 has dnssec-validation set to
> > "yes" and it also includes managed-keys as well. Do those managed-keys
> > get updated automatically?
>
> Yes, if the "managed-keys" statement is in named.conf (or included in
> it via an "include" statement) then the keys will be updated automatically.
... assuming that named can write to the directory. This is definitely
worth double-checking.

W

> Based on what you copy-pasted, that appears to be the case.
>
> "dnssec-validation auto" causes named to use its built-in key for the root
> zone, so you don't have to put your own "managed-keys" statement into
> named.conf, but otherwise it's the same as "dnssec-validation yes".
>
> (BTW, a note in passing: we're changing the command from "managed-keys" to
> "dnssec-keys" over the next few years. The new syntax will be available in
> BIND 9.15.1, which should be out next week; the old syntax will be
> phased out later.)
>
> --
> Evan Hunt -- [hidden email]
> Internet Systems Consortium, Inc.



--
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
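The two points raised in this thread, Evan's (with "yes" the keys are maintained automatically only when a managed-keys statement is present, directly or through an include, while "auto" uses named's built-in root key) and Warren's (named must be able to write the managed-keys database), can be checked before restarting a resolver. The script below is an added example, not code from the thread or from ISC. It assumes the CentOS defaults of /etc/named.conf and a service user called "named" (both overridable as arguments), and that named writes managed-keys.bind and its .jnl journal to managed-keys-directory when set, otherwise to the options "directory". It goes slightly beyond the thread by also recognising the later "dnssec-keys" and "trust-anchors" spellings of the statement. The sample config it builds when run without arguments is constructed here with placeholder key data, not a real trust anchor.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISC. Preflight check for a
# BIND 9 resolver's trust-anchor setup:
#  1. which dnssec-validation mode named.conf selects ("auto" uses named's
#     built-in root key; "yes" relies on a managed-keys statement, which
#     may be pulled in through an "include"), and
#  2. whether the service user can write to the directory holding the
#     managed-keys database (managed-keys.bind plus its .jnl journal):
#     managed-keys-directory if set, otherwise the options "directory".
# Assumed defaults: config /etc/named.conf, service user "named".

# Print the value of a one-value option (comments stripped), first match only.
conf_value() {
    sed -e 's/#.*$//' -e 's,//.*$,,' "$1" \
      | grep -E "^[[:space:]]*$2[[:space:]]" | head -n 1 \
      | sed -E "s/^[[:space:]]*$2[[:space:]]+\"?([^\";]*)\"?;.*/\1/"
}

dnssec_mode() {           # auto | yes | no | unset
    v=$(conf_value "$1" dnssec-validation)
    printf '%s\n' "${v:-unset}"
}

keys_dir() {              # where named keeps managed-keys.bind
    d=$(conf_value "$1" managed-keys-directory)
    [ -n "$d" ] || d=$(conf_value "$1" directory)
    printf '%s\n' "$d"
}

# 0 if the conf, or a file it includes (one level), has a trust-anchor block.
has_managed_keys() {
    files=$1
    for inc in $(sed -e 's/#.*$//' "$1" | grep -E '^[[:space:]]*include[[:space:]]' \
                 | sed -E 's/^[[:space:]]*include[[:space:]]+"([^"]*)".*/\1/'); do
        case $inc in /*) files="$files $inc" ;; *) files="$files $(dirname "$1")/$inc" ;; esac
    done
    for f in $files; do
        [ -r "$f" ] && sed -e 's/#.*$//' "$f" \
          | grep -Eq '^[[:space:]]*(managed-keys|dnssec-keys|trust-anchors)[[:space:]]*\{' \
          && return 0
    done
    return 1
}

# 0 if USER can write to DIR, judged from owner/group/other mode bits
# (root bypasses DAC, so uid 0 is always reported as able to write).
user_can_write() {
    dir=$1; user=$2
    [ -d "$dir" ] || return 1
    [ "$(id -u "$user" 2>/dev/null)" = 0 ] && return 0
    set -- $(ls -ld "$dir")                 # mode links owner group ...
    mode=$1; owner=$3; group=$4
    if [ "$owner" = "$user" ]; then bit=3
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then bit=6
    else bit=9; fi                          # unknown user is treated as "other"
    [ "$(printf '%s' "$mode" | cut -c"$bit")" = w ]
}

# Report both checks; non-zero exit if either would stop automatic key updates.
preflight() {
    conf=${1:-/etc/named.conf}; user=${2:-named}; rc=0
    [ -r "$conf" ] || { printf 'cannot read %s\n' "$conf"; return 1; }
    mode=$(dnssec_mode "$conf")
    printf 'dnssec-validation: %s\n' "$mode"
    case $mode in
      auto) printf '  built-in root key in use; managed-keys statement optional\n' ;;
      yes)  if has_managed_keys "$conf"; then
                printf '  managed-keys statement present; named maintains the keys itself\n'
            else
                printf '  WARNING: no managed-keys statement found for "yes"\n'; rc=1
            fi ;;
      no)   printf '  validation disabled\n' ;;
      *)    printf '  not set; the default for this BIND version applies\n' ;;
    esac
    d=$(keys_dir "$conf")
    printf 'managed-keys database directory: %s\n' "${d:-(unset: named working dir)}"
    if [ -n "$d" ] && ! user_can_write "$d" "$user"; then
        printf '  WARNING: user %s cannot write to %s; key updates will fail\n' "$user" "$d"; rc=1
    fi
    return $rc
}

# Constructed sample mirroring the CentOS 7 layout in the thread (placeholder
# key data, not a real trust anchor); prints the directory it was written to.
make_sample() {
    s=$(mktemp -d); mkdir "$s/data"
    printf 'managed-keys {\n\t# placeholder\n\t. initial-key 257 3 8 "EXAMPLE";\n};\n' > "$s/named.root.key"
    printf 'options {\n\tdirectory "%s/data";\n\tdnssec-validation yes;\n};\ninclude "%s/named.root.key";\n' \
        "$s" "$s" > "$s/named.conf"
    printf '%s\n' "$s"
}

# With no arguments, run against the constructed sample; otherwise against
# the given config: sh bind-anchor-check.sh /etc/named.conf named
if [ $# -eq 0 ]; then preflight "$(make_sample)/named.conf" "$(id -un)"; else preflight "$1" "$2"; fi
```

On a real host run it as root with the service user as the second argument; the writability test is done from the mode bits so it does not need to switch to that user. Include paths are followed only one level deep and must not contain spaces, which covers the single include "/etc/named.root.key" layout shown at the top of the thread.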