
9.7.0-P1 managed-keys.bind issues


Mark Watts

Apr 14, 2010, 8:10:35 AM
to bind-...@lists.isc.org

I'm trying to set up a new 9.7.0-P1 server in order to (initially) do
DNSSEC validation lookups.
I'm using the Fedora 13 SRPM, recompiled on CentOS 5.4. SELinux is Off
currently.

When I add the following to my options {} section, I get some log
messages I don't understand...

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

Apr 14 12:06:34 dns01 named[4911]: zone managed-keys.bind/IN/_meta: loading from master file dynamic/managed-keys.bind failed: file not found
Apr 14 12:06:34 dns01 named[4911]: dynamic/managed-keys.bind.jnl: create: file not found
Apr 14 12:06:34 dns01 named[4911]: zone managed-keys.bind/IN/_meta: sync_keyzone:dns_journal_open -> unexpected error
Apr 14 12:06:34 dns01 named[4911]: zone managed-keys.bind/IN/_meta: loaded serial 0
Apr 14 12:06:35 dns01 named[4911]: zone managed-keys.bind/IN/_meta: Unable to fetch DNSKEY set 'dlv.isc.org': failure
Apr 14 12:06:35 dns01 named[4911]: dynamic/managed-keys.bind.jnl: create: file not found
Apr 14 12:06:35 dns01 named[4911]: zone managed-keys.bind/IN/_meta: keyfetch_done:dns_journal_open -> unexpected error

I can explain the "Unable to fetch DNSKEY" message; the server currently
has no direct Internet access.

What do the other messages mean, and how can I resolve them?

Mark.

--
Mark Watts BSc RHCE MBCS
Senior Systems Engineer, Managed Services Manpower
www.QinetiQ.com
QinetiQ - Delivering customer-focused solutions
GPG Key: http://www.linux-corner.info/mwatts.gpg


Mark Watts

Apr 14, 2010, 8:54:39 AM
to bind-...@lists.isc.org
On Wed, 2010-04-14 at 13:10 +0100, Mark Watts wrote:
> I'm trying to set up a new 9.7.0-P1 server in order to (initially) do
> DNSSEC validation lookups.
> I'm using the Fedora 13 SRPM, recompiled on CentOS 5.4. SELinux is Off
> currently.
>
> When I add the following to my options {} section, I get some log
> messages I don't understand...
>
> dnssec-enable yes;
> dnssec-validation yes;
> dnssec-lookaside auto;
>
> Apr 14 12:06:34 dns01 named[4911]: zone managed-keys.bind/IN/_meta: loading from master file dynamic/managed-keys.bind failed: file not found
> Apr 14 12:06:34 dns01 named[4911]: dynamic/managed-keys.bind.jnl: create: file not found
> Apr 14 12:06:34 dns01 named[4911]: zone managed-keys.bind/IN/_meta: sync_keyzone:dns_journal_open -> unexpected error
> Apr 14 12:06:34 dns01 named[4911]: zone managed-keys.bind/IN/_meta: loaded serial 0
> Apr 14 12:06:35 dns01 named[4911]: zone managed-keys.bind/IN/_meta: Unable to fetch DNSKEY set 'dlv.isc.org': failure
> Apr 14 12:06:35 dns01 named[4911]: dynamic/managed-keys.bind.jnl: create: file not found
> Apr 14 12:06:35 dns01 named[4911]: zone managed-keys.bind/IN/_meta: keyfetch_done:dns_journal_open -> unexpected error
>
> I can explain the "Unable to fetch DNSKEY" message; the server currently
> has no direct Internet access.
>
> What do the other messages mean, and how can I resolve them?
>
> Mark.

It would appear that these are all related. Allowing outbound DNS
queries fixed these messages.


Hauke Lampe

Apr 14, 2010, 8:53:02 AM
to Mark Watts, bind-...@lists.isc.org
Mark Watts wrote:

> Apr 14 12:06:34 dns01 named[4911]: zone managed-keys.bind/IN/_meta: sync_keyzone:dns_journal_open -> unexpected error

Does named have permission to create files in the directory specified by
"directory" in the options block?

BIND uses an internal dynamic zone for RFC5011-updated trust anchors and
needs to write zone and journal files in its work directory.


Hauke.



Evan Hunt

Apr 14, 2010, 12:49:15 PM
to Mark Watts, bind-...@lists.isc.org
> It would appear that these are all related. Allowing outbound DNS
> queries fixed these messages.

Thanks for the report.

If you didn't want to allow outbound DNS queries, then just turn off
dnssec-lookaside. What it's doing is trying to refresh the DNSSEC key
for dlv.isc.org, but if you weren't going to be supporting outbound
queries anyway, there's no need for it to do this.

--
Evan Hunt -- ea...@isc.org
Internet Systems Consortium, Inc.
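The two causes raised in the replies above (Hauke's: named must be able to create the managed-keys zone and journal in its "directory"; Evan's: dnssec-lookaside auto needs outbound DNS to refresh the dlv.isc.org keys) can both be checked before starting named. The script below is an added example written for this page; it is not part of the thread and not ISC tooling (named-checkconf validates syntax, not whether the work directory is writable). The function names, the probe-file approach and the sample named.conf are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread, not ISC tooling). Two pre-flight
# checks for the failure modes discussed above:
#   1. can the user named runs as create files in the "directory" from
#      named.conf, which the RFC 5011 managed-keys zone and its journal need;
#   2. is dnssec-lookaside left at "auto" on a resolver with no outbound DNS.
# Run the first check as the named user (e.g. su -s /bin/sh named) to get
# a meaningful answer.

# Create and remove a probe file, as named does for managed-keys.bind.jnl.
# Returns 0 if the directory is writable, 1 otherwise.
named_workdir_check() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    probe="$dir/.managed-keys-probe.$$"
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    echo "cannot create files in $dir: named would fail to write managed-keys.bind and its journal" >&2
    return 1
}

# Print the value of one option from a named.conf (first match).
# Deliberately simple: expects "option value;" on a single line.
named_option() {
    conf=$1; opt=$2
    sed -n "s/^[[:space:]]*$opt[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$conf" | head -n 1
}

# dnssec-lookaside auto makes named refresh the dlv.isc.org DNSKEY set over
# the network; on a host with no outbound DNS that can only fail. $2 is
# "yes" when outbound DNS is permitted. Returns 1 when the combination is wrong.
lookaside_check() {
    conf=$1; outbound=$2
    la=$(named_option "$conf" dnssec-lookaside)
    if [ "$la" = "auto" ] && [ "$outbound" != "yes" ]; then
        echo "dnssec-lookaside auto needs outbound DNS; set 'dnssec-lookaside no;' on this host" >&2
        return 1
    fi
    return 0
}

# Constructed sample options block, mirroring the settings in the first post.
write_sample_conf() {
    cat > "$1" <<'EOF'
options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
};
EOF
}

# Demo against a scratch directory so it runs without a real BIND install.
tmp=$(mktemp -d)
write_sample_conf "$tmp/named.conf"
named_workdir_check "$tmp" && echo "work directory $tmp is writable"
lookaside_check "$tmp/named.conf" no || echo "fix named.conf before starting named"
rm -rf "$tmp"
```

On a real host, point named_workdir_check at the directory named in options { directory "..."; } and run it as the named user; the "create: file not found" journal errors in the first post are exactly what an unwritable work directory produces. If the resolver is intentionally cut off from the Internet, the second check tells you to set dnssec-lookaside to no rather than open outbound DNS just to quiet the log.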
