what is causing this warning in /var/log/messages?

Matthew Seaman m.seaman at infracaninophile.co.uk
Sun Aug 14 11:18:21 UTC 2011

On 14/08/2011 00:45, Conrad J. Sabatier wrote:
> Did you ever get any response to this question?  I'm seeing something
> very similar after just setting up named yesterday:
> Aug 13 18:06:39 serene named[1105]: managed-keys-zone ./IN: loading
> from master file managed-keys.bind failed: file not found
> I'm just trying to set up a simple caching nameserver (slave), using the
> auto_forward options.

That's a different problem to the one Gary had.  It seems you have
options { ... dnssec-validation yes; ... };  in your named.conf (i.e.
check RRSIG data and ensure that there is a chain of trust from the root
or whatever trust anchor you prefer.  This is a good thing and really
should be enabled in all recursive nameservers nowadays.)

In order to do that, you need to explicitly specify your trusted key
in named.conf -- or preferably an initial key, as named can track from
that key to the currently active ones automatically.  There are two
important trust anchors:  the dlv.isc.org key, and the root key.  The
DLV key is built into the Bind sources -- all you need to do is add:

   options { ... dnssec-lookaside auto; ... };

If you are really paranoid, then you can verify the PGP signature on,
and then add the DLV KSK key to your named.conf as described here:


The root key is different.  In this case, to verify the key, pull the
key data from the DNS and convert it into a DS (domain signing) record.
Then compare that to the signed data published by IANA.  Once you're
satisfied, then add a managed-keys statement to named.conf like so:

managed-keys {
    // The DNS root key -- see http://data.iana.org/root-anchors/
    // Compare fingerprints with the key published in the DNS by:
    //    dig . dnskey | grep -w 257 > root.key
    //    dnssec-dsfromkey -2 root.key
    // Verify DS record against the IANA root-anchors data using PGP.

    . initial-key 257 3 8

Docco on managed-keys here:


Note that DNSSEC is one area that has seen a great deal of development
over the last several releases of BIND.  It definitely works best in the
latest version, bind-9.8.x, although any of the versions bundled with
supported versions of FreeBSD will function correctly.



Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
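
Added example, not part of the original message or of BIND: the DS comparison described in the message above, done offline in Python. It recomputes the key tag and SHA-256 digest that `dnssec-dsfromkey -2` derives from a `dig . dnskey` line and compares them with an anchor; the sample key and anchor values are constructed placeholders, not the real root key.

```python
import base64
import hashlib
import hmac
import struct

def name_to_wire(name):
    """Encode a domain name in canonical DNS wire format (lowercase labels)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """Parse one 'dig . dnskey' answer line into (owner, flags, rdata bytes)."""
    fields = line.split(";")[0].split()  # drop any trailing '; ...' comment
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    # dig may print the base64 key as several whitespace-separated chunks
    key = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], flags, struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def matches_anchor(line, anchor_tag, anchor_digest):
    """True only if the line is a KSK (flags 257) matching the published anchor."""
    owner, flags, rdata = parse_dnskey(line)
    if flags != 257:  # same filter as 'grep -w 257' in the message
        return False
    digest_ok = hmac.compare_digest(ds_sha256(owner, rdata), anchor_digest.upper())
    return key_tag(rdata) == anchor_tag and digest_ok

# Constructed sample input: a 4-byte dummy key, NOT the real root key.
SAMPLE = ".  172800  IN  DNSKEY  257 3 8 AQID BA=="
_, _, SAMPLE_RDATA = parse_dnskey(SAMPLE)
# Placeholders standing in for the KeyTag and Digest values that would be
# read from the PGP-verified IANA root-anchors data.
ANCHOR_TAG, ANCHOR_DIGEST = key_tag(SAMPLE_RDATA), ds_sha256(".", SAMPLE_RDATA)

if __name__ == "__main__":
    print(ANCHOR_TAG, ANCHOR_DIGEST, matches_anchor(SAMPLE, ANCHOR_TAG, ANCHOR_DIGEST))
```

In real use the anchor tag and digest come from the IANA file after its signature has been checked, never from the same DNS response being tested.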
