1. Forum
  2. Usenet
  3. COMP.PROTOCOLS.DNS.BIND

  • /etc/bind.keys in a chrooted environment

    From Josef Moellers@21:1/5 to All on Wed Jul 22 15:06:41 2020
    Hi,
    named complains about the missing file /etc/bind.keys if run chrooted:
    unable to open '/etc/bind.keys' using built-in keys

    What is the preferred way around this? Add "/etc/bind-keys" to NAMED_CONF_INCLUDE_FILES?

    Thanks,

    Josef

    --
    SUSE Software Solutions Germany GmbH
    Maxfeldstr. 5
    90409 Nürnberg
    Germany

    (HRB 36809, AG Nürnberg)
    Geschäftsführer: Felix Imendörffer

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Josef Moellers@21:1/5 to Anand Buddhdev on Wed Jul 22 15:30:28 2020
    To: bind-users@lists.isc.org

    On 22.07.20 15:28, Anand Buddhdev wrote:
    On 22/07/2020 15:06, Josef Moellers wrote:

    Hi Josef,

    named complains about the missing file /etc/bind.keys if run chrooted:
    unable to open '/etc/bind.keys' using built-in keys

    What is the preferred way around this? Add "/etc/bind-keys" to
    NAMED_CONF_INCLUDE_FILES?

    Or just ignore the warning, and let BIND use its built-in keys.

    If /etc/bind.keys contains some additional keys, this will not work ;-)

    Josef
    --
    SUSE Software Solutions Germany GmbH
    Maxfeldstr. 5
    90409 Nürnberg
    Germany

    (HRB 36809, AG Nürnberg)
    Geschäftsführer: Felix Imendörffer

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Anand Buddhdev@21:1/5 to Josef Moellers on Wed Jul 22 15:28:39 2020
    To: bind-users@lists.isc.org

    On 22/07/2020 15:06, Josef Moellers wrote:

    Hi Josef,

    named complains about the missing file /etc/bind.keys if run chrooted:
    unable to open '/etc/bind.keys' using built-in keys

    What is the preferred way around this? Add "/etc/bind-keys" to NAMED_CONF_INCLUDE_FILES?

    Or just ignore the warning, and let BIND use its built-in keys.

    Regards,
    Anand

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Anand Buddhdev@21:1/5 to Josef Moellers on Wed Jul 22 17:05:14 2020
    To: bind-users@lists.isc.org

    On 22/07/2020 16:51, Josef Moellers wrote:

    It turns out that it is mainly the warning the partner is irritade about.

    So, let me put the question the other way round: what would happen if we *always* copied /etc/bind.keys to the chroot environment? If there would
    be no harm, I could easily add that to eg /etc/init.d/named or the
    systemd service file. But the question now is: does it do any harm?

    There is no harm in copying the file into the chroot. It will get rid of
    the warning.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Josef Moellers@21:1/5 to Anand Buddhdev on Wed Jul 22 16:51:57 2020
    To: bind-users@lists.isc.org

    On 22.07.20 16:41, Anand Buddhdev wrote:
    On 22/07/2020 15:30, Josef Moellers wrote:

    Or just ignore the warning, and let BIND use its built-in keys.

    If /etc/bind.keys contains some additional keys, this will not work ;-)

    Sure, but what additional keys do you expect this file to contain? Are
    you serving an alternate signed root zone?

    I'm not really sure what the partner wants to add, I have the slight
    feeling that the remark about manually added keys was made by a third
    person assuming ...

    It turns out that it is mainly the warning the partner is irritade about.

    So, let me put the question the other way round: what would happen if we *always* copied /etc/bind.keys to the chroot environment? If there would
    be no harm, I could easily add that to eg /etc/init.d/named or the
    systemd service file. But the question now is: does it do any harm?

    Thanks,

    Josef
    --
    SUSE Software Solutions Germany GmbH
    Maxfeldstr. 5
    90409 Nürnberg
    Germany

    (HRB 36809, AG Nürnberg)
    Geschäftsführer: Felix Imendörffer

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Anand Buddhdev@21:1/5 to Josef Moellers on Wed Jul 22 16:41:38 2020
    To: bind-users@lists.isc.org

    On 22/07/2020 15:30, Josef Moellers wrote:

    Or just ignore the warning, and let BIND use its built-in keys.

    If /etc/bind.keys contains some additional keys, this will not work ;-)

    Sure, but what additional keys do you expect this file to contain? Are
    you serving an alternate signed root zone?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From tale@21:1/5 to Anand Buddhdev on Wed Jul 22 11:34:39 2020
    Copy: jmoellers@suse.de (Josef Moellers)
    Copy: bind-users@lists.isc.org (bind-users)

    On Wed, Jul 22, 2020 at 11:05 AM Anand Buddhdev <anandb@ripe.net> wrote:
    There is no harm in copying the file into the chroot. It will get rid of
    the warning.

    With the caveat that you have to be sure that if you keep the original
    copy outside of the chroot, you have to be sure updates get reflected
    inside the chroot.

    NAMED_CONF_INCLUDE_FILES mentioned in the OP seems to be a SuSE-ism
    and I didn't dig into whatever bearing it might have for maintenance
    of the chroot.
    --
    tale

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Tony Finch@21:1/5 to Anand Buddhdev on Wed Jul 22 17:05:51 2020
    Copy: jmoellers@suse.de (Josef Moellers)
    Copy: bind-users@lists.isc.org

    Anand Buddhdev <anandb@ripe.net> wrote:
    On 22/07/2020 15:06, Josef Moellers wrote:

    named complains about the missing file /etc/bind.keys if run chrooted: unable to open '/etc/bind.keys' using built-in keys

    What is the preferred way around this? Add "/etc/bind-keys" to NAMED_CONF_INCLUDE_FILES?

    Or just ignore the warning, and let BIND use its built-in keys.

    Yes, I recommend this.

    Tony.
    --
    f.anthony.n.finch <dot@dotat.at> http://dotat.at/
    Mull of Kintyre to Ardnamurchan Point: Southwest veering west 3 or 4, occasionally 5 at first. Slight or moderate. Occasional rain, fog patches. Moderate or poor, occasionally very poor.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Josef Moellers@21:1/5 to Anand Buddhdev on Wed Jul 22 18:37:42 2020
    To: bind-users@lists.isc.org

    On 22.07.20 17:05, Anand Buddhdev wrote:
    On 22/07/2020 16:51, Josef Moellers wrote:

    It turns out that it is mainly the warning the partner is irritade about.

    So, let me put the question the other way round: what would happen if we
    *always* copied /etc/bind.keys to the chroot environment? If there would
    be no harm, I could easily add that to eg /etc/init.d/named or the
    systemd service file. But the question now is: does it do any harm?

    There is no harm in copying the file into the chroot. It will get rid of
    the warning.

    Thanks and ... stay healthy!

    Josef
    --
    SUSE Software Solutions Germany GmbH
    Maxfeldstr. 5
    90409 Nürnberg
    Germany

    (HRB 36809, AG Nürnberg)
    Geschäftsführer: Felix Imendörffer

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Evan Hunt@21:1/5 to Josef Moellers on Thu Jul 23 04:23:17 2020
    Copy: anandb@ripe.net (Anand Buddhdev)
    Copy: bind-users@lists.isc.org

    On Wed, Jul 22, 2020 at 03:30:28PM +0200, Josef Moellers wrote:
    If /etc/bind.keys contains some additional keys, this will not work ;-)

    I see the question has already been answered, but I thought it might be
    worth mentioning that /etc/bind.keys can *only* be used for the root zone;
    any other domains listed there will be ignored. So, this would already not work.

    --
    Evan Hunt -- each@isc.org
    Internet Systems Consortium, Inc.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)