From e53217f503807b43a1eac04dc4d3ce97f91058b7 Mon Sep 17 00:00:00 2001 From: Alex Dehnert Date: Wed, 12 Jun 2019 23:45:45 -0400 Subject: [PATCH] Config changes from 18.04 upgrade? --- bind.keys | 55 +++++++++++++++------------------------------- named.conf.options | 14 +++++++----- 2 files changed, 26 insertions(+), 43 deletions(-) diff --git a/bind.keys b/bind.keys index 80523ad..5e5a32b 100644 --- a/bind.keys +++ b/bind.keys @@ -1,46 +1,26 @@ -/* $Id: bind.keys,v 1.7 2011/01/03 23:45:07 each Exp $ */ # The bind.keys file is used to override the built-in DNSSEC trust anchors -# which are included as part of BIND 9. As of the current release, the only -# trust anchors it contains are those for the DNS root zone ("."), and for -# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors -# for any other zones MUST be configured elsewhere; if they are configured -# here, they will not be recognized or used by named. +# which are included as part of BIND 9. The only trust anchors it contains +# are for the DNS root zone ("."). Trust anchors for any other zones MUST +# be configured elsewhere; if they are configured here, they will not be +# recognized or used by named. # # The built-in trust anchors are provided for convenience of configuration. # They are not activated within named.conf unless specifically switched on. -# To use the built-in root key, set "dnssec-validation auto;" in -# named.conf options. To use the built-in DLV key, set -# "dnssec-lookaside auto;". Without these options being set, -# the keys in this file are ignored. +# To use the built-in key, use "dnssec-validation auto;" in the +# named.conf options. Without this option being set, the keys in this +# file are ignored. # # This file is NOT expected to be user-configured. # -# These keys are current as of Feburary 2017. If any key fails to +# These keys are current as of October 2017. If any key fails to # initialize correctly, it may have expired. In that event you should # replace this file with a current version. The latest version of # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys. +# +# See https://data.iana.org/root-anchors/root-anchors.xml +# for current trust anchor information for the root zone. managed-keys { - # ISC DLV: See https://www.isc.org/solutions/dlv for details. - # - # NOTE: The ISC DLV zone is being phased out as of February 2017; - # the key will remain in place but the zone will be otherwise empty. - # Configuring "dnssec-lookaside auto;" to activate this key is - # harmless, but is no longer useful and is not recommended. - dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 - brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ - 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 - ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk - Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM - QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt - TDN0YUuWrBNh"; - - # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml - # for current trust anchor information. - # - # These keys are activated by setting "dnssec-validation auto;" - # in named.conf. - # # This key (19036) is to be phased out starting in 2017. It will # remain in the root zone for some time after its successor key # has been added. It will remain this file until it is removed from @@ -53,12 +33,13 @@ managed-keys { Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0="; - # This key (20326) is to be published in the root zone in 2017. - # Servers which were already using the old key should roll to the - # new # one seamlessly. Servers being set up for the first time - # can use either of the keys in this file to verify the root keys - # for the first time; thereafter the keys in the zone will be - # trusted and maintained automatically. + # This key (20326) was published in the root zone in 2017. + # Servers which were already using the old key (19036) should + # roll seamlessly to this new one via RFC 5011 rollover. Servers + # being set up for the first time can use the contents of this + # file as initializing keys; thereafter, the keys in the + # managed key database will be trusted and maintained + # automatically. . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF diff --git a/named.conf.options b/named.conf.options index 31f56b2..0796e2e 100644 --- a/named.conf.options +++ b/named.conf.options @@ -2,12 +2,8 @@ options { directory "/var/cache/bind"; // If there is a firewall between you and nameservers you want - // to talk to, you might need to uncomment the query-source - // directive below. Previous versions of BIND always asked - // questions using port 53, but BIND 8.1 and later use an unprivileged - // port by default. - - // query-source address * port 53; + // to talk to, you may need to fix the firewall to allow multiple + // ports to talk. See http://www.kb.cert.org/vuls/id/800113 // If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. @@ -23,6 +19,12 @@ options { 18.72.0.3; }; + //======================================================================== + // If BIND logs error messages about the root key being expired, + // you will need to update your keys. See https://www.isc.org/bind-keys + //======================================================================== + dnssec-validation auto; + // ALEX DEHNERT: copied from old arctic version on 2008-12-19 //ALEX DEHNERT: Security-related stuff: // Secure(ish): -- 2.34.1