Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.protocols.dns.bind > #15897
| Path | csiph.com!newsfeed.xs4all.nl!newsfeed8.news.xs4all.nl!news.uzoreto.com!news.etla.org!nntp-feed.chiark.greenend.org.uk!ewrotcd!usenet-its.stanford.edu!usenet.stanford.edu!not-for-mail |
|---|---|
| From | Tony Finch <dot@dotat.at> |
| Newsgroups | comp.protocols.dns.bind |
| Subject | Re: $INCLUDE Kexamle.com.+007... |
| Date | Sun, 5 Jul 2020 17:12:04 +0100 |
| Lines | 61 |
| Approved | bind-users@lists.isc.org |
| Message-ID | <mailman.605.1593965502.942.bind-users@lists.isc.org> (permalink) |
| References | <84EA4A1E-A47D-4CB2-8FEB-B780B9A09C94@kreme.com> <alpine.DEB.2.20.2007051657510.15871@grey.csi.cam.ac.uk> |
| NNTP-Posting-Host | lists.isc.org |
| Mime-Version | 1.0 |
| Content-Type | multipart/mixed; BOUNDARY="1870870841-273194879-1593965004=:15871" |
| X-Trace | usenet.stanford.edu 1593965535 17605 149.20.1.60 (5 Jul 2020 16:12:15 GMT) |
| X-Complaints-To | action@cs.stanford.edu |
| Cc | bind-users <bind-users@lists.isc.org> |
| To | "@lbutlr" <kremels@kreme.com> |
| Return-Path | <dot@dotat.at> |
| X-Original-To | bind-users@lists.isc.org |
| Delivered-To | bind-users@lists.isc.org |
| X-Cam-AntiVirus | no malware found |
| X-Cam-ScannerInfo | http://help.uis.cam.ac.uk/email-scanner-virus |
| In-Reply-To | <84EA4A1E-A47D-4CB2-8FEB-B780B9A09C94@kreme.com> |
| User-Agent | Alpine 2.20 (DEB 67 2015-01-07) |
| Content-ID | <alpine.DEB.2.20.2007051703290.15871@grey.csi.cam.ac.uk> |
| X-Spam-Status | No, score=-1.3 required=5.0 tests=KAM_LAZY_DOMAIN_SECURITY, RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS, SPF_NONE autolearn=disabled version=3.4.2 |
| X-Spam-Checker-Version | SpamAssassin 3.4.2 (2018-09-13) on mx.pao1.isc.org |
| X-BeenThere | bind-users@lists.isc.org |
| X-Mailman-Version | 2.1.29 |
| Precedence | list |
| List-Id | BIND Users Mailing List <bind-users.lists.isc.org> |
| List-Unsubscribe | <https://lists.isc.org/mailman/options/bind-users>, <mailto:bind-users-request@lists.isc.org?subject=unsubscribe> |
| List-Archive | <https://lists.isc.org/pipermail/bind-users/> |
| List-Post | <mailto:bind-users@lists.isc.org> |
| List-Help | <mailto:bind-users-request@lists.isc.org?subject=help> |
| List-Subscribe | <https://lists.isc.org/mailman/listinfo/bind-users>, <mailto:bind-users-request@lists.isc.org?subject=subscribe> |
| X-Mailman-Original-Message-ID | <alpine.DEB.2.20.2007051657510.15871@grey.csi.cam.ac.uk> |
| X-Mailman-Original-References | <84EA4A1E-A47D-4CB2-8FEB-B780B9A09C94@kreme.com> |
| Xref | csiph.com comp.protocols.dns.bind:15897 |
Show key headers only | View raw
[Multipart message — attachments visible in raw view] - view raw
@lbutlr <kremels@kreme.com> wrote:
> When a domain configuration file contains an include line for the key,
> where is that include looking for the key file?
... good question, I have avoided having to find that out ...
> I'm in a situation where the keys seems to work fine for updating
> DNSSEC, but nsdiff complains the key file is not found.
Well, nsdiff uses named-compilezone to canonicalize zone files, and the
named-compilezone manual lists a couple of options that affect $INCLUDE:
-t directory
Chroot to directory so that include directives in the configura‐
tion file are processed as if run by a similarly chrooted named.
-w directory
chdir to directory so that relative filenames in master file
$INCLUDE directives work. This is similar to the directory
clause in named.conf.
So it sounds like "the current directory" is the answer to your question.
However, I don't think you need to $INCLUDE key files. I think maybe that
used to be a thing when signing a zone had to involve dnssec-signzone? But
nowadays even dnssec-signzone will automatically insert public keys into
the signed zone.
When you're doing automatic signing with named (which you have to do if
you are using nsupdate to alter the zone), the keys are included in the
signed zone based on their timing metatata, which you can set with
dnssec-settime. [There's also the new key policy stuff which I have not
yet tried out properly.]
So the actual answer is, you don't explicitly $INCLUDE the keys in the
zone, so questions about current directories do not arise.
Does that make sense?
Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Lough Foyle to Carlingford Lough: Southwest veering west, 6 to gale 8, then
veering northwest 4 to 6 later. Moderate or rough, becoming slight or moderate
south of rathlin island. Showers,thundery at first. Good, occasionally
moderate.
Back to comp.protocols.dns.bind | Previous | Next | Find similar
Re: $INCLUDE Kexamle.com.+007... Tony Finch <dot@dotat.at> - 2020-07-05 17:12 +0100
csiph-web