From: Tony Finch
Newsgroups: comp.protocols.dns.bind
Subject: Re: $INCLUDE Kexamle.com.+007...
Date: Sun, 5 Jul 2020 17:12:04 +0100
To: "@lbutlr"
Cc: bind-users

@lbutlr wrote:

> When a domain configuration file contains an include line for the key,
> where is that include looking for the key file?

... good question, I have avoided having to find that out ...

> I'm in a situation where the keys seem to work fine for updating
> DNSSEC, but nsdiff complains the key file is not found.

Well, nsdiff uses named-compilezone to canonicalize zone files, and the
named-compilezone manual lists a couple of options that affect $INCLUDE:

       -t directory
           Chroot to directory so that include directives in the
           configuration file are processed as if run by a similarly
           chrooted named.

       -w directory
           chdir to directory so that relative filenames in master file
           $INCLUDE directives work. This is similar to the directory
           clause in named.conf.

So it sounds like "the current directory" is the answer to your question.

However, I don't think you need to $INCLUDE key files. I think maybe that
used to be a thing when signing a zone had to involve dnssec-signzone? But
nowadays even dnssec-signzone will automatically insert public keys into
the signed zone.

When you're doing automatic signing with named (which you have to do if
you are using nsupdate to alter the zone), the keys are included in the
signed zone based on their timing metadata, which you can set with
dnssec-settime. [There's also the new key policy stuff which I have not
yet tried out properly.]

So the actual answer is, you don't explicitly $INCLUDE the keys in the
zone, so questions about current directories do not arise.

Does that make sense?

Tony.
-- 
f.anthony.n.finch http://dotat.at/
Lough Foyle to Carlingford Lough: Southwest veering west, 6 to gale 8, then
veering northwest 4 to 6 later. Moderate or rough, becoming slight or
moderate south of rathlin island. Showers,thundery at first. Good,
occasionally moderate.
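
An added example, not part of the original message and not code from BIND or nsdiff: a small Python check that lists every $INCLUDE in a zone file and reports whether the named file exists when relative names are resolved against a chosen working directory, which is the behaviour the reply describes for named-compilezone -w. The zone, key file name and directory layout are constructed for the demonstration, and the script does not invoke any BIND tool.

```python
import os
import tempfile

def find_includes(zone_file, workdir, _seen=None):
    """Return [(name, resolved_path, exists)] for every $INCLUDE reachable
    from zone_file, resolving relative names against workdir (not against
    the directory of the including file)."""
    seen = _seen if _seen is not None else set()
    results = []
    with open(zone_file, encoding="utf-8") as fh:
        for line in fh:
            fields = line.split(";", 1)[0].split()   # drop comment, tokenize
            if len(fields) < 2 or fields[0].upper() != "$INCLUDE":
                continue
            name = fields[1].strip('"')
            # os.path.join leaves an absolute name untouched
            path = os.path.normpath(os.path.join(workdir, name))
            exists = os.path.isfile(path)
            results.append((name, path, exists))
            if exists and path not in seen:          # follow nested includes once
                seen.add(path)
                results += find_includes(path, workdir, seen)
    return results

def demo():
    """Constructed layout: zone file in zones/, key file in keys/."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "zones"))
    os.makedirs(os.path.join(root, "keys"))
    key = "Kexample.test.+013+00001.key"             # constructed file name
    with open(os.path.join(root, "keys", key), "w") as fh:
        fh.write("; constructed placeholder, not a real DNSKEY\n")
    zone = os.path.join(root, "zones", "example.test.db")
    with open(zone, "w") as fh:
        fh.write("$TTL 3600\n$INCLUDE keys/%s ; zone signing key\n" % key)
    from_root = find_includes(zone, root)                          # cwd = root
    from_zones = find_includes(zone, os.path.join(root, "zones"))  # cwd = zones/
    return from_root, from_zones

if __name__ == "__main__":
    for label, found in zip(("workdir=root ", "workdir=zones"), demo()):
        for name, path, exists in found:
            print(label, name, "OK" if exists else "NOT FOUND", path)
```

The same zone file passes from one working directory and fails from the other, which matches the symptom of signing working under named while a tool started elsewhere reports the key file as missing.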