
[Solved] DNSSEC managed-keys-zone

Hello,
after openSUSE Leap 15.2 I did a fresh install of version 15.3. When defining the zones for my own server, which itself sits behind a router, I defined a zone for my server and put it in /etc/named.d/ as the content of a conf file. This file is referenced by the content of the file
/etc/named/named.conf.include
.

In the service's journal
I see the following entries, which I read as errors:
Code:
dns_rdata_fromtext: /var/lib/named/dyn//managed-keys.bind:10: near eol: unexpected end of input
Feb 26 06:46:09 ketlin1 named[3663]: managed-keys-zone: loading from master file /var/lib/named/dyn//managed-keys.bind failed: unexpected end of input

The complete content since the service was started
looks like this:

Code:
Feb 26 06:46:09 ketlin1 named[1817]: received control channel command 'stop'
Feb 26 06:46:09 ketlin1 named[1817]: no longer listening on 127.0.0.1#53
Feb 26 06:46:09 ketlin1 named[1817]: no longer listening on 192.168.1.60#53
Feb 26 06:46:09 ketlin1 named.init[3605]: Shutting down name server BIND
Feb 26 06:46:09 ketlin1 named[1817]: shutting down: flushing changes
Feb 26 06:46:09 ketlin1 named[1817]: stopping command channel on 127.0.0.1#953
Feb 26 06:46:09 ketlin1 named[1817]: exiting
Feb 26 06:46:09 ketlin1 systemd[1]: named.service: Succeeded.
Feb 26 06:46:09 ketlin1 systemd[1]: Stopped Berkeley Internet Name Domain (DNS).
Feb 26 06:46:09 ketlin1 systemd[1]: Starting Berkeley Internet Name Domain (DNS)...
Feb 26 06:46:09 ketlin1 named[3663]: starting BIND 9.16.6 (Stable Release) <id:25846cf>
Feb 26 06:46:09 ketlin1 named[3663]: running on Linux x86_64 5.3.18-150300.59.49-default #1 SMP Mon Feb 7 14:40:20 UTC 2022 (77d9d02)
Feb 26 06:46:09 ketlin1 named[3663]: built with '--host=x86_64-suse-linux-gnu' '--build=x86_64-suse-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=>
Feb 26 06:46:09 ketlin1 named[3663]: running as: named -4 -t /var/lib/named -u named
Feb 26 06:46:09 ketlin1 named[3663]: compiled by GCC 7.5.0
Feb 26 06:46:09 ketlin1 named[3663]: compiled with OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
Feb 26 06:46:09 ketlin1 named[3663]: linked to OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
Feb 26 06:46:09 ketlin1 named[3663]: compiled with libxml2 version: 2.9.7
Feb 26 06:46:09 ketlin1 named[3663]: linked to libxml2 version: 20907
Feb 26 06:46:09 ketlin1 named[3663]: compiled with json-c version: 0.13
Feb 26 06:46:09 ketlin1 named[3663]: linked to json-c version: 0.13
Feb 26 06:46:09 ketlin1 named[3663]: compiled with zlib version: 1.2.11
Feb 26 06:46:09 ketlin1 named[3663]: linked to zlib version: 1.2.11
Feb 26 06:46:09 ketlin1 named[3663]: ----------------------------------------------------
Feb 26 06:46:09 ketlin1 named[3663]: BIND 9 is maintained by Internet Systems Consortium,
Feb 26 06:46:09 ketlin1 named[3663]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Feb 26 06:46:09 ketlin1 named[3663]: corporation.  Support and training for BIND 9 are
Feb 26 06:46:09 ketlin1 named[3663]: available at https://www.isc.org/support
Feb 26 06:46:09 ketlin1 named[3663]: ----------------------------------------------------
Feb 26 06:46:09 ketlin1 named[3663]: adjusted limit on open files from 524288 to 1048576
Feb 26 06:46:09 ketlin1 named[3663]: found 4 CPUs, using 4 worker threads
Feb 26 06:46:09 ketlin1 named[3663]: using 4 UDP listeners per interface
Feb 26 06:46:09 ketlin1 named[3663]: using up to 21000 sockets
Feb 26 06:46:09 ketlin1 named[3663]: loading configuration from '/etc/named.conf'
Feb 26 06:46:09 ketlin1 named[3663]: reading built-in trust anchors from file '/etc/bind.keys'
Feb 26 06:46:09 ketlin1 named[3663]: using default UDP/IPv4 port range: [1024, 65535]
Feb 26 06:46:09 ketlin1 named[3663]: listening on IPv4 interface lo, 127.0.0.1#53
Feb 26 06:46:09 ketlin1 named[3663]: listening on IPv4 interface eth0, 192.168.1.60#53
Feb 26 06:46:09 ketlin1 named[3663]: generating session key for dynamic DNS
Feb 26 06:46:09 ketlin1 named[3663]: sizing zone task pool based on 6 zones
Feb 26 06:46:09 ketlin1 named[3663]: none:98: 'max-cache-size 90%' - setting to 14292MB (out of 15880MB)
Feb 26 06:46:09 ketlin1 named[3663]: obtaining root key for view _default from '/etc/bind.keys'
Feb 26 06:46:09 ketlin1 named[3663]: set up managed keys zone for view _default, file '/var/lib/named/dyn//managed-keys.bind'
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 10.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 16.172.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 17.172.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 18.172.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 19.172.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 20.172.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 21.172.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 22.172.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 23.172.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 24.172.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 25.172.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 26.172.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 27.172.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 28.172.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 29.172.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 30.172.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 31.172.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 168.192.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 64.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 65.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 66.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 67.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 68.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 69.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 70.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 71.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 72.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 73.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 74.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 75.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 76.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 77.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 78.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 79.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 80.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 81.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 82.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 83.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 84.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 85.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 86.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 87.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 88.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 89.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 90.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 91.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 92.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 93.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 94.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 95.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 96.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 97.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 98.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 99.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 100.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 101.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 102.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 103.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 104.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 105.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 106.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 107.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 108.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 109.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 110.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 111.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 112.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 113.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 114.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 115.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 116.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 117.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 118.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 119.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 120.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 121.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 122.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 123.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 124.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 125.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 126.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 127.100.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 0.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 127.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 254.169.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: D.F.IP6.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 8.E.F.IP6.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 9.E.F.IP6.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: A.E.F.IP6.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: B.E.F.IP6.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: EMPTY.AS112.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: automatic empty zone: HOME.ARPA
Feb 26 06:46:09 ketlin1 named[3663]: none:98: 'max-cache-size 90%' - setting to 14292MB (out of 15880MB)
Feb 26 06:46:09 ketlin1 named[3663]: configuring command channel from '/etc/rndc.key'
Feb 26 06:46:09 ketlin1 named[3663]: command channel listening on 127.0.0.1#953
Feb 26 06:46:09 ketlin1 named[3663]: dns_rdata_fromtext: /var/lib/named/dyn//managed-keys.bind:10: near eol: unexpected end of input
Feb 26 06:46:09 ketlin1 named[3663]: managed-keys-zone: loading from master file /var/lib/named/dyn//managed-keys.bind failed: unexpected end of input
Feb 26 06:46:09 ketlin1 named[3663]: managed-keys-zone: loaded serial 8
Feb 26 06:46:09 ketlin1 named[3663]: zone 1.168.192.in-addr.arpa/IN: loaded serial 2022250201
Feb 26 06:46:09 ketlin1 named[3663]: zone 0.0.127.in-addr.arpa/IN: loaded serial 42
Feb 26 06:46:09 ketlin1 named[3663]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 42
Feb 26 06:46:09 ketlin1 named[3663]: zone apopader.site/IN: loaded serial 2022250201
Feb 26 06:46:09 ketlin1 named[3663]: zone localhost/IN: loaded serial 42
Feb 26 06:46:09 ketlin1 named[3663]: all zones loaded
Feb 26 06:46:09 ketlin1 named[3663]: running
Feb 26 06:46:09 ketlin1 named.init[3613]: Starting name server BIND
Feb 26 06:46:09 ketlin1 systemd[1]: Started Berkeley Internet Name Domain (DNS).
Feb 26 06:46:10 ketlin1 named[3663]: managed-keys-zone: DNSKEY set for zone '.' could not be verified with current keys
Feb 26 06:46:10 ketlin1 named[3663]: validating ./NS: no valid signature found
Feb 26 06:46:10 ketlin1 named[3663]: no valid RRSIG resolving './NS/IN': 192.5.5.241#53
Feb 26 06:46:10 ketlin1 named[3663]: validating ./NS: no valid signature found
Feb 26 06:46:10 ketlin1 named[3663]: no valid RRSIG resolving './NS/IN': 192.58.128.30#53
Feb 26 06:46:10 ketlin1 named[3663]: validating ./NS: no valid signature found
Feb 26 06:46:10 ketlin1 named[3663]: no valid RRSIG resolving './NS/IN': 202.12.27.33#53
Feb 26 06:46:10 ketlin1 named[3663]: validating ./NS: no valid signature found
Feb 26 06:46:10 ketlin1 named[3663]: no valid RRSIG resolving './NS/IN': 198.41.0.4#53
Feb 26 06:46:10 ketlin1 named[3663]: validating ./NS: no valid signature found
Feb 26 06:46:10 ketlin1 named[3663]: no valid RRSIG resolving './NS/IN': 192.33.4.12#53
Feb 26 06:46:10 ketlin1 named[3663]: validating ./NS: no valid signature found
Feb 26 06:46:10 ketlin1 named[3663]: no valid RRSIG resolving './NS/IN': 199.7.91.13#53
Feb 26 06:46:10 ketlin1 named[3663]: validating ./NS: no valid signature found
Feb 26 06:46:10 ketlin1 named[3663]: no valid RRSIG resolving './NS/IN': 199.9.14.201#53
Feb 26 06:46:10 ketlin1 named[3663]: validating ./NS: no valid signature found
Feb 26 06:46:10 ketlin1 named[3663]: no valid RRSIG resolving './NS/IN': 192.112.36.4#53
Feb 26 06:46:10 ketlin1 named[3663]: validating ./NS: no valid signature found
Feb 26 06:46:10 ketlin1 named[3663]: no valid RRSIG resolving './NS/IN': 192.203.230.10#53
Feb 26 06:46:10 ketlin1 named[3663]: validating ./NS: no valid signature found
Feb 26 06:46:10 ketlin1 named[3663]: no valid RRSIG resolving './NS/IN': 192.36.148.17#53
Feb 26 06:46:10 ketlin1 named[3663]: validating ./NS: no valid signature found
Feb 26 06:46:10 ketlin1 named[3663]: no valid RRSIG resolving './NS/IN': 193.0.14.129#53
Feb 26 06:46:10 ketlin1 named[3663]: validating ./NS: no valid signature found
Feb 26 06:46:10 ketlin1 named[3663]: no valid RRSIG resolving './NS/IN': 198.97.190.53#53
Feb 26 06:46:10 ketlin1 named[3663]: validating ./NS: no valid signature found
Feb 26 06:46:10 ketlin1 named[3663]: no valid RRSIG resolving './NS/IN': 199.7.83.42#53
Feb 26 06:46:10 ketlin1 named[3663]: resolver priming query complete
Feb 26 06:46:12 ketlin1 named[3663]:     validating org/DS: no valid signature found
Feb 26 06:46:12 ketlin1 named[3663]: broken trust chain resolving '_.opensuse.pool.ntp.org/A/IN': 147.75.42.129#53
Feb 26 06:46:12 ketlin1 named[3663]: validating org/DS: no valid signature found
Feb 26 06:46:12 ketlin1 named[3663]: no valid RRSIG resolving 'org/DS/IN': 199.7.91.13#53
Feb 26 06:46:12 ketlin1 named[3663]: validating org/DS: no valid signature found
Feb 26 06:46:12 ketlin1 named[3663]: no valid RRSIG resolving 'org/DS/IN': 192.203.230.10#53
Feb 26 06:46:12 ketlin1 named[3663]: validating org/DS: no valid signature found
Feb 26 06:46:12 ketlin1 named[3663]: no valid RRSIG resolving 'org/DS/IN': 192.33.4.12#53
Feb 26 06:46:12 ketlin1 named[3663]: validating org/DS: no valid signature found
Feb 26 06:46:12 ketlin1 named[3663]: no valid RRSIG resolving 'org/DS/IN': 198.97.190.53#53
Feb 26 06:46:12 ketlin1 named[3663]: validating org/DS: no valid signature found
Feb 26 06:46:12 ketlin1 named[3663]: no valid RRSIG resolving 'org/DS/IN': 192.58.128.30#53
Feb 26 06:46:12 ketlin1 named[3663]: validating org/DS: no valid signature found
Feb 26 06:46:12 ketlin1 named[3663]: no valid RRSIG resolving 'org/DS/IN': 198.41.0.4#53
Feb 26 06:46:12 ketlin1 named[3663]: validating org/DS: no valid signature found
Feb 26 06:46:12 ketlin1 named[3663]: no valid RRSIG resolving 'org/DS/IN': 199.7.83.42#53
Feb 26 06:46:12 ketlin1 named[3663]: validating org/DS: no valid signature found
Feb 26 06:46:12 ketlin1 named[3663]: no valid RRSIG resolving 'org/DS/IN': 192.36.148.17#53
Feb 26 06:46:12 ketlin1 named[3663]: validating org/DS: no valid signature found
Feb 26 06:46:12 ketlin1 named[3663]: no valid RRSIG resolving 'org/DS/IN': 192.5.5.241#53
Feb 26 06:46:12 ketlin1 named[3663]: validating org/DS: no valid signature found
Feb 26 06:46:12 ketlin1 named[3663]: no valid RRSIG resolving 'org/DS/IN': 202.12.27.33#53
Feb 26 06:46:12 ketlin1 named[3663]: validating org/DS: no valid signature found
Feb 26 06:46:12 ketlin1 named[3663]: no valid RRSIG resolving 'org/DS/IN': 199.9.14.201#53
Feb 26 06:46:12 ketlin1 named[3663]: validating org/DS: no valid signature found
Feb 26 06:46:12 ketlin1 named[3663]: no valid RRSIG resolving 'org/DS/IN': 192.112.36.4#53
Feb 26 06:46:12 ketlin1 named[3663]: validating org/DS: no valid signature found
Feb 26 06:46:12 ketlin1 named[3663]: no valid RRSIG resolving 'org/DS/IN': 193.0.14.129#53
Feb 26 06:46:12 ketlin1 named[3663]: broken trust chain resolving '2.opensuse.pool.ntp.org/AAAA/IN': 139.178.68.139#53
Feb 26 06:46:12 ketlin1 named[3663]: broken trust chain resolving '2.opensuse.pool.ntp.org/A/IN': 139.178.68.139#53
Feb 26 06:46:27 ketlin1 named[3663]:     validating net/DS: no valid signature found
Feb 26 06:46:27 ketlin1 named[3663]: broken trust chain resolving '_.cdn.mozilla.net/A/IN': 96.7.49.66#53
Feb 26 06:46:27 ketlin1 named[3663]: validating net/DS: no valid signature found
Feb 26 06:46:27 ketlin1 named[3663]: no valid RRSIG resolving 'net/DS/IN': 192.33.4.12#53
Feb 26 06:46:27 ketlin1 named[3663]: validating net/DS: no valid signature found
Feb 26 06:46:27 ketlin1 named[3663]: no valid RRSIG resolving 'net/DS/IN': 199.7.91.13#53
Feb 26 06:46:27 ketlin1 named[3663]: validating net/DS: no valid signature found
Feb 26 06:46:27 ketlin1 named[3663]: no valid RRSIG resolving 'net/DS/IN': 192.203.230.10#53
Feb 26 06:46:27 ketlin1 named[3663]: validating net/DS: no valid signature found
Feb 26 06:46:27 ketlin1 named[3663]: no valid RRSIG resolving 'net/DS/IN': 198.97.190.53#53
Feb 26 06:46:27 ketlin1 named[3663]: validating net/DS: no valid signature found
Feb 26 06:46:27 ketlin1 named[3663]: no valid RRSIG resolving 'net/DS/IN': 192.58.128.30#53
Feb 26 06:46:27 ketlin1 named[3663]: validating net/DS: no valid signature found
Feb 26 06:46:27 ketlin1 named[3663]: no valid RRSIG resolving 'net/DS/IN': 198.41.0.4#53
Feb 26 06:46:27 ketlin1 named[3663]: validating net/DS: no valid signature found
Feb 26 06:46:27 ketlin1 named[3663]: no valid RRSIG resolving 'net/DS/IN': 199.7.83.42#53
Feb 26 06:46:27 ketlin1 named[3663]: validating net/DS: no valid signature found
Feb 26 06:46:27 ketlin1 named[3663]: no valid RRSIG resolving 'net/DS/IN': 192.36.148.17#53
Feb 26 06:46:27 ketlin1 named[3663]: validating net/DS: no valid signature found
Feb 26 06:46:27 ketlin1 named[3663]: no valid RRSIG resolving 'net/DS/IN': 192.5.5.241#53
Feb 26 06:46:27 ketlin1 named[3663]: validating net/DS: no valid signature found
Feb 26 06:46:27 ketlin1 named[3663]: no valid RRSIG resolving 'net/DS/IN': 193.0.14.129#53
Feb 26 06:46:27 ketlin1 named[3663]: validating net/DS: no valid signature found
Feb 26 06:46:27 ketlin1 named[3663]: no valid RRSIG resolving 'net/DS/IN': 202.12.27.33#53
Feb 26 06:46:27 ketlin1 named[3663]: validating net/DS: no valid signature found
Feb 26 06:46:27 ketlin1 named[3663]: no valid RRSIG resolving 'net/DS/IN': 199.9.14.201#53
Feb 26 06:46:27 ketlin1 named[3663]: validating net/DS: no valid signature found
Feb 26 06:46:27 ketlin1 named[3663]: no valid RRSIG resolving 'net/DS/IN': 192.112.36.4#53
Feb 26 06:46:27 ketlin1 named[3663]: broken trust chain resolving 'img-getpocket.cdn.mozilla.net/A/IN': 193.108.91.240#53
Feb 26 06:46:27 ketlin1 named[3663]:   validating pool.ntp.org/SOA: bad cache hit (org/DS)
Feb 26 06:46:27 ketlin1 named[3663]: broken trust chain resolving '_.suse.pool.ntp.org/A/IN': 212.25.19.23#53
Feb 26 06:46:28 ketlin1 named[3663]: validating 2.suse.pool.ntp.org/A: bad cache hit (org/DS)
Feb 26 06:46:28 ketlin1 named[3663]: broken trust chain resolving '2.suse.pool.ntp.org/A/IN': 160.119.216.201#53
Feb 26 06:46:28 ketlin1 named[3663]: validating 2.suse.pool.ntp.org/AAAA: bad cache hit (org/DS)
Feb 26 06:46:28 ketlin1 named[3663]: broken trust chain resolving '2.suse.pool.ntp.org/AAAA/IN': 160.119.216.201#53
Feb 26 06:46:28 ketlin1 named[3663]: validating www.mozilla.org/CNAME: bad cache hit (org/DS)
Feb 26 06:46:28 ketlin1 named[3663]: broken trust chain resolving 'www.mozilla.org/A/IN': 184.85.248.65#53
Feb 26 06:46:28 ketlin1 named[3663]:   validating com/DS: no valid signature found
Feb 26 06:46:28 ketlin1 named[3663]: broken trust chain resolving 'www.facebook.com/A/IN': 185.89.219.12#53
Feb 26 06:46:28 ketlin1 named[3663]: validating com/DS: no valid signature found
Feb 26 06:46:28 ketlin1 named[3663]: no valid RRSIG resolving 'com/DS/IN': 192.203.230.10#53
Feb 26 06:46:28 ketlin1 named[3663]: validating com/DS: no valid signature found
Feb 26 06:46:28 ketlin1 named[3663]: no valid RRSIG resolving 'com/DS/IN': 192.33.4.12#53
Feb 26 06:46:28 ketlin1 named[3663]: validating com/DS: no valid signature found
Feb 26 06:46:28 ketlin1 named[3663]: no valid RRSIG resolving 'com/DS/IN': 199.7.91.13#53
Feb 26 06:46:28 ketlin1 named[3663]: validating com/DS: no valid signature found
Feb 26 06:46:28 ketlin1 named[3663]: no valid RRSIG resolving 'com/DS/IN': 198.97.190.53#53
Feb 26 06:46:28 ketlin1 named[3663]: validating com/DS: no valid signature found
Feb 26 06:46:28 ketlin1 named[3663]: no valid RRSIG resolving 'com/DS/IN': 192.58.128.30#53
Feb 26 06:46:28 ketlin1 named[3663]: validating com/DS: no valid signature found
Feb 26 06:46:28 ketlin1 named[3663]: no valid RRSIG resolving 'com/DS/IN': 198.41.0.4#53
Feb 26 06:46:28 ketlin1 named[3663]: validating com/DS: no valid signature found
Feb 26 06:46:28 ketlin1 named[3663]: no valid RRSIG resolving 'com/DS/IN': 199.7.83.42#53
Feb 26 06:46:28 ketlin1 named[3663]: validating com/DS: no valid signature found
Feb 26 06:46:28 ketlin1 named[3663]: no valid RRSIG resolving 'com/DS/IN': 192.5.5.241#53
Feb 26 06:46:28 ketlin1 named[3663]: validating com/DS: no valid signature found
Feb 26 06:46:28 ketlin1 named[3663]: no valid RRSIG resolving 'com/DS/IN': 192.36.148.17#53
Feb 26 06:46:28 ketlin1 named[3663]: validating com/DS: no valid signature found
Feb 26 06:46:28 ketlin1 named[3663]: no valid RRSIG resolving 'com/DS/IN': 193.0.14.129#53
Feb 26 06:46:28 ketlin1 named[3663]: validating com/DS: no valid signature found
Feb 26 06:46:28 ketlin1 named[3663]: no valid RRSIG resolving 'com/DS/IN': 199.9.14.201#53
Feb 26 06:46:28 ketlin1 named[3663]: validating com/DS: no valid signature found
Feb 26 06:46:28 ketlin1 named[3663]: no valid RRSIG resolving 'com/DS/IN': 202.12.27.33#53
Feb 26 06:46:28 ketlin1 named[3663]: validating com/DS: no valid signature found
Feb 26 06:46:28 ketlin1 named[3663]: no valid RRSIG resolving 'com/DS/IN': 192.112.36.4#53
Feb 26 06:46:28 ketlin1 named[3663]: broken trust chain resolving 'detectportal.firefox.com/A/IN': 84.53.139.64#53

What did I do wrong?

Regards, Padersuse
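A triage script for journal output like the excerpt above, added here as an example and not part of the thread: it pulls the managed-keys file parse error out of the noise and separates that root cause from the validation failures that follow from it (with no usable trust anchor, every signed answer fails to validate). The function names and the sample excerpt are constructed from the lines posted above, not from any BIND tool.

```python
"""Triage a BIND 9 journal excerpt for DNSSEC trust-anchor problems.

Added example. The log-line patterns match the message formats that
named 9.16 writes, as seen in the journal excerpt in this thread.
"""
import re
from collections import Counter

# Constructed sample, copied from the message formats posted in the thread.
SAMPLE_LOG = """\
Feb 26 06:46:09 ketlin1 named[3663]: reading built-in trust anchors from file '/etc/bind.keys'
Feb 26 06:46:09 ketlin1 named[3663]: set up managed keys zone for view _default, file '/var/lib/named/dyn//managed-keys.bind'
Feb 26 06:46:09 ketlin1 named[3663]: dns_rdata_fromtext: /var/lib/named/dyn//managed-keys.bind:10: near eol: unexpected end of input
Feb 26 06:46:09 ketlin1 named[3663]: managed-keys-zone: loading from master file /var/lib/named/dyn//managed-keys.bind failed: unexpected end of input
Feb 26 06:46:09 ketlin1 named[3663]: managed-keys-zone: loaded serial 8
Feb 26 06:46:10 ketlin1 named[3663]: managed-keys-zone: DNSKEY set for zone '.' could not be verified with current keys
Feb 26 06:46:10 ketlin1 named[3663]: validating ./NS: no valid signature found
Feb 26 06:46:10 ketlin1 named[3663]: no valid RRSIG resolving './NS/IN': 192.5.5.241#53
Feb 26 06:46:12 ketlin1 named[3663]: broken trust chain resolving '_.opensuse.pool.ntp.org/A/IN': 147.75.42.129#53
Feb 26 06:46:27 ketlin1 named[3663]: broken trust chain resolving 'img-getpocket.cdn.mozilla.net/A/IN': 193.108.91.240#53
Feb 26 06:46:28 ketlin1 named[3663]: broken trust chain resolving 'www.facebook.com/A/IN': 185.89.219.12#53
"""

# Only lines written by the named daemon itself (not named.init or systemd).
MSG = re.compile(r"named\[\d+\]: (?P<msg>.*)$")
# The zone-file parser reports file:line of the unparsable record.
PARSE_ERR = re.compile(r"^dns_rdata_fromtext: (?P<file>.+?):(?P<line>\d+): (?P<reason>.*)$")
LOAD_FAIL = re.compile(r"^managed-keys-zone: loading from master file (?P<file>\S+) failed: (?P<reason>.*)$")
ANCHOR_FAIL = re.compile(r"^managed-keys-zone: DNSKEY set for zone '(?P<zone>[^']*)' could not be verified")
BROKEN = re.compile(r"^broken trust chain resolving '(?P<name>[^/]+)/(?P<type>\w+)/IN'")
NO_RRSIG = re.compile(r"^no valid RRSIG resolving '(?P<name>[^/]+)/(?P<type>\w+)/IN'")


def triage(journal_text):
    """Collect trust-anchor errors and per-name validation failures."""
    summary = {
        "key_file": None,          # managed-keys state file named tried to load
        "key_file_line": None,     # line at which parsing stopped
        "load_failure": None,      # reason the managed-keys zone failed to load
        "anchor_unverified": [],   # zones whose DNSKEY set could not be verified
        "no_rrsig": Counter(),     # names with missing/invalid RRSIGs
        "broken_chain": Counter(), # names whose chain of trust is broken
    }
    for line in journal_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg = m.group("msg").strip()
        if (p := PARSE_ERR.match(msg)):
            summary["key_file"] = p.group("file")
            summary["key_file_line"] = int(p.group("line"))
        elif (f := LOAD_FAIL.match(msg)):
            summary["load_failure"] = f.group("reason")
            summary["key_file"] = summary["key_file"] or f.group("file")
        elif (a := ANCHOR_FAIL.match(msg)):
            summary["anchor_unverified"].append(a.group("zone"))
        elif (b := BROKEN.match(msg)):
            summary["broken_chain"][b.group("name")] += 1
        elif (n := NO_RRSIG.match(msg)):
            summary["no_rrsig"][n.group("name")] += 1
    return summary


def diagnose(summary):
    """Defender's reading: find the first failure, not the loudest one."""
    if summary["load_failure"] is not None:
        return ("ROOT_CAUSE: managed-keys zone not loaded (%s:%s); "
                "validation failures below are downstream symptoms"
                % (summary["key_file"], summary["key_file_line"]))
    if summary["anchor_unverified"]:
        return "ROOT_CAUSE: trust anchor mismatch for zone(s) %s" % summary["anchor_unverified"]
    if summary["broken_chain"] or summary["no_rrsig"]:
        return "SYMPTOM_ONLY: validation failures without trust-anchor errors; check upstream and clock"
    return "OK"


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(diagnose(s))
    for name, count in s["broken_chain"].most_common():
        print("  broken trust chain: %-40s x%d" % (name, count))
```

The verdict points at the managed-keys state file, which is named's own RFC 5011 key store: the fix is to repair that file, not to turn validation off.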
 
Hello marce,
could the error message have something to do with the
Code:
rndc-key
?
When I run the refresh command for
Code:
rndc
I get the message

Code:
rndc refresh
rndc: 'refresh' failed: unexpected end of input
?
Regards, Padersuse
 
Could be, yes. Output such as "Fehler", "Error", "Failed" or the like is usually a fairly good hint that something has gone wrong.

Whether it is the cause in your case and helps with fixing it at all can only be guessed at, thanks to the top-secret rest of the config.
 
The content of the file /etc/named.conf:

Code:
# Copyright (c) 2001-2004 SuSE Linux AG, Nuernberg, Germany.
# All rights reserved.
#
# Author: Frank Bodammer, Lars Mueller <lmuelle@suse.de>
#
# /etc/named.conf
#
# This is a sample configuration file for the name server BIND 9.  It works as
# a caching only name server without modification.
#
# A sample configuration for setting up your own domain can be found in
# /usr/share/doc/packages/bind/sample-config.
#
# A description of all available options can be found in
# /usr/share/doc/packages/bind/misc/options.

options {

	# The directory statement defines the name server's working directory

	directory "/var/lib/named";

	# enable DNSSEC validation
	#
	# If BIND logs error messages about the root key being expired, you
	# will need to update your keys. See https://www.isc.org/bind-keys
	#
	# The dnssec-enable option has been obsoleted and no longer has any effect.
 	# DNSSEC responses are always enabled if signatures and other DNSSEC data are present.

	# dnssec-validation yes (default), indicates that a resolver
	# (a caching or caching-only name server) will attempt to validate
	# replies from DNSSEC enabled (signed) zones. To perform this task
	# the server also needs either a valid trusted-keys clause
	# (containing one or more trusted-anchors) or a managed-keys clause.
	# If you have problems with forwarders not returning signed responses,
 	# set this to "no", but be aware that this may create security issues
 	# so better switch to a forwarder which supports DNSSEC!

	#dnssec-validation auto;
	managed-keys-directory "/var/lib/named/dyn/";

	# Write dump and statistics file to the log subdirectory.  The
	# pathnames are relative to the chroot jail.

	dump-file "/var/log/named_dump.db";
	statistics-file "/var/log/named.stats";

	# The forwarders record contains a list of servers to which queries
	# should be forwarded.  Enable this line and modify the IP address to
	# your provider's name server.  Up to three servers may be listed.

	#forwarders { 192.0.2.1; 192.0.2.2; };

	# Enable the next entry to prefer usage of the name server declared in
	# the forwarders section.

	#forward first;

	# The listen-on record contains a list of local network interfaces to
	# listen on.  Optionally the port can be specified.  Default is to
	# listen on all interfaces found on your system.  The default port is
	# 53.

	#listen-on port 53 { 127.0.0.1; };

	# The listen-on-v6 record enables or disables listening on IPv6
	# interfaces.  Allowed values are 'any' and 'none' or a list of
	# addresses.

	listen-on-v6 { any; };

	# The next three statements may be needed if a firewall stands between
	# the local server and the internet.

	#query-source address * port 53;
	#transfer-source * port 53;
	#notify-source * port 53;

	# The allow-query record contains a list of networks or IP addresses
	# to accept and deny queries from. The default is to allow queries
	# from all hosts.

	#allow-query { 127.0.0.1; };

	# If notify is set to yes (default), notify messages are sent to other
	# name servers when the zone data is changed.  Instead of setting
	# a global 'notify' statement in the 'options' section, a separate
	# 'notify' can be added to each zone definition.

	notify no;

    disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
};

# To configure named's logging remove the leading '#' characters of the
# following examples.
#logging {
#	# Log queries to a file limited to a size of 100 MB.
#	channel query_logging {
#		file "/var/log/named_querylog"
#			versions 3 size 100M;
#		print-time yes;			// timestamp log entries
#	};
#	category queries {
#		query_logging;
#	};
#
#	# Or log this kind alternatively to syslog.
#	channel syslog_queries {
#		syslog user;
#		severity info;
#	};
#	category queries { syslog_queries; };
#
#	# Log general name server errors to syslog.
#	channel syslog_errors {
#		syslog user;
#		severity error;
#	};
#	category default { syslog_errors;  };
#
#	# Don't log lame server messages.
#	category lame-servers { null; };
#};

# The following zone definitions don't need any modification.  The first one
# is the definition of the root name servers.  The second one defines
# localhost while the third defines the reverse lookup for localhost.

zone "." in {
	type hint;
	file "root.hint";
};

zone "localhost" in {
	type master;
	file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
	type master;
	file "127.0.0.zone";
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "127.0.0.zone";
};


# Include the meta include file generated by createNamedConfInclude.  This
# includes all files as configured in NAMED_CONF_INCLUDE_FILES from
# /etc/sysconfig/named

include "/etc/named.conf.include";

# You can insert further zone records for your own domains below or create
# single files in /etc/named.d/ and add the file names to
# NAMED_CONF_INCLUDE_FILES.
# See /usr/share/doc/packages/bind/README.SUSE for more details.

zone "apopader.site" in {
        type master;
        file "apopader.site.zone";
};

zone "1.168.192.in-addr.arpa" in {
        type master;
        file "1.168.192.zone";
};

The content of the file /etc/named.conf.include:

Code:
#
# This file is autogenerated by /usr/share/bind/createNamedConfInclude
# on Fri Feb 25 19:51:12 CET 2022.  Don't edit it manually.
#
# Add additional configuration files which should be added to /etc/named.conf
# by this mechanism to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named.  This
# is possible with the YaST sysconfig or any other editor.
#
# See /usr/share/doc/packages/bind/README.SUSE section
# createNamedConfInclude for more details.
#

#include "/etc/named.d/apopader.site.conf";

The content of the file /etc/rndc.key:

Code:
key "rndc-key" {
	algorithm hmac-sha256;
	secret "/YMyAAM3gD03bXOTNp+Cqe0sm5gjJONIqNtmz+vsqsOCkukBOAQUJNSvzOcJybZR8K3lSmozBChCl5fO+x7zgg==";
};

The content of the file /etc/named.d/rncd-access.conf:

Code:
# ensure to find the key named 'rndc-key'
include "/etc/rndc.key";

controls {
	# Bind BIND's control channel to localhost and allow access from
	# loopback addresses only.
	# This control channel is used for the init script /etc/init.d/named,
	# rcnamed while called with the option reload or status
	inet 127.0.0.1 allow {
		127.0.0.0/8;
	} keys { rndc-key; };

	# In the following example BIND's control channel in addition is bound
	# to IP address 192.0.2.1 and access is granted to loopback addresses
	# and the 192.0.2.0/24 network.

	#inet 192.0.2.1 allow {
	#	127.0.0.0/8;
	#	192.0.2.0/24;
	#} keys { rndc-key; };
};

The content of the file /etc/sysconfig/named:

Code:
## Type: string
## Default: ""
## ServiceReload: named
#
# All mentioned config files will be copied relative to /var/lib/named/, when
# 'named' is started in the chroot jail.
#
# /etc/named.conf and /etc/rndc.key are always copied.  Also all files from
# include statements in named.conf.
#
# Filenames can be relative to /etc/named.d/.
#
# Please take care of the order if one file needs a setting of another.
#
# Example: "/etc/named-dhcpd.key ldap.dump rndc-access.conf"
#
# /etc/bind.keys is already included to suppress named warning about missing file.
#NAMED_CONF_INCLUDE_FILES="/etc/bind.keys"
#NAMED_CONF_INCLUDE_FILES="/etc/named.d/apopader.site.conf"

## Type: string
## Default: "createNamedConfInclude"
## ServiceReload: named
#
# Programs to be executed each time the DNS server 'named' is started or
# reloaded.
#
# Filenames can be relative to /usr/share/bind/.
#
NAMED_INITIALIZE_SCRIPTS="createNamedConfInclude"
## Path: Network/DNS/Name Server
## Description: Name server settings

## Type: yesno
## Default: yes
## ServiceRestart: lwresd,named
#
# Shall the DNS server 'named' or the LightWeight RESolver Daemon, lwresd run
# in the chroot jail /var/lib/named/?
#
# Each time you start one of the daemons with the init script, /etc/named.conf,
# /etc/named.conf.include, /etc/rndc.key, and all files listed in
# NAMED_CONF_INCLUDE_FILES will be copied relative to /var/lib/named/.
#
# The pid file will be in /var/lib/named/run/named/ and named named.pid
# or lwresd.pid.
#
NAMED_RUN_CHROOTED="yes"

## Type: string
## Default: ""
## ServiceRestart: lwresd,named
#
# Additional arguments when starting the name daemon with the init script
# /etc/init.d/named or rcnamed.
#
# For example "-n 2" to use two CPUs if named is unable to determine the
# number of available CPUs.
#
# See man 8 named for all available commandline options.
#
# "-t /var/lib/named/var" is added if NAMED_RUN_CHROOTED is set to yes.
#
# "-u named" is used in any case by the init script to run the named daemon as
# user 'named' after completing privileged operations.
#
NAMED_ARGS="-4"

The content of the file /etc/sysconfig/network/config:

Code:
## Type:        integer
## Default:     ""
#
# How long to wait for IPv6 autoconfig in ifup when requested with
# the auto6 or +auto6 tag in BOOTPROTO variable.
# When unset, a wicked built-in default defer time (10sec) is used.
#
AUTO6_WAIT_AT_BOOT=""

## Type:        list(all,dns,none,"")
## Default:     ""
#
# Whether to update system (DNS) settings from IPv6 RA when requested
# with the auto6 or +auto6 tag in BOOTPROTO variable.
# Defaults to update if autoconf sysctl (address autoconf) is enabled.
#
AUTO6_UPDATE=""

## Type:        list(auto,yes,no)
## Default:     "auto"
#
# Permits to specify/modify a global ifcfg default. Use with care!
#
# This settings breaks rules for many things, which require carrier
# before they can start, e.g. L2 link protocols, link authentication,
# ipv4 duplicate address detection, ipv6 duplicate detection will
# happen "post-mortem" and maybe even cause to disable ipv6 at all.
# See also "man ifcfg" for further information.
#
LINK_REQUIRED="auto"

## Type:        string
## Default:     ""
#
# Allows to specify a comma separated list of debug facilities used
# by wicked. Negated facility names can be prepended by a "-", e.g.:
#   "all,-events,-socket,-objectmodel,xpath,xml,dbus"
#
# When set, wicked debug level is automatically enabled.
# For a complete list of facility names, see: "wicked --debug help".
#
WICKED_DEBUG=""

## Type:        list("",error,warning,notice,info,debug,debug1,debug2,debug3)
## Default:     ""
#
# Allows to specify wicked debug level. Default level is "notice".
#
WICKED_LOG_LEVEL=""
## Path:	Network/General
## Description:	Global network configuration
#
# Note: 
# Most of the options can and should be overridden by per-interface
# settings in the ifcfg-* files.
#
# Note: The ISC dhclient started by the NetworkManager is not using any
# of these options -- NetworkManager is not using any sysconfig settings.
#

## Type:        yesno
## Default:     yes
# If ifup should check if an IPv4 address is already in use, set this to yes.
#
# Make sure that packet sockets (CONFIG_PACKET) are supported in the kernel,
# since this feature uses arp, which depends on that.
# Also be aware that this takes one second per interface; consider that when
# setting up a lot of interfaces. 
CHECK_DUPLICATE_IP="yes"

## Type:        list(auto,yes,no)
## Default:     auto
# If ifup should send a gratuitous ARP to inform the receivers about its
# IPv4 addresses. Default is to send gratuitous ARP, when duplicate IPv4
# address check is enabled and the check was successful.
#
# Make sure that packet sockets (CONFIG_PACKET) are supported in the kernel,
# since this feature uses arp, which depends on that.
SEND_GRATUITOUS_ARP="auto"

## Type:        yesno
## Default:     no
# Switch on/off debug messages for all network configuration stuff. If set to no
# most scripts can enable it locally with "-o debug".
DEBUG="no"

## Type:	integer
## Default:	30
#
# Some interfaces need some time to come up or come asynchronously via hotplug.
# WAIT_FOR_INTERFACES is a global wait for all mandatory interfaces in
# seconds. If empty no wait occurs.
#
WAIT_FOR_INTERFACES="30"

## Type:	yesno
## Default:	yes
#
# With this variable you can determine if the SuSEfirewall when enabled
# should get started when network interfaces are started.
FIREWALL="yes"

## Type:	int
## Default:	30
#
# When using NetworkManager you may define a timeout to wait for NetworkManager
# to connect in NetworkManager-wait-online.service.  Other network services
# may require the system to have a valid network setup in order to succeed.
#
# This variable has no effect if NetworkManager is disabled.
#
NM_ONLINE_TIMEOUT="30"

## Type:        string
## Default:     "dns-resolver dns-bind ntp-runtime nis"
#
# This variable defines the start order of netconfig modules installed
# in the /etc/netconfig.d/ directory.
#
# To disable the execution of a module, don't remove it from the list
# but prepend it with a minus sign, "-ntp-runtime".
#
NETCONFIG_MODULES_ORDER="dns-resolver dns-bind dns-dnsmasq nis ntp-runtime"

## Type:        yesno
## Default:     no
#
# Enable netconfig verbose reporting.
#
NETCONFIG_VERBOSE="no"

## Type:	yesno
## Default:	no
#
# This variable enables netconfig to always force a replace of modified
# files and automatically enables the -f | --force-replace parameter.
#
# The purpose is to use it as workaround, when some other tool trashes
# the files, e.g. /etc/resolv.conf and you observe messages like this
# in your logs on in "netconfig update" output:
# ATTENTION: You have modified /etc/resolv.conf. Leaving it untouched.
#
# Please do not forget to also report a bug as we have a system policy
# to use netconfig.
#
NETCONFIG_FORCE_REPLACE="no"

## Type:        string
## Default:     "auto"
#
# Defines the DNS merge policy as documented in netconfig(8) manual page.
# Set to "" to disable DNS configuration.
#
NETCONFIG_DNS_POLICY="auto"

## Type:        string(resolver,bind,dnsmasq,)
## Default:     "resolver"
#
# Defines the name of the DNS forwarder that has to be configured.
# Currently implemented are "bind", "dnsmasq" and "resolver", that
# causes to write the name server IP addresses to /etc/resolv.conf
# only (no forwarder). Empty string defaults to "resolver".
#
NETCONFIG_DNS_FORWARDER="resolver"

## Type:        yesno
## Default:     yes
#
# When enabled (default) in forwarder mode ("bind", "dnsmasq"),
# netconfig writes an explicit localhost nameserver address to the
# /etc/resolv.conf, followed by the policy resolved name server list
# as fallback for the moments, when the local forwarder is stopped.
#
NETCONFIG_DNS_FORWARDER_FALLBACK="yes"

## Type:        string
## Default:     ""
#
# List of DNS domain names used for host-name lookup.
# It is written as search list into the /etc/resolv.conf file.
#
NETCONFIG_DNS_STATIC_SEARCHLIST="apopader.site"

## Type:        string
## Default:     ""
#
# List of DNS nameserver IP addresses to use for host-name lookup.
# When the NETCONFIG_DNS_FORWARDER variable is set to "resolver",
# the name servers are written directly to /etc/resolv.conf.
# Otherwise, the nameserver are written into a forwarder specific
# configuration file and the /etc/resolv.conf does not contain any
# nameservers causing the glibc to use the name server on the local
# machine (the forwarder). See also netconfig(8) manual page.
#
NETCONFIG_DNS_STATIC_SERVERS="127.0.0.1 194.25.2.129"

## Type:        string
## Default:     "auto"
#
# Allows to specify a custom DNS service ranking list, that is which
# services provide preferred (e.g. vpn services), and which services
# fallback settings (e.g. avahi).
# Preferred service names have to be prepended with a "+", fallback
# service names with a "-" character. The special default value
# "auto" enables the current build-in service ranking list -- see the
# netconfig(8) manual page -- "none" or "" disables the ranking.
#
NETCONFIG_DNS_RANKING="auto"

## Type:        string
## Default:     ""
#
# Allows to specify options to use when writing the /etc/resolv.conf,
# for example:
# 	"debug attempts:1 timeout:10"
# See resolv.conf(5) manual page for details.
#
NETCONFIG_DNS_RESOLVER_OPTIONS=""

## Type:        string
## Default:     ""
#
# Allows to specify a sortlist to use when writing the /etc/resolv.conf,
# for example:
# 	130.155.160.0/255.255.240.0 130.155.0.0"
# See resolv.conf(5) manual page for details.
#
NETCONFIG_DNS_RESOLVER_SORTLIST=""

## Type:        string
## Default:     "auto"
#
# Defines the NTP merge policy as documented in netconfig(8) manual page.
# Set to "" to disable NTP configuration.
#
NETCONFIG_NTP_POLICY="auto"

## Type:        string
## Default:     ""
#
# List of NTP servers.
#
NETCONFIG_NTP_STATIC_SERVERS=""

## Type:        string
## Default:     "auto"
#
# Defines the NIS merge policy as documented in netconfig(8) manual page.
# Set to "" to disable NIS configuration.
#
NETCONFIG_NIS_POLICY="auto"

## Type:        string(yes,no,)
## Default:     "yes"
#
# Defines whether to set the default NIS domain. When enabled and no domain
# is provided dynamically or in static settings, /etc/defaultdomain is used.
# Valid values are:
#  - "no" or ""         netconfig does not set the domainname
#  - "yes"              netconfig sets the domainname according to the
#                       NIS policy using settings provided by the first
#                       interface and service that provided it.
#  - "<interface name>" as yes, but only using settings from interface.
#
NETCONFIG_NIS_SETDOMAINNAME="yes"

## Type:        string
## Default:     ""
#
# Defines a default NIS domain.
#
# Further domain can be specified by adding a "_<number>" suffix to
# the NETCONFIG_NIS_STATIC_DOMAIN and NETCONFIG_NIS_STATIC_SERVERS
# variables, e.g.: NETCONFIG_NIS_STATIC_DOMAIN_1="second".
#
NETCONFIG_NIS_STATIC_DOMAIN=""

## Type:        string
## Default:     ""
#
# Defines a list of NIS servers for the default NIS domain or the
# domain specified with same "_<number>" suffix.
#
NETCONFIG_NIS_STATIC_SERVERS=""

## Type:	string
## Default:	''
#
# Set this global variable to the ISO / IEC 3166 alpha2
# country code specifying the wireless regulatory domain to set.
# When not empty, ifup-wireless will be set in the wpa_supplicant
# config or via 'iw reg set' command.
#
# Note: This option requires a wpa driver supporting it, like
# the 'nl80211' driver used by default since openSUSE 11.3.
# When you notice problems with your hardware, please file a
# bug report and set e.g. WIRELESS_WPA_DRIVER='wext' (the old
# default driver) in the ifcfg file.
# See also "/usr/sbin/wpa_supplicant --help" for the list of
# available wpa drivers.
#
WIRELESS_REGULATORY_DOMAIN=''

Can the question be resolved with this?
Regards, Padersuse
 
The problem is not the rndc-key.
The log messages show quite clearly that this is about the DNSSEC keys.
Code:
Feb 26 06:46:09 ketlin1 named[3663]: dns_rdata_fromtext: /var/lib/named/dyn//managed-keys.bind:10: near eol: unexpected end of input
Feb 26 06:46:09 ketlin1 named[3663]: managed-keys-zone: loading from master file /var/lib/named/dyn//managed-keys.bind failed: unexpected end of input
Feb 26 06:46:09 ketlin1 named[3663]: managed-keys-zone: loaded serial 8

This gives rise to follow-on errors such as:
Code:
Feb 26 06:46:12 ketlin1 named[3663]: broken trust chain resolving '_.opensuse.pool.ntp.org/A/IN': 147.75.42.129#53

The default value for DNSSEC validation is:
Code:
dnssec-validation yes;

Because you commented out the variable in /etc/sysconfig/named that includes /etc/bind.keys, the error with managed-keys.bind occurs.

So you need to edit the file /etc/sysconfig/named and remove the # in front of the variable that refers to /etc/bind.keys.
 
Hello spoensche,
thank you for replying. I have set the following directive in the file /etc/named.conf:
Code:
dnssec-validation yes;

I am just puzzled that the comment above it describes this as obsolete:
Code:
# enable DNSSEC validation
        #
        # If BIND logs error messages about the root key being expired, you
        # will need to update your keys. See https://www.isc.org/bind-keys
        #
        # The dnssec-enable option has been obsoleted and no longer has any effect.
        # DNSSEC responses are always enabled if signatures and other DNSSEC data are present.

        # dnssec-validation yes (default), indicates that a resolver
        # (a caching or caching-only name server) will attempt to validate
        # replies from DNSSEC enabled (signed) zones. To perform this task
        # the server also needs either a valid trusted-keys clause
        # (containing one or more trusted-anchors) or a managed-keys clause.
        # If you have problems with forwarders not returning signed responses,
        # set this to "no", but be aware that this may create security issues
        # so better switch to a forwarder which supports DNSSEC!

In the file /etc/sysconfig/named I have set the directive:

Code:
NAMED_CONF_INCLUDE_FILES="/etc/bind.keys"

After restarting bind I still get the same error message:
Code:
Feb 27 11:31:37 ketlin1 named[25283]: dns_rdata_fromtext: /var/lib/named/dyn//managed-keys.bind:10: near eol: unexpected end of input
Feb 27 11:31:37 ketlin1 named[25283]: managed-keys-zone: loading from master file /var/lib/named/dyn//managed-keys.bind failed: unexpected end of input

Do I perhaps have to generate a key myself after all?
Regards, Padersuse
 
Enabling DNSSEC is obsolete.

You need to set
Code:
dnssec-validation auto;

By default it has the value "yes".

If you do not want to use DNSSEC for your zone, comment out the line with "managed-keys-directory".
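
The diagnosis above (managed-keys.bind failing to parse, then "broken trust chain" on every validated lookup) and the fix (dnssec-validation auto together with a managed-keys-directory) can both be checked without touching a live server. The following Python is an added example, not code from this thread, from ISC or from SUSE. audit_named_conf() reads a named.conf fragment and reports whether the dnssec-validation mode has a trust anchor to work from: in BIND 9.16, auto validates with the built-in root trust anchor and keeps it current in managed-keys-directory, while yes validates only with anchors the operator supplies (a trust-anchors clause, the older managed-keys or trusted-keys clauses, or an included bind.keys). scan_journal() picks the thread's failure and success signatures out of journal lines; a "loaded serial N" message on its own is not treated as success, because the failing run quoted above logged one directly after the load error. A parse error inside managed-keys.bind itself (line 10, unexpected end of input) is something the config audit cannot see, which is why both checks exist. The config fragments and journal lines embedded below are constructed from what the thread shows; the function names are assumptions of this example.

```python
"""Offline checks for the two things this thread turned on (added example,
not code from the thread, ISC or SUSE; names and samples are constructed)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Clauses that carry operator-supplied trust anchors. trust-anchors is the
# BIND 9.16 spelling; managed-keys and trusted-keys are its deprecated predecessors.
TRUST_ANCHOR_CLAUSES = ("trust-anchors", "managed-keys", "trusted-keys")


@dataclass
class ConfAudit:
    dnssec_validation: Optional[str] = None      # "yes" | "no" | "auto" | None if unset
    managed_keys_directory: Optional[str] = None
    has_trust_anchors: bool = False
    findings: List[str] = field(default_factory=list)


def _strip_comments(text: str) -> str:
    """named.conf accepts /* */, // and # comments; drop them so a commented-out
    include or option (like the #include lines in this thread) is not counted."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    # require line start or whitespace before // or #, so the "dyn//" inside a
    # quoted path such as "/var/lib/named/dyn//managed-keys.bind" survives
    return re.sub(r"(^|\s)(//|#)[^\n]*", r"\1", text, flags=re.M)


def audit_named_conf(text: str) -> ConfAudit:
    """Does the dnssec-validation mode have the trust anchors it needs?"""
    conf = _strip_comments(text)
    audit = ConfAudit()
    m = re.search(r"\bdnssec-validation\s+(yes|no|auto)\s*;", conf)
    audit.dnssec_validation = m.group(1) if m else None
    m = re.search(r'\bmanaged-keys-directory\s+"([^"]+)"\s*;', conf)
    audit.managed_keys_directory = m.group(1) if m else None
    clause = re.search(r"\b(?:%s)\s*\{" % "|".join(TRUST_ANCHOR_CLAUSES), conf)
    bind_keys = re.search(r'\binclude\s+"[^"]*bind\.keys"\s*;', conf)
    audit.has_trust_anchors = bool(clause or bind_keys)

    mode = audit.dnssec_validation or "auto"   # BIND 9.16 documents auto as the default
    if mode == "no":
        audit.findings.append("dnssec-validation no: upstream answers are accepted unvalidated")
    elif mode == "yes" and not audit.has_trust_anchors:
        audit.findings.append("dnssec-validation yes without trust-anchors/managed-keys/"
                              "trusted-keys or an included bind.keys: no anchor to validate from")
    if mode == "auto" and audit.managed_keys_directory is None:
        audit.findings.append("managed-keys-directory unset: managed-keys.bind is written to "
                              "named's working directory, which the named user must be able to write")
    return audit


# Journal signatures taken from the messages quoted in this thread.
# dns_rdata_fromtext is generic to any master file; here the file was managed-keys.bind.
JOURNAL_SIGNATURES = {
    "master_file_parse_error": re.compile(
        r"dns_rdata_fromtext: (?P<file>\S+?):(?P<line>\d+): (?P<msg>.*)"),
    "managed_keys_load_failed": re.compile(
        r"managed-keys-zone: loading from master file (?P<file>\S+) failed: (?P<msg>.*)"),
    "broken_trust_chain": re.compile(
        r"broken trust chain resolving '(?P<name>[^']+)': (?P<server>\S+)"),
    "managed_keys_loaded": re.compile(r"managed-keys-zone: loaded serial (?P<serial>\d+)"),
    "root_anchor_trusted": re.compile(r"DNSKEY ID (?P<keyid>\d+) is now trusted"),
}


def scan_journal(lines) -> List[Tuple[str, Dict[str, str]]]:
    """Return (signature name, captured fields) for every matching journal line."""
    hits = []
    for line in lines:
        for kind, rx in JOURNAL_SIGNATURES.items():
            m = rx.search(line)
            if m:
                hits.append((kind, m.groupdict()))
    return hits


def trust_anchors_healthy(hits) -> bool:
    """'loaded serial N' alone proves nothing: the failing run in this thread
    logged it right after the load error. Require no failure plus a positive signal."""
    kinds = {k for k, _ in hits}
    failed = kinds & {"master_file_parse_error", "managed_keys_load_failed", "broken_trust_chain"}
    return not failed and bool(kinds & {"managed_keys_loaded", "root_anchor_trusted"})


# Samples constructed from the thread's journal excerpts (trimmed) and its named.conf.
FAILING_JOURNAL = [
    "Feb 26 06:46:09 ketlin1 named[3663]: dns_rdata_fromtext: /var/lib/named/dyn//managed-keys.bind:10: near eol: unexpected end of input",
    "Feb 26 06:46:09 ketlin1 named[3663]: managed-keys-zone: loading from master file /var/lib/named/dyn//managed-keys.bind failed: unexpected end of input",
    "Feb 26 06:46:09 ketlin1 named[3663]: managed-keys-zone: loaded serial 8",
    "Feb 26 06:46:12 ketlin1 named[3663]: broken trust chain resolving '_.opensuse.pool.ntp.org/A/IN': 147.75.42.129#53",
]
HEALTHY_JOURNAL = [
    "Feb 27 13:50:38 ketlin1 named[26200]: managed-keys-zone: loaded serial 9",
    "Feb 27 13:50:38 ketlin1 named[26200]: managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 20326 is now trusted, waiving the normal 30-day waiting period.",
]
CONF_BEFORE = 'options {\n\tdnssec-validation yes;\n\tmanaged-keys-directory "/var/lib/named/dyn/";\n};\n'
CONF_AFTER = CONF_BEFORE.replace("dnssec-validation yes;", "dnssec-validation auto;")

if __name__ == "__main__":
    print("before:", audit_named_conf(CONF_BEFORE).findings)
    print("after: ", audit_named_conf(CONF_AFTER).findings)
    print("failing run healthy?", trust_anchors_healthy(scan_journal(FAILING_JOURNAL)))
    print("fixed run healthy?  ", trust_anchors_healthy(scan_journal(HEALTHY_JOURNAL)))
```

Run it against the real files with `audit_named_conf(open("/etc/named.conf").read())` and `scan_journal(sys.stdin)` fed from `journalctl -u named --no-pager`; in the chroot setup shown in this thread, remember that named reads the copy under /var/lib/named/, so audit the file that named actually loads.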
 
Hello spoensche,

The setting
Code:
auto
in the /etc/named.conf file brought the solution:
Code:
dnssec-validation auto;
        managed-keys-directory "/var/lib/named/dyn/";

From the journal of the name service:
Code:
Feb 27 13:50:38 ketlin1 named[26200]: none:98: 'max-cache-size 90%' - setting to 14292MB (out of 15880MB)
Feb 27 13:50:38 ketlin1 named[26200]: configuring command channel from '/etc/rndc.key'
Feb 27 13:50:38 ketlin1 named[26200]: command channel listening on 127.0.0.1#953
Feb 27 13:50:38 ketlin1 named[26200]: managed-keys-zone: loaded serial 9
Feb 27 13:50:38 ketlin1 named[26200]: zone apopader.site/IN: loaded serial 2022250201
Feb 27 13:50:38 ketlin1 named[26200]: zone 0.0.127.in-addr.arpa/IN: loaded serial 42
Feb 27 13:50:38 ketlin1 named[26200]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 42
Feb 27 13:50:38 ketlin1 named[26200]: zone localhost/IN: loaded serial 42
Feb 27 13:50:38 ketlin1 named[26200]: zone 1.168.192.in-addr.arpa/IN: loaded serial 2022250201
Feb 27 13:50:38 ketlin1 named[26200]: all zones loaded
Feb 27 13:50:38 ketlin1 named[26200]: running
Feb 27 13:50:38 ketlin1 systemd[1]: Started Berkeley Internet Name Domain (DNS).
Feb 27 13:50:38 ketlin1 named[26200]: managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 20326 is now trusted, waiving the normal 30-day waiting period.DNSKEY ID 20326 is now trusted, waiving the normal 30-day wa>

I have renamed the thread a little, since that is more descriptive.
Thank you and marce.
Regards,
Padersuse
 