DNS services no longer work due to missing files

Deron Meranda deron.meranda at gmail.com
Thu Jul 22 08:33:57 UTC 2010

> ....   The change that is
> needed is to change the "include" lines in /etc/named.conf, deleting the
> lines:
>     include "/etc/pki/dnssec-keys//named.dnssec.keys";
>     include "/etc/pki/dnssec-keys//dlv/dlv.isc.org.conf";
> and inserting a single line:
>     include "/etc/named.iscdlv.key";

That file does not seem to be available for Fedora 11.

So for the benefit of the F11 folks who got hit with this bug
but didn't likewise get a patch or fix, you have a couple options.

1. Disable dnssec in bind.

Edit the /etc/named.conf file and comment out (or change to "no") the
dnssec-enable option.   Also comment out all the includes at the bottom
that try to load the top level keys  (comment with two "//" to the end
of the line),

    include "/etc/pki/dnssec-keys//named.dnssec.keys";
    include "/etc/pki/dnssec-keys//dlv/dlv.isc.org.conf";


2. Use dnssec by manually installing the keys.

Download the current official key from ISC.  For information
(including useful instructions) see the web page

and then download the current official key, in named format,

   cd /etc/pki/dnssec-keys
   wget http://ftp.isc.org/www/dlv/dlv.isc.org.named.conf

If you're serious about security, you should validate the PGP
signature given on their web site.

Then also create the symlink (or copy the file) to its /etc location
so other programs (unbound) find it where expected,

   ln -s /etc/pki/dnssec-keys/dlv.isc.org.named.conf  /etc/named.iscdlv.key

(The reason you need to keep the key or a copy under /etc/pki/... is so
that it can be read if running named in a chroot environment.)

Now edit the /etc/named.conf file and replace the include statements
at the bottom that reference /etc/pki, with just a single include

   include "/etc/pki/dnssec-keys/dlv.isc.org.named.conf";

Your bind/named DNS server should once again be happy,
and using dnssec.
Deron Meranda
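
A check to go with the edits described in the message above, as an added example that is not part of the original post: it lists every active include target in a named.conf that is missing, optionally resolved under a chroot directory. The function names `missing_includes` and `make_sample` are hypothetical, and the sample tree is constructed in a temporary directory.

```shell
#!/bin/sh
# missing_includes CONF [ROOT]
#   Print each include "path"; target in CONF that is not a readable file.
#   ROOT, if given, is the chroot directory the paths are resolved under.
missing_includes() {
    conf=$1
    root=${2:-}
    # Anchoring on a leading "include" skips lines commented out with // or #
    # while leaving the "//" inside paths such as
    # /etc/pki/dnssec-keys//named.dnssec.keys untouched.
    # Limitation: /* ... */ block comments are not recognised.
    sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)"[[:space:]]*;.*$/\1/p' "$conf" |
    while IFS= read -r path; do
        [ -f "$root$path" ] && [ -r "$root$path" ] || printf '%s\n' "$path"
    done
}

# Constructed sample: a fake root holding a named.conf with the include
# lines from the post, where only the downloaded ISC DLV key file exists.
make_sample() {
    sample=$(mktemp -d) || return 1
    mkdir -p "$sample/etc/pki/dnssec-keys"
    : > "$sample/etc/pki/dnssec-keys/dlv.isc.org.named.conf"
    cat > "$sample/etc/named.conf" <<'EOF'
options {
    dnssec-enable yes;
};
include "/etc/pki/dnssec-keys//named.dnssec.keys";
//include "/etc/pki/dnssec-keys//dlv/dlv.isc.org.conf";
include "/etc/pki/dnssec-keys/dlv.isc.org.named.conf";
include "/etc/named.iscdlv.key";
EOF
    printf '%s\n' "$sample"
}

# Demo run: reports the two include targets that are absent from the sample.
sample_root=$(make_sample)
missing_includes "$sample_root/etc/named.conf" "$sample_root"
rm -rf "$sample_root"
```

On a live system, call `missing_includes /etc/named.conf`, or pass the chroot directory as the second argument when named runs chrooted.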
