From Newsgroup: comp.protocols.dns.bind

When a domain configuration file contains an include line for the key, where is that include looking for the key file?
I'm in a situation where the keys seems to work fine for updating DNSSEC, but nsdiff complains the key file is not found.
Obviously something in named.conf or the domain file is off as far as nstiff is concerned, and I’d like to fix it, but it’s hard to debug when the actual key update is working.
In Named.conf I have
key-directory "/usr/local/etc/namedb/working/keys”;
And that is where the keyholes are stored.
But nsdiff returns an error the key file cannot be found.
Or I am using nstiff improperly?
nsdiff -k admin.key covisp.net working/master/covisp.net
nsdiff: loading zone covisp.net. via AXFR from ns1.covisp.net.
zone covisp.net/IN: loaded serial 2019022695 (DNSSEC signed)
OK
nsdiff: loading zone covisp.net. from file working/master/covisp.net dns_master_load: working/master/covisp.net:48: Kcovisp.net.+007+34178.key: file not found
dns_master_load: working/master/covisp.net:49: Kcovisp.net.+007+46143.key: file not found
zone covisp.net/IN: loading from master file working/master/covisp.net failed: file not found
zone covisp.net/IN: not loaded due to errors.
nsdiff: missing SOA record
--- Synchronet 3.18a-Linux NewsLink 1.113

From Newsgroup: comp.protocols.dns.bind

This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.

--1870870841-273194879-1593965004=:15871
Content-Type: text/plain; CHARSET=UTF-8
Content-Transfer-Encoding: QUOTED-PRINTABLE
Content-ID: <alpine.DEB.2.20.2007051703291.15871@grey.csi.cam.ac.uk>

@lbutlr <kremels@kreme.com> wrote:

When a domain configuration file contains an include line for the key,
where is that include looking for the key file?

=2E.. good question, I have avoided having to find that out ...

I'm in a situation where the keys seems to work fine for updating
DNSSEC, but nsdiff complains the key file is not found.

Well, nsdiff uses named-compilezone to canonicalize zone files, and the named-compilezone manual lists a couple of options that affect $INCLUDE:

-t directory
Chroot to directory so that include directives in the configu= ra=E2=80=90
tion file are processed as if run by a similarly chrooted nam= ed.

-w directory
chdir to directory so that relative filenames in master f= ile
$INCLUDE directives work. This is similar to the direct= ory
clause in named.conf.

So it sounds like "the current directory" is the answer to your question.

However, I don't think you need to $INCLUDE key files. I think maybe that
used to be a thing when signing a zone had to involve dnssec-signzone? But nowadays even dnssec-signzone will automatically insert public keys into
the signed zone.

When you're doing automatic signing with named (which you have to do if
you are using nsupdate to alter the zone), the keys are included in the
signed zone based on their timing metatata, which you can set with dnssec-settime. [There's also the new key policy stuff which I have not
yet tried out properly.]

So the actual answer is, you don't explicitly $INCLUDE the keys in the
zone, so questions about current directories do not arise.

Does that make sense?

Tony.
--=20
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Lough Foyle to Carlingford Lough: Southwest veering west, 6 to gale 8, then veering northwest 4 to 6 later. Moderate or rough, becoming slight or moder= ate
south of rathlin island. Showers,thundery at first. Good, occasionally moderate.
--1870870841-273194879-1593965004=:15871--
--- Synchronet 3.18a-Linux NewsLink 1.113

From Newsgroup: comp.protocols.dns.bind

On 05 Jul 2020, at 10:12, Tony Finch <dot@dotat.at> wrote:

@lbutlr <kremels@kreme.com> wrote:

When a domain configuration file contains an include line for the key,
where is that include looking for the key file?

... good question, I have avoided having to find that out ...

Heh.

So it sounds like "the current directory" is the answer to your question.

That would certainly explain why it fails then.

However, I don't think you need to $INCLUDE key files. I think maybe that used to be a thing when signing a zone had to involve dnssec-signzone? But nowadays even dnssec-signzone will automatically insert public keys into
the signed zone.

Ah, that would be good. When I resolve the other issue I posted about I will check that.
My configuration started in … um… 1995? I'm sure I should start all over with the 9.16 manual from scratch, but you know, I have all this TV to watch. 😃

Does that make sense?

It does, and thank you.
--
It's against my programming to impersonate a deity.
--- Synchronet 3.18a-Linux NewsLink 1.113