
Monthly Archives: May 2014

This is a peculiar series of errors, but I’m certain that I’m not the first to encounter it. If you find yourself in need of the Authen::Libwrap Perl library and have tried the usual install mechanisms, YUM and CPAN, without success, then keep reading. The problem is that you are missing a few packages not directly listed in the prerequisites, namely tcp_wrappers, tcp_wrappers-devel, and the Perl modules local::lib and Test::Exception. The Test module is used during the manual build of the Authen::Libwrap module. So…

$ sudo yum install tcp_wrappers tcp_wrappers-devel
$ sudo perl -MCPAN -e 'install "Test::Exception"'
$ sudo perl -MCPAN -e 'install "local::lib"'

Then you’ll need to manually build the Authen::Libwrap libraries if your repo doesn’t have them:
$ wget http://www.cpan.org/authors/id/D/DM/DMUEY/Authen-Libwrap-0.22.tar.gz
$ tar xzf Authen-Libwrap-0.22.tar.gz
$ cd Authen-Libwrap-0.22 && perl Makefile.PL && make
$ make test
$ sudo make install

If you start seeing messages like
validating @0xb4a348a98: choices-st.truste.com AAAA: no valid signature found
validating @0xb4224288: mozilla.com SOA: no valid signature found
validating @0xb42f74910: choices-st.truste.com AAAA: no valid signature found

in your syslog, then check your BIND config. On RedHat systems it’s located at /etc/named.conf, and if DNSSEC is enabled, as it should be, it will contain a set of configuration options that read:
dnssec-enable yes;
dnssec-validation yes;
dnssec-validation auto;
dnssec-lookaside auto;

The ambiguity here resides in the config line dnssec-validation yes;, which instructs named to validate the signed keys but, without further direction, does not provide a set of root keys to compare against. As a result, named cannot validate the signatures.

To correct this, change the ‘yes’ option to ‘auto’, which will instruct named to use the set of compiled root keys that it ships with. Your DNSSEC options should look something like this:
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;

Restart BIND/named and move on.
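
As an added example (not part of the original post), this shell function audits the dnssec-validation setting discussed above: it flags a repeated statement, as in the "before" options, and a `yes` with no manually configured trust anchor. The function name and verdict strings are made up for illustration; the trust-anchor check assumes BIND's `trusted-keys`, `managed-keys` and `trust-anchors` statements, and it reads only the files you pass it, so list any files named.conf includes as well.

```shell
#!/bin/sh
# Added example, not from the original post. Prints a verdict for the
# dnssec-validation setting; pass named.conf plus any files it includes.
audit_dnssec_validation() {
    cat "$@" | awk '
    {
        # Drop /* ... */ comments (may span lines), then // and # comments.
        line = $0; out = ""
        while (length(line) > 0) {
            if (inblock) {
                i = index(line, "*/")
                if (i == 0) { line = "" } else { line = substr(line, i + 2); inblock = 0 }
            } else {
                i = index(line, "/*")
                if (i == 0) { out = out line; line = "" }
                else { out = out substr(line, 1, i - 1); line = substr(line, i + 2); inblock = 1 }
            }
        }
        sub(/\/\/.*/, "", out); sub(/#.*/, "", out)
        # Count dnssec-validation statements and remember the last value.
        if (match(out, /dnssec-validation[ \t]+[a-z]+/)) {
            n++
            value = substr(out, RSTART, RLENGTH)
            sub(/^dnssec-validation[ \t]+/, "", value)
        }
        # A manually configured trust anchor makes "yes" workable.
        if (out ~ /(^|[ \t;])(trusted-keys|managed-keys|trust-anchors)[ \t]*[{]/) anchors = 1
    }
    END {
        if (n == 0) { print "unset"; exit 3 }
        if (n > 1) { print "duplicate"; exit 2 }
        if (value == "no") { print "disabled"; exit 4 }
        if (value == "yes" && !anchors) { print "no-trust-anchor"; exit 1 }
        print "ok:" value
    }'
}

# Constructed sample: the "before" options quoted in the post.
sample=$(mktemp)
printf '%s\n' 'options {' 'dnssec-enable yes;' 'dnssec-validation yes;' \
    'dnssec-validation auto;' 'dnssec-lookaside auto;' '};' > "$sample"
audit_dnssec_validation "$sample" || echo "needs fixing (status $?)"
rm -f "$sample"
```

The function exits 0 only for a single statement that can work as written, so it can gate a config deployment step.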