bind makes RRSIG disappear?
Cathy Almond
cathya at isc.org
Mon Feb 7 10:46:14 UTC 2011
Hi Gilles,
You've identified a corner-case bug - the logic is incorrect in the case
where the ACL holds "none" instead of being empty.
There's no compile-time option - but we are treating what you've
reported to us as a bug (RT #23120). It is currently under
investigation/discussion.
Many thanks for bringing this to our attention.
Cathy
On 07/02/11 07:29, Gilles Massen wrote:
> Mark,
>
> On 02/06/2011 10:41 PM, Mark Andrews wrote:
>> Mark Andrews writes:
>>>
>>>>
>>>>> Does your configuration also have an "allow-update" setting
>>>>> (other than "none") for it, maybe only for the instance that
>>>>> is giving you trouble? In that case BIND will take it that you
>>>>> want it to do resigning as the RRSIGs approach expiry.
>>>>
>>>> The only allow-update is in the options section, and none.
>>>
>>> Get rid of the allow-update and allow the default of no acl to work.
>>
>> The test that decides that the zone may need to be re-signed doesn't
>> take the "none;" acl into account. Currently it is
>> "if (acl != NULL || ssu != NULL)" and should become
>> "if ((acl != NULL && !isnone(acl)) || ssu != NULL)".
>
> Thanks, this works indeed.
>
> This raises a few questions, as I'd really like to understand bind's
> behavior:
>
> - is there any description of exactly how/when Bind assumes signing
> authority over a zone? Or simply where some kind of zone-manipulating
> intelligence kicks in?
>
> - is it possible to disable this kind of intelligence (possibly at
> compile time)?
>
> - if not: a config switch (or compile-time option) would really be
> appreciated. The zone option "auto-dnssec off;" did not prevent bind
> from trying to sign the zone.
>
> Best,
> Gilles
>
>
More information about the bind-users
mailing list