Primary zone not fully maintained by BIND

Sandro lists at penguinpee.nl
Tue May 24 22:20:15 UTC 2022


On 24-05-2022 20:57, Jan-Piet Mens via bind-users wrote:

> Slightly off-topic, but I believe ISC recommend using a custom policy
> instead of `default' in case the default changes in future.

Yes, sort of. The documentation hints at the fact that the default 
policy is subject to change. I meanwhile grabbed the 
dnssec-policy.default file from GitLab and using that as a locally 
defined policy.


> That surprises me a bit; I've always maintained BIND will not
> validate a DNSSEC-signed zone it is authoritative for. Unless you
> mean RRSIGs were still valid.

My terminology might not have been accurate. It is/was the RRSIGs that 
were outdated for all but the SOA record. I used the command provided in 
the documentation:

delv @10.0.0.242 -a Kpenguinpee.nl.+013+56132.key \
+root=penguinpee.nl penguinpee.nl. SOA +multiline

The key file here is the DNSKEY converted into a trust-anchor as per 
BIND ARM [1]. Checking any other record with delv returned 'RRSIG has 
expired'.


> BIND should be signing the zone(s) with dnssec-policy, yes, and the 
> dynamically-updateable zone will be signed on update and SOA serial 
> increased automatically.
> 
> I wonder whether it's getting confused (can software get confused? I
> suppose so) with the two identically-named zones. If this were my
> installation and I had to use views, I'd try specifying distinct
> policies for the zones to see if that makes a difference.

That thought, regarding the same zone in different views, had occurred 
to me. However, having to specify different policies for different views 
would be at best a workaround. I'd rather find out what it is that 
confuses BIND and file a bug for it.

Looking at it from a user's perspective, on a large setup with multiple 
zones/views (not mine) one would hardly want to set up a separate policy 
for every zone/view.

For now, everything is looking fine again. But if it fails again, I will 
take another close look and hopefully something will turn up that 
points me in the right direction.

Should it be the views, is there a specific logging category I should 
increase verbosity on?

[1] https://bind9.readthedocs.io/en/latest/dnssec-guide.html?highlight=delv#verification

-- Sandro
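The failure described in this thread (RRSIGs silently expiring for every record except the SOA) is the kind of thing a small monitoring check catches before resolvers start returning SERVFAIL. The following script is an added example, not code from the thread, from ISC or from BIND: it parses RRSIG records in the single-line presentation format that `dig` prints (without `+multiline`), compares the inception and expiration timestamps against a reference time, and classifies each signature as ok, expiring soon, expired or not yet valid. The sample records, the key tag and the timestamps are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input in dig/delv one-line presentation format.
# Fields: owner TTL IN RRSIG type-covered alg labels orig-ttl expiration
#         inception keytag signer signature (signature is a placeholder).
SAMPLE_RRSIGS = """\
penguinpee.nl.      3600 IN RRSIG SOA  13 2 3600 20220607000000 20220524000000 56132 penguinpee.nl. AbCdEf==
penguinpee.nl.      3600 IN RRSIG NS   13 2 3600 20220520000000 20220506000000 56132 penguinpee.nl. AbCdEf==
www.penguinpee.nl.  3600 IN RRSIG A    13 3 3600 20220526120000 20220512120000 56132 penguinpee.nl. AbCdEf==
mail.penguinpee.nl. 3600 IN RRSIG A    13 3 3600 20220521120000 20220507120000 56132 penguinpee.nl. AbCdEf==
new.penguinpee.nl.  3600 IN RRSIG AAAA 13 3 3600 20220610000000 20220525000000 56132 penguinpee.nl. AbCdEf==
"""

# One RRSIG per line; timestamps are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2).
RRSIG_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<type>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<origttl>\d+)\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+"
    r"(?P<keytag>\d+)\s+(?P<signer>\S+)\s+(?P<sig>\S+)$"
)


def parse_timestamp(ts):
    """Turn a 14-digit RRSIG timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Return one dict per RRSIG line; lines that are not RRSIGs are skipped."""
    records = []
    for line in text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["expiration"] = parse_timestamp(rec["expiration"])
        rec["inception"] = parse_timestamp(rec["inception"])
        rec["keytag"] = int(rec["keytag"])
        records.append(rec)
    return records


def classify(rec, now, warn):
    """Validity window check: inception <= now < expiration, with an early warning."""
    if now < rec["inception"]:
        return "not-yet-valid"
    if now >= rec["expiration"]:
        return "expired"
    if rec["expiration"] - now <= warn:
        return "expiring"
    return "ok"


def check_rrsigs(text, now, warn_days=3):
    """Classify every RRSIG in `text` relative to `now` (an aware datetime)."""
    warn = timedelta(days=warn_days)
    results = []
    for rec in parse_rrsigs(text):
        results.append({
            "name": rec["name"],
            "type": rec["type"],
            "keytag": rec["keytag"],
            "expiration": rec["expiration"],
            "status": classify(rec, now, warn),
        })
    return results


def problem_owners(text, now, warn_days=3):
    """Sorted (owner, type) pairs whose signature is not currently 'ok'."""
    return sorted((r["name"], r["type"]) for r in check_rrsigs(text, now, warn_days)
                  if r["status"] != "ok")


if __name__ == "__main__":
    # Reference time taken from the date of the mail above (constructed usage).
    ref = datetime(2022, 5, 24, 22, 20, 15, tzinfo=timezone.utc)
    for r in check_rrsigs(SAMPLE_RRSIGS, ref):
        print(f'{r["status"]:14} {r["name"]:22} {r["type"]:5} expires {r["expiration"]:%Y-%m-%d %H:%M}Z')
```

In practice the input would come from `dig +dnssec` (or a `dig AXFR` of the signed zone) piped into this script, run from cron with `now` taken from the clock; any `expired` or `not-yet-valid` result for a record other than the SOA is exactly the symptom reported in this thread, and `expiring` gives a few days to investigate before resolvers start failing validation. Wrapped `+multiline` output would need the continuation lines joined first, which the parser above deliberately does not attempt.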
