DNSKEY dynamic update: unexpected change 9.6.0-P1 -> 9.6.1
Shumon Huque
shuque at isc.upenn.edu
Wed Jul 8 20:50:05 UTC 2009
Upgrading from 9.6.0-P1 to 9.6.1 on my master server
unexpectedly changed DNSKEY dynamic update behavior. My
tools to secure zones rely on insertion of DNSKEY
records via dynamic update. This stopped working when
I upgraded to 9.6.1.
The culprit seems to be:
*** bind-9.6.0-P1/bin/named/update.c Wed Nov 19 01:21:45 2008
--- bind-9.6.1/bin/named/update.c Thu Apr 30 03:03:37 2009
***************
*** 3971,3977 ****
}
#endif
#ifndef ALLOW_INSECURE_TO_SECURE
! if (had_dnskey && !has_dnskey) {
update_log(client, zone, LOGLEVEL_PROTOCOL,
"update rejected: DNSKEY record added");
result = DNS_R_REFUSED;
--- 3981,3987 ----
}
#endif
#ifndef ALLOW_INSECURE_TO_SECURE
! if (!had_dnskey && has_dnskey) {
update_log(client, zone, LOGLEVEL_PROTOCOL,
"update rejected: DNSKEY record added");
result = DNS_R_REFUSED;
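Review bot: the old test `had_dnskey && !has_dnskey` fired on a DNSKEY *removal* while logging "update rejected: DNSKEY record added", so inverting it to `!had_dnskey && has_dnskey` is the right fix and makes the condition match its message. The consequence worth documenting is that the check sits under `#ifndef ALLOW_INSECURE_TO_SECURE`: with the condition now correct, any build that does not define that macro refuses an UPDATE introducing the first DNSKEY, which is a behavioural change for anyone who relied on the previous (broken) check; the release notes or NSEC3-NOTES should state that the compile-time define is required for such transitions.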
I'm guessing this is related to
2530. [bug] named failed to reject insecure to secure transitions
via UPDATE. [RT #19101]
Admittedly the code didn't match the pre-processor definition
in 9.6.0-P1. But I was assuming secure<->insecure zone transition
capability was turned on by default in bind 9.6. At least the file
that documents this feature (NSEC3-NOTES) doesn't mention anything
about it not being on by default.
For the time being, I've recompiled to fix the problem with:
CFLAGS="-DALLOW_SECURE_TO_INSECURE -DALLOW_INSECURE_TO_SECURE"
Is there any reason these flags should not be set by default? And
if not, could I ask that the documentation (NSEC3-NOTES) be
updated to reflect what needs to be done?
Also the private type record seems to have changed from 65535 to
65534 but this hasn't been updated in NSEC3-NOTES.
Thanks!
--Shumon.
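As an added illustration (this is not BIND's code), the following C models the check shown in the quoted hunk for both versions side by side; the build-time macro ALLOW_INSECURE_TO_SECURE is represented by a runtime flag `allow_i2s`, an assumption made here so both builds can be exercised in one program.

```c
#include <stdbool.h>
#include <string.h>

/* Added example, not BIND's code. Models the DNSKEY-transition check from
 * bin/named/update.c as it appears in the quoted hunk. The macro
 * ALLOW_INSECURE_TO_SECURE is represented by the runtime flag allow_i2s
 * (an assumption for testability; in BIND it is a compile-time define). */

enum verdict { UPDATE_OK = 0, UPDATE_REFUSED = 1 };

struct check_result {
    enum verdict verdict;
    const char *log;   /* text update_log() would emit, or NULL if accepted */
};

/* Name of the zone transition implied by DNSKEY presence before/after. */
const char *transition_name(bool had_dnskey, bool has_dnskey)
{
    if (!had_dnskey && has_dnskey) return "insecure->secure";
    if (had_dnskey && !has_dnskey) return "secure->insecure";
    return "no change";
}

/* 9.6.0-P1: the test is inverted. It fires on DNSKEY *removal* while
 * logging "DNSKEY record added", and lets an insecure->secure UPDATE
 * through even when ALLOW_INSECURE_TO_SECURE is not defined. */
struct check_result check_960p1(bool had_dnskey, bool has_dnskey, bool allow_i2s)
{
    struct check_result r = { UPDATE_OK, NULL };
    if (!allow_i2s && had_dnskey && !has_dnskey) {
        r.verdict = UPDATE_REFUSED;
        r.log = "update rejected: DNSKEY record added";
    }
    return r;
}

/* 9.6.1 (RT #19101 fix): condition and message agree, so an UPDATE that
 * introduces the zone's first DNSKEY is refused unless the flag is set. */
struct check_result check_961(bool had_dnskey, bool has_dnskey, bool allow_i2s)
{
    struct check_result r = { UPDATE_OK, NULL };
    if (!allow_i2s && !had_dnskey && has_dnskey) {
        r.verdict = UPDATE_REFUSED;
        r.log = "update rejected: DNSKEY record added";
    }
    return r;
}
```

Calling `check_961(false, true, false)` reproduces the refusal seen after the upgrade, while `check_960p1(false, true, false)` shows why the same UPDATE used to succeed.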