DNSSEC's sorted zone

Mark Andrews marka at isc.org
Thu Jan 13 00:14:27 UTC 2011


In message <alpine.LFD.1.10.1101121517240.30192 at newtla.xelerance.com>, Paul Wouters writes:
> On Wed, 12 Jan 2011, Mark Elkins wrote:
> 
> > dnssec-signzone  -3 "abcd" -o example.com -p -t -A -d keyset -g -a -N
> > increment -s 20110111161553 -e 20110210161553 -f example.com.sign-1
> > example.com.signed
> >
> > A minute later - I run the same command - but output to a different
> > file...   -f example.com.sign-2
> >
> > A 'diff' of the two output files gives lots of differences - apart from
> > the zone creation time.
> >
> > If I include the "-n ncpus" as "-n 1" - then the files are the same
> > (except for the creation time).

dnssec-signzone uses multiple threads to sign the zone a node at a
time.  These work items finish in a non-deterministic manner leading
to a different order in the resulting text file being produced.
This is done after the zone was sorted to generate the NSEC records.

> > I believe that the data is fundamentally the same - but it is partially
> > re-ordered if there are multiple threads. This is not what I would have
> > expected - having had it drummed into me that dnssec-signzone will
> > first sort the zone then generate all the RRSIG records - etc...
> > I find this disturbing. It appears to only be doing this on CNAME
> > records.
> 
> I'd recommend preprocessing the zone with ldns-read-zone, which also sorts
> and canonicalises the zone. Later on, you can then also use this command
> to separate unsigned data from dnssec, and merge in data (e.g. updates)
> from multiple zone versions while re-using previous RRSIGs

Firstly there is no need to pre-sort the zone.  If one wants to
canonicalise the zone, named-checkzone will do that fine.
dnssec-signzone will work out if it needs to regenerate signatures
or preserve the existing signatures.

> Paul
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
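As an added illustration of the point made above (this is not code from the thread or from BIND), the following Python compares two dnssec-signzone outputs as multisets of records, so that the thread-dependent ordering and the "File written on" stamp are ignored and only genuine data differences are reported. The zone text is constructed for the example; it assumes signer-style output with `;` comments and `( ... )` continuation lines, and no `;` inside quoted TXT data.

```python
from collections import Counter

# Constructed sample (not real signer output): the same small signed zone written
# twice. SIGNED_B differs only in the "File written on" stamp, record order and the
# line wrapping of the RRSIG; the signature bytes are an obvious placeholder.
SIGNED_A = """\
; File written on Tue Jan 11 16:15:53 2011
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. (
        2011011102 7200 3600 ; serial refresh retry
        1209600 3600 )       ; expire minimum
www.example.com. 3600 IN CNAME example.com.
www.example.com. 3600 IN RRSIG CNAME 7 3 3600 20110210161553 (
        20110111161553 12345 example.com. PLACEHOLDERSIG== )
mail.example.com. 3600 IN A 192.0.2.10
"""
SIGNED_B = """\
; File written on Tue Jan 11 16:16:53 2011
mail.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN RRSIG CNAME 7 3 3600 20110210161553 20110111161553 (
        12345 example.com. PLACEHOLDERSIG== )
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. (
        2011011102 7200 3600 1209600 3600 )
www.example.com. 3600 IN CNAME example.com.
"""

def parse_records(text):
    """Multiset of whitespace-normalised RRs. Strips ';' comments (assumes no ';'
    inside quoted TXT data) and joins the '( ... )' continuation lines the
    signer emits; owner/TTL/class layout is left as written."""
    records, buf, depth = Counter(), [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # drop comments, incl. the date stamp
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:                       # record complete: canonicalise it
            rr = " ".join(" ".join(buf).replace("(", " ").replace(")", " ").split())
            records[rr] += 1
            buf = []
    if depth != 0:
        raise ValueError("unbalanced parentheses in zone text")
    return records

def compare_signed_outputs(a, b):
    """Records present in only one of two signed outputs, ignoring order."""
    ra, rb = parse_records(a), parse_records(b)
    return {"only_in_a": sorted((ra - rb).elements()),
            "only_in_b": sorted((rb - ra).elements())}
```

With the two constructed outputs both lists come back empty; change one address in either file and that record shows up on both sides of the report.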