Bind ignoring signing -nsec3param when inline-signing a zone

Klaus Darilion klaus.mailinglists at pernau.at
Thu Jun 5 12:02:53 UTC 2014


Hi!

Today I managed to get Bind 9.9.5 to create a signed zone with all RRs
signed except the SOA. The private RRs showed "finished signing". Only
after another "rndc loadkeys" was the SOA signed as well.

Unfortunately I can not reproduce the problem, but I suspect it may be
related to the order in which I add the zone for signing to Bind, as up
to now I have sent lots of rndc commands to Bind.

Therefore I simplified my provisioning to only:

1. Create the keys

2. Add the zone to Bind via rndc:

zone "pernau.at" {
  type slave;
  file "/etc/bind/zones/p/pernau.at/pernau.at";
  masters { 88.198.53.113; };
  key-directory "/etc/bind/keys/p/pernau.at";
  auto-dnssec maintain;
  inline-signing yes;
};

Is it safe to assume that this will start the incoming zone transfer
and signing (without the need for an "rndc sign" command)?

3. Configure NSEC3:
rndc signing -nsec3param 1 0 10 E1BDC7F3624A9508 pernau.at

The problem is that the nsec3param command is received by Bind but
ignored: as you can see, there is no zone_addnsec3chain() logging:


11:47:53: received control channel command 'addzone pernau.at {...}'
11:47:53: zone pernau.at added to view _default via addzone
11:47:53: received control channel command 'signing -nsec3param 1 0 10
F2195A3D604B7EC8 pernau.at'
11:47:53: zone pernau.at/IN (unsigned): Transfer started.
11:47:53: transfer of 'pernau.at/IN (unsigned)' from 88.198.53.113#53:
connected using 83.136.34.28#53286
11:47:53: zone pernau.at/IN (unsigned): transferred serial 85
11:47:53: transfer of 'pernau.at/IN (unsigned)' from 88.198.53.113#53:
Transfer completed: 1 messages, 78 records, 2007 bytes, 0.033 secs
(60818 bytes/sec)
11:47:53: zone pernau.at/IN (signed): loaded serial 85
11:47:53: zone pernau.at/IN (signed): receive_secure_serial: unchanged
11:47:53: zone pernau.at/IN (signed): receive_secure_serial: unchanged
11:47:53: zone pernau.at/IN (signed): sending notifies (serial 85)
11:47:53: zone pernau.at/IN (signed): reconfiguring zone keys
11:47:53: zone pernau.at/IN (signed): next key event: 05-Jun-2014
12:47:53.563



# rndc signing -nsec3param 1 0 10 E1BDC7F3624A9508 pernau.at
request queued

11:48:23: received control channel command 'signing -nsec3param 1 0 10
E1BDC7F3624A9508 pernau.at'
11:48:23: zone pernau.at/IN (signed):
zone_addnsec3chain(1,CREATE,10,E1BDC7F3624A9508)
11:48:23: zone pernau.at/IN (signed): sending notifies (serial 106)

As you can see, only after the second "rndc signing -nsec3param" command
did Bind switch to NSEC3. I think this is because the nsec3 command is
sent immediately after the "addzone" command.


So, is this a bug in Bind or do I have to provision Bind differently?


Another question: is it possible to instruct Bind to use NSEC3 from the
beginning? I read that this can be done with dynamic updates, but in my
setup with inline-signing I suspect this is not possible.

Thanks
Klaus
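The three provisioning steps above, as an added example (not code from the original post and not part of BIND): a shell helper that creates the keys, adds the zone with "rndc addzone", but only sends "rndc signing -nsec3param" once "dig" shows the signed zone being served, and afterwards verifies with "dig" that the NSEC3PARAM record is really present, re-sending the request if it was dropped. It assumes rndc, dig and dnssec-keygen from BIND 9.9.x on PATH, a named with "allow-new-zones yes" answering on 127.0.0.1, and writable key and zone paths; the master address and paths in the usage block are taken from the post, the tool names are variables so the logic can be exercised with stubs.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from BIND. Provisions an
# inline-signing slave zone and makes sure the NSEC3 request is not lost.
# Assumptions: rndc/dig/dnssec-keygen (BIND 9.9.x) on PATH, named listening
# on 127.0.0.1 with "allow-new-zones yes", writable key and zone directories.
set -u

RNDC="${RNDC:-rndc}"           # tool names are overridable for testing
DIG="${DIG:-dig}"
KEYGEN="${KEYGEN:-dnssec-keygen}"
SERVER="${SERVER:-127.0.0.1}"
SLEEP="${SLEEP:-1}"            # seconds between polls
MAX_TRIES="${MAX_TRIES:-30}"

# True once "dig +short SOA" returns SOA rdata, i.e. the transfer finished
# and the signed copy is being served; before that +short prints nothing.
zone_is_loaded() {
  "$DIG" "@$SERVER" +norecurse +short "$1" SOA 2>/dev/null \
    | grep -Eq '^[^ ]+ [^ ]+ [0-9]+ [0-9]+ [0-9]+ [0-9]+ [0-9]+$'
}

# True once the served zone carries exactly the requested NSEC3PARAM
# ("<alg> <flags> <iterations> <salt>"; salt compared case-insensitively).
nsec3_active() {
  local zone=$1 want
  want=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
  "$DIG" "@$SERVER" +norecurse +short "$zone" NSEC3PARAM 2>/dev/null \
    | tr '[:lower:]' '[:upper:]' | grep -Fxq "$want"
}

# Run a predicate up to MAX_TRIES times with SLEEP in between; 1 on timeout.
wait_until() {
  local i=0
  while [ "$i" -lt "$MAX_TRIES" ]; do
    "$@" && return 0
    sleep "$SLEEP"
    i=$((i + 1))
  done
  return 1
}

# Step 1: KSK and ZSK with an NSEC3-capable algorithm (-3).
create_keys() {
  local zone=$1 keydir=$2
  "$KEYGEN" -K "$keydir" -r /dev/urandom -a RSASHA256 -b 2048 -3 -f KSK "$zone"
  "$KEYGEN" -K "$keydir" -r /dev/urandom -a RSASHA256 -b 1024 -3 "$zone"
}

# Step 2: the zone statement from the post, passed to rndc addzone.
add_zone() {
  local zone=$1 keydir=$2 master=$3 file=$4 cfg
  cfg="{ type slave; file \"$file\"; masters { $master; }; key-directory \"$keydir\"; auto-dnssec maintain; inline-signing yes; };"
  "$RNDC" addzone "$zone" "$cfg"
}

# Step 3: send -nsec3param only after the signed zone is served, then
# verify the chain was actually requested; retry if named dropped it.
enable_nsec3() {
  local zone=$1 params=$2 try
  wait_until zone_is_loaded "$zone" || { echo "zone $zone never loaded" >&2; return 1; }
  for try in 1 2 3; do
    # $params intentionally unquoted: four separate rndc arguments
    "$RNDC" signing -nsec3param $params "$zone" >/dev/null || return 1
    wait_until nsec3_active "$zone" "$params" && return 0
    echo "NSEC3PARAM not visible after attempt $try, re-sending" >&2
  done
  return 1
}

provision() {
  local zone=$1 keydir=$2 master=$3 file=$4 salt
  salt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')   # 16 hex chars
  create_keys "$zone" "$keydir" &&
  add_zone "$zone" "$keydir" "$master" "$file" &&
  enable_nsec3 "$zone" "1 0 10 $salt"
}

# Usage: BIND_PROVISION_ZONE=pernau.at ./provision.sh  (paths are assumptions)
if [ -n "${BIND_PROVISION_ZONE:-}" ]; then
  provision "$BIND_PROVISION_ZONE" "/etc/bind/keys/p/$BIND_PROVISION_ZONE" \
    "88.198.53.113" "/etc/bind/zones/p/$BIND_PROVISION_ZONE/$BIND_PROVISION_ZONE"
fi
```

The check after the request is the important part: "rndc signing -nsec3param" only answers "request queued", so the only way to know the chain was really scheduled is to look for the NSEC3PARAM record (or the zone_addnsec3chain log line) afterwards.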

