Bind ignoring signing -nsec3param when inline-signing a zone

Klaus Darilion klaus.mailinglists at pernau.at
Thu Jun 5 12:53:04 UTC 2014


I have a suspicion: could it be that "rndc signing nsec3param" adds the
NSEC3PARAM RR internally to the unsigned zone file? Thus, calling "rndc
signing nsec3param" does not work before the initial zone transfer.

This would mean I have to check when the initial transfer succeeded
before calling "rndc signing nsec3param" - this is not nice.

Are there any workarounds for that? IMO it would be cool if Bind stored
NSEC3 options outside of the zone.

Thanks
Klaus

On 05.06.2014 14:02, Klaus Darilion wrote:
> Hi!
> 
> Today I managed to get Bind 9.9.5 to create a signed zone with all RRs
> signed except the SOA. The private RRs showed "finished signing". Only
> after another "rndc loadkeys" was the SOA also signed.
> 
> Unfortunately I cannot reproduce the problem, but I suspect it may be
> related to the order in which I add the zone for signing to Bind, as up to
> now I sent lots of rndc commands to Bind.
> 
> Therefore I simplified my provisioning to only:
> 
> 1. Create the keys
> 
> 2. Add the zone to Bind via rndc:
> 
> zone "pernau.at" {
>   type slave;
>   file "/etc/bind/zones/p/pernau.at/pernau.at";
>   masters { 88.198.53.113; };
>   key-directory "/etc/bind/keys/p/pernau.at";
>   auto-dnssec maintain;
>   inline-signing yes;
> };
> 
> Is it safe to consider that this will start the incoming zone transfer
> and signing (without the need for an "rndc sign" command)?
> 
> 3. Configure NSEC3:
> rndc signing -nsec3param 1 0 10 E1BDC7F3624A9508 pernau.at
> 
> The problem is that the nsec3param command is received by Bind but
> ignored: as you can see, there is no zone_addnsec3chain() logging:
> 
> 
> 11:47:53: received control channel command 'addzone pernau.at {...}'
> 11:47:53: zone pernau.at added to view _default via addzone
> 11:47:53: received control channel command 'signing -nsec3param 1 0 10
> F2195A3D604B7EC8 pernau.at'
> 11:47:53: zone pernau.at/IN (unsigned): Transfer started.
> 11:47:53: transfer of 'pernau.at/IN (unsigned)' from 88.198.53.113#53:
> connected using 83.136.34.28#53286
> 11:47:53: zone pernau.at/IN (unsigned): transferred serial 85
> 11:47:53: transfer of 'pernau.at/IN (unsigned)' from 88.198.53.113#53:
> Transfer completed: 1 messages, 78 records, 2007 bytes, 0.033 secs
> (60818 bytes/sec)
> 11:47:53: zone pernau.at/IN (signed): loaded serial 85
> 11:47:53: zone pernau.at/IN (signed): receive_secure_serial: unchanged
> 11:47:53: zone pernau.at/IN (signed): receive_secure_serial: unchanged
> 11:47:53: zone pernau.at/IN (signed): sending notifies (serial 85)
> 11:47:53: zone pernau.at/IN (signed): reconfiguring zone keys
> 11:47:53: zone pernau.at/IN (signed): next key event: 05-Jun-2014
> 12:47:53.563
> 
> 
> 
> # rndc signing -nsec3param 1 0 10 E1BDC7F3624A9508 pernau.at
> request queued
> 
> 11:48:23: received control channel command 'signing -nsec3param 1 0 10
> E1BDC7F3624A9508 pernau.at'
> 11:48:23: zone pernau.at/IN (signed):
> zone_addnsec3chain(1,CREATE,10,E1BDC7F3624A9508)
> 11:48:23: zone pernau.at/IN (signed): sending notifies (serial 106)
> 
> As you see, only after the second "rndc signing -nsec3param" command
> did Bind switch to NSEC3. I think this is because the nsec3 command is sent
> immediately after the "add zone" command.
> 
> 
> So, is this a bug in Bind or do I have to provision Bind differently?
> 
> 
> Another question: is it possible to instruct Bind to use NSEC3 from the
> beginning? I read this can be done with dynamic updates, but in my setup
> with inline-signing I suspect this is not possible.
> 
> Thanks
> Klaus
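The thread's working hypothesis is that "rndc signing -nsec3param" is silently dropped when it arrives before the slave zone's first transfer, and that provisioning therefore has to wait for that transfer before switching the zone to NSEC3. The script below, which is an added example and not code from these posts or from ISC, does exactly that gating: it adds the zone with `rndc addzone`, polls named's log for the "transferred serial" line quoted above, only then sends the nsec3param command, and finally confirms the switch by waiting for the `zone_addnsec3chain(...)` line instead of assuming it happened. It assumes (none of this is stated in the thread) that named logs to the path in `LOG_PATH`, that `rndc` is on PATH and already configured, and that the log line formats are the ones quoted in the thread; `SAMPLE_LOG` is constructed from those quoted lines.

```python
"""Provision an inline-signed slave zone in BIND and only switch it to NSEC3
once named has logged the initial zone transfer.

Added example for this thread; not code from the posts or from ISC.
Assumptions (not stated in the thread): named writes its log to LOG_PATH,
rndc is on PATH and already configured, and the log lines have the format
quoted in the thread ("transferred serial N" / "zone_addnsec3chain(...)").
"""
import re
import subprocess
import time

LOG_PATH = "/var/log/named/named.log"  # assumption: where named logs to

# Patterns taken from the log lines quoted in the thread.
TRANSFERRED_RE = re.compile(
    r"zone (?P<zone>[^\s/]+)/IN \(unsigned\): transferred serial (?P<serial>\d+)"
)
NSEC3CHAIN_RE = re.compile(
    r"zone (?P<zone>[^\s/]+)/IN \(signed\): zone_addnsec3chain\("
    r"(?P<alg>\d+),CREATE,(?P<iter>\d+),(?P<salt>[0-9A-Fa-f-]+)\)"
)

# Constructed sample, assembled from the lines quoted in the thread (unwrapped).
SAMPLE_LOG = """\
11:47:53: received control channel command 'signing -nsec3param 1 0 10 F2195A3D604B7EC8 pernau.at'
11:47:53: zone pernau.at/IN (unsigned): Transfer started.
11:47:53: zone pernau.at/IN (unsigned): transferred serial 85
11:47:53: zone pernau.at/IN (signed): loaded serial 85
11:48:23: zone pernau.at/IN (signed): zone_addnsec3chain(1,CREATE,10,E1BDC7F3624A9508)
"""


def transferred_serial(log_text, zone):
    """Serial of the most recent completed inbound transfer for `zone`, or None."""
    serial = None
    for m in TRANSFERRED_RE.finditer(log_text):
        if m.group("zone") == zone:
            serial = int(m.group("serial"))
    return serial


def nsec3_chain_created(log_text, zone):
    """(algorithm, iterations, salt) once named logs NSEC3 chain creation for `zone`, else None."""
    for m in NSEC3CHAIN_RE.finditer(log_text):
        if m.group("zone") == zone:
            return int(m.group("alg")), int(m.group("iter")), m.group("salt").upper()
    return None


def wait_for(probe, timeout, interval=1.0):
    """Poll `probe` until it returns something other than None, or raise TimeoutError."""
    deadline = time.monotonic() + timeout
    while True:
        result = probe()
        if result is not None:
            return result
        if time.monotonic() >= deadline:
            raise TimeoutError("condition not met within %s s" % timeout)
        time.sleep(interval)


def read_log():
    with open(LOG_PATH, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def rndc(*args):
    """Run an rndc command and fail loudly if it is rejected."""
    subprocess.run(["rndc", *args], check=True)


def provision(zone, master, zone_file, key_dir, salt, iterations=10, timeout=60):
    """Steps 2 and 3 of the thread, with the transfer check in between."""
    config = (
        '{ type slave; file "%s"; masters { %s; }; key-directory "%s"; '
        "auto-dnssec maintain; inline-signing yes; };" % (zone_file, master, key_dir)
    )
    rndc("addzone", zone, config)
    # Gate: the thread shows "rndc signing -nsec3param" being ignored when it
    # arrives before the first transfer, so wait for named to log that transfer.
    serial = wait_for(lambda: transferred_serial(read_log(), zone), timeout)
    rndc("signing", "-nsec3param", "1", "0", str(iterations), salt, zone)
    # Confirm the switch to NSEC3 actually happened instead of assuming it.
    params = wait_for(lambda: nsec3_chain_created(read_log(), zone), timeout)
    return serial, params


if __name__ == "__main__":
    print(provision("pernau.at", "88.198.53.113",
                    "/etc/bind/zones/p/pernau.at/pernau.at",
                    "/etc/bind/keys/p/pernau.at", "E1BDC7F3624A9508"))
```

Both log parsers are pure functions over the log text, so the gating logic can be checked against captured log lines without a running named; `provision()` is the only part that talks to rndc. If named logs through syslog instead of a file, point `read_log()` at that source; the two patterns are the only place the log format is assumed.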

