head scratcher: nsupdate, Bind views, and TLSA record updates

Mark Andrews marka at isc.org
Wed Nov 1 04:22:18 UTC 2017


In message <1509508757.25100.19.camel at ns.five-ten-sg.com>, Carl Byington writes:
> On Tue, 2017-10-31 at 17:16 -0700, Kevin via bind-users wrote:
> > $ dig TLSA _25._tcp.mail.thesandiegos.com @75.149.33.153 +dnssec
> > +short
> > <crickets>
> 
> > I'm really at a loss as to what's going on inside of Bind.
> 
> dig TLSA _25._tcp.mail.thesandiegos.com @75.149.33.153
> 
> ;; AUTHORITY SECTION:
> _tcp.mail.thesandiegos.com. 3600 IN NS ns1._tcp.mail.thesandiegos.com.
> 
> ;; ADDITIONAL SECTION:
> ns1._tcp.mail.thesandiegos.com. 3600 IN A 75.149.33.153
> 
> 
> It looks like you have another intermediate zone, but it might not be
> delegated properly.

More correctly, _tcp.mail.thesandiegos.com is delegated to
ns1._tcp.mail.thesandiegos.com (75.149.33.153), but the machine is
not configured to serve that zone.

Kevin,
	Unless you have good reason to have a delegation for
_tcp.mail.thesandiegos.com I would remove it.  If you do have
a reason to have it then you need to add the zone and add a
secure delegation to it.

Remember nsupdate can add records for names that are below a zone
cut.  This is necessary to add glue records.  These records are
hidden until the zone cut is removed.  This is why
123.testtlsa.mail.thesandiegos.com is visible to the world (no zone
cut) but _25._tcp.mail.thesandiegos.com isn't (zone cut at
_tcp.mail.thesandiegos.com).

server 1.2.3.4
zone thesandiegos.com
key updatekey xyz123...
add 123.testtlsa.mail.thesandiegos.com. 3600 IN TLSA 3 1 1 abc123...
add _25._tcp.mail.thesandiegos.com. 3600 IN TLSA 3 1 1 abc123...
local 127.0.0.1
show
send

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
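As an added example (not from the thread, and not BIND or nsupdate code), a small Python check that models the rule above: walk the ancestors of a name between it and the zone apex and report the first one carrying NS records, i.e. the zone cut that hides the name. The zone contents, the dummy key and digest, and the nsupdate script fragment are constructed to match the thread's names.

```python
"""Find the zone cut that occludes a name inside a zone (constructed example,
not from the thread or from BIND): the zone below models thesandiegos.com as
the thread describes it, with a delegation at _tcp.mail.thesandiegos.com."""

APEX = "thesandiegos.com."

# Constructed zone contents: owner name -> set of RR types at that name.
ZONE = {
    "thesandiegos.com.": {"SOA", "NS", "A"},
    "mail.thesandiegos.com.": {"A"},
    "_tcp.mail.thesandiegos.com.": {"NS"},            # delegation: zone cut
    "ns1._tcp.mail.thesandiegos.com.": {"A"},         # glue below the cut
    "_25._tcp.mail.thesandiegos.com.": {"TLSA"},      # occluded by the cut
    "123.testtlsa.mail.thesandiegos.com.": {"TLSA"},  # no cut above it
}

# nsupdate script shaped like the one in the thread (key and digest are dummies).
NSUPDATE_SCRIPT = """\
server 1.2.3.4
zone thesandiegos.com
key updatekey xyz123...
add 123.testtlsa.mail.thesandiegos.com. 3600 IN TLSA 3 1 1 abc123...
add _25._tcp.mail.thesandiegos.com. 3600 IN TLSA 3 1 1 abc123...
send
"""

def ancestors(name, apex=APEX):
    """Proper ancestors of `name` strictly below `apex`, closest first."""
    if not name.endswith("." + apex):
        raise ValueError(f"{name} is not below {apex}")
    labels = name[: -len(apex) - 1].split(".")
    return [".".join(labels[i:]) + "." + apex for i in range(1, len(labels))]

def occluding_cut(name, zone=ZONE, apex=APEX):
    """Closest ancestor with NS records (a zone cut), else None. nsupdate
    stores a record at `name` either way; under a cut it is not served."""
    for anc in ancestors(name, apex):
        if "NS" in zone.get(anc, set()):
            return anc
    return None

def check_update_script(script, zone=ZONE, apex=APEX):
    """Map the owner of each 'add' line to the cut that would hide it."""
    report = {}
    for line in script.splitlines():
        parts = line.split()
        if parts and parts[0] == "add":
            owner = parts[1] if parts[1].endswith(".") else parts[1] + "."
            report[owner] = occluding_cut(owner, zone, apex)
    return report
```

Running check_update_script on the constructed script reports the _25._tcp name as hidden by the _tcp.mail delegation and the 123.testtlsa name as unobstructed, matching the two behaviours described above.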