CDS-deletion record "CDS 0 0 0 00" is failing with bind-9.14.9 and bind-9.14.8

Tom lists at verreckte-cheib.ch
Sat Feb 22 10:03:34 UTC 2020


Hi Mark

Eureka, that did the trick. The zone is inline signed and after I
added the already existing DNSKEY records in the raw zone file, the
CDS/CDNSKEY deletion record was accepted and the zone was loaded.

Many thanks.
Kind regards,
Tom


On 21.02.20 21:08, Mark Andrews wrote:
> There are no DNSKEY records in that zone.  CDS and CDNSKEY must be signed for the
> parent to accept them.  There must be DNSKEY records present for them to be signed.
> Add a DNSKEY record to that test zone and it will load.
> 
> For an inline zone just copy the final DNSKEY RRset from the signed version of the 
> zone to the raw zone when adding the deletion CDS and CDNSKEY records.  Wait for
> the parent zone to remove the DS records, then remove the CDS, CDNSKEY, and DNSKEY
> records from the raw zone.
> 
> Mark
> 
>> On 21 Feb 2020, at 18:31, Tom <lists at verreckte-cheib.ch> wrote:
>>
>> Hi Mark
>>
>> Thank you for your answer. BIND is definitely running the current version:
>>
>> $ rndc status
>> version: BIND 9.16.0 (Stable Release) <id:6270e60> ()
>> running on server: Linux x86_64 3.10.0-1062.4.3.el7.x86_64 #1 SMP Wed Nov 13 23:58:53 UTC 2019
>> boot time: Thu, 20 Feb 2020 16:30:15 GMT
>> last configured: Thu, 20 Feb 2020 16:31:25 GMT
>> configuration file: /etc/named/named.conf (/opt/chroot/bind/etc/named/named.conf)
>> CPUs found: 4
>> worker threads: 4
>> UDP listeners per interface: 4
>> number of zones: 110 (98 automatic)
>> debug level: 0
>> xfers running: 0
>> xfers deferred: 0
>> soa queries in progress: 0
>> query logging is OFF
>> recursive clients: 0/900/1000
>> tcp clients: 2/150
>> TCP high-water: 103
>> server is up and running
>>
>>
>> I've removed the CDS/CDNSKEY records from the zone with dnssec-settime -K [key-directory] -D sync now Kexample.com...
>>
>> So the CDS/CDNSKEY records no longer exist in the zone and are no longer queryable with dig -> as expected:
>> $ dig @127.0.0.1 +noall +answer cds example.com -> No output
>> $ dig @127.0.0.1 +noall +answer cdnskey example.com -> No output
>>
>> So from my point of view, I now have a clear starting point where CDS/CDNSKEY records are no longer published.
>>
>> When I now configure the explicit deletion record(s) within the zone for "CDS" and/or "CDS/CDNSKEY", BIND still fails with the mentioned error.
>>
>> The zonefile looks like this:
>> -------- SCHNIPP --------
>> $TTL 3600
>> example.com.	IN	SOA	ns1.example.com. dnsadmin.example.com. (
>> 			2020022104
>> 			10800
>> 			3600
>> 			1209600
>> 			3600 )
>>
>> example.com.	IN	NS	ns1.example.com.
>> example.com.	IN	NS	ns2.example.com.
>>
>> @		IN      CDS     0 0 0 00
>> @		IN      CDNSKEY 0 3 0 AA==
>> -------- SCHNAPP --------
>>
>>
>> 21-Feb-2020 08:13:40.939 general: error: zone example.com/IN (unsigned): CDS/CDNSKEY consistency checks failed
>> 21-Feb-2020 08:13:40.939 zoneload: error: zone example.com/IN (unsigned): not loaded due to errors.
>>
>>
>> Thank you.
>>
>> Kind regards,
>> Tom
>>
>>
>>
>> On 20.02.20 19:41, Mark Andrews wrote:
>>> Tom,
>>>      I would run ‘rndc status’ or ‘dig ch txt version.bind @server’ and confirm
>>> that you have restarted named with the new code.  I’ve had hundreds of ‘bug
>>> reports’ about non-fixed bugs that were operators failing to restart named after
>>> installing the new version.  The new code is in 9.16.0, 9.14.11, and 9.11.16.
>>> I would check that the *only* CDS record present is a deletion record.
>>> A CDS deletion record and a non-deletion CDS record is an error.  Similarly
>>> for CDNSKEY.  A CDS/CDNSKEY deletion record and other CDS/CDNSKEY records
>>> in an RRset make no sense.  You are either deleting all DS records, or replacing
>>> all the DS records with the CDS records, or generating a new set of DS records
>>> from the CDNSKEY records.  You can't do both at once.
>>> Mark
>>>> On 21 Feb 2020, at 03:54, Ondřej Surý <ondrej at isc.org> wrote:
>>>>
>>>> Hi Tom,
>>>>
>>>>> On 20 Feb 2020, at 17:42, Tom <lists at verreckte-cheib.ch> wrote:
>>>>>
>>>>> Hi
>>>>>
>>>>> With 9.16.0, the CDS deletion (https://gitlab.isc.org/isc-projects/bind9/issues/1554) is still not working and ends with the same error as earlier BIND versions:
>>>>>
>>>>> 20-Feb-2020 17:31:25.381 general: error: zone example.com/IN (unsigned): CDS/CDNSKEY consistency checks failed
>>>>> 20-Feb-2020 17:31:25.381 zoneload: error: zone example.com/IN (unsigned): not loaded due to errors.
>>>>>
>>>>> In which version will this issue be fixed?
>>>>
>>>> It will be included in the next version once the issue in question gets picked up by a developer,
>>>> is triaged, a test is written and the code is fixed.  I can’t really say when this will happen; our developer
>>>> resources are thin and there are more issues that require our attention.  That said, this is open
>>>> source and we happily accept external contributions in the form of a merge request in our GitLab instance
>>>> (you need to ask for permission to fork the project) or as a patch.  This seems to be a fairly trivial
>>>> bug that might be a good start if anybody wants to help fix bugs in BIND 9.
>>>>
>>>> Cheers,
>>>> Ondrej
>>>> --
>>>> Ondřej Surý
>>>> ondrej at isc.org
>>>>
> 
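The two rules Mark states above (a delete record must be the only record in its CDS or CDNSKEY RRset, and CDS/CDNSKEY need a DNSKEY RRset present so they can be signed), as a small added checker run over the zone file from the thread. This is illustration code written for this page, not the thread's or BIND's own logic (named's consistency check does more than this); the DNSKEY key material in the "fixed" zone is a placeholder.

```python
from collections import defaultdict

# RFC 8078 "delete" rdata exactly as written in the thread's zone file.
CDS_DELETE = ("0", "0", "0", "00")
CDNSKEY_DELETE = ("0", "3", "0", "AA==")

# Constructed from the zone file in the thread (SOA lines omitted, apex only).
FAILING_ZONE = """$TTL 3600
example.com.\tIN\tNS\tns1.example.com.
@\t\tIN      CDS     0 0 0 00
@\t\tIN      CDNSKEY 0 3 0 AA==
"""
# Same zone after copying a DNSKEY into the raw zone, as Mark suggests.
# The key data is a placeholder, not a real key.
FIXED_ZONE = FAILING_ZONE + "@\t\tIN      DNSKEY  257 3 13 PLACEHOLDERKEYDATA==\n"

def parse_rrs(zone_text):
    """Collect {rrtype: [rdata tuple, ...]} for CDS, CDNSKEY and DNSKEY from a
    small zone file. Handles 'owner [ttl] [IN] TYPE rdata...' lines; blank
    lines, $directives, comments and SOA continuation lines are skipped."""
    rrs = defaultdict(list)
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()
        if len(fields) < 3 or fields[0].startswith("$"):
            continue
        rest = fields[1:]
        if rest[0].isdigit():                  # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":   # optional class
            rest = rest[1:]
        if len(rest) >= 2 and rest[0].upper() in ("CDS", "CDNSKEY", "DNSKEY"):
            rrs[rest[0].upper()].append(tuple(rest[1:]))
    return dict(rrs)

def cds_consistency_errors(rrs):
    """Return the problems found; empty when both rules from the thread hold."""
    errors = []
    for rtype, delete in (("CDS", CDS_DELETE), ("CDNSKEY", CDNSKEY_DELETE)):
        rdatas = rrs.get(rtype, [])
        if delete in rdatas and len(rdatas) > 1:
            errors.append(f"{rtype}: delete record mixed with other {rtype} records")
    if (rrs.get("CDS") or rrs.get("CDNSKEY")) and not rrs.get("DNSKEY"):
        errors.append("CDS/CDNSKEY present but no DNSKEY records to sign them")
    return errors

if __name__ == "__main__":
    for name, zone in (("failing", FAILING_ZONE), ("fixed", FIXED_ZONE)):
        print(name, cds_consistency_errors(parse_rrs(zone)) or "ok")
```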