How do I insert "CDS 0 0 0 0"?

Mark Elkins mje at posix.co.za
Sun Oct 4 12:47:33 UTC 2020


What is the magic incantation for inserting a "CDS 0 0 0 0" record in BIND?
Version - BIND 9.16.6 (Stable Release)
I've read RFC8070 - which says... (https://tools.ietf.org/html/rfc8078)

The contents of the CDS or CDNSKEY RRset MUST contain one RR and only
    contain the exact fields as shown below.

       CDS 0 0 0 0

       CDNSKEY 0 3 0 0

In Knot docs... https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf
it says...

DS deletion via "CDNSKEY 0 3 0 AA==" or "CDS 0 0 0 00" must be done manually

In https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf it says...

A child zone can also signal to turn off DNSSEC by removing the DS 
record set in the parent zone.
In this case, the operator may publish a special CDS record which must 
exactly match:
CDS 0 0 0 00


I have a zone called "nodnssec.edu.za".

In a text zone - if I add:-

CDS     0 0 0 0

I get:-   (from running: /usr/sbin/named-checkconf -z /etc/bind/named.conf | grep nodnssec)

_default/nodnssec.edu.za/IN: bad hex encoding
dns_rdata_fromtext: db.nodnssec.edu.za:17: near eol: bad hex encoding
zone nodnssec.edu.za/IN: loading from master file db.nodnssec.edu.za failed: bad hex encoding
zone nodnssec.edu.za/IN: not loaded due to errors.

CDS     0 0 0 00   gives me....

_default/nodnssec.edu.za/IN: bad CDS
zone nodnssec.edu.za/IN: CDS/CDNSKEY consistency checks failed
zone nodnssec.edu.za/IN: not loaded due to errors.

I've also tried a null string - CDS     0 0 0 ""    - no joy.

So what should I add?

I've seen a record hosted by Cloudflare.... for revolution.edu.za, DIG 
shows that as "CDS     0 0 0 00" and the NET_DNS2 software shows it 
as...  "CDS     0 0 0 " (no digest at all).




-- 

Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
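
Added example (not part of the original post and not BIND code): a sketch of how the delete records quoted above map to wire format, assuming the standard DS/DNSKEY presentation rules (hexadecimal digest, base64 key). The function names are hypothetical. It shows that a lone `0` cannot be decoded as hex while `00` and `AA==` both yield a single zero octet; it does not model BIND's CDS/CDNSKEY consistency checks.

```python
import base64
import binascii
import struct

# Wire form of the delete records quoted in the post (constructed here):
# four header octets followed by one zero octet of payload.
CDS_DELETE_WIRE = b"\x00\x00\x00\x00\x00"      # CDS 0 0 0 00
CDNSKEY_DELETE_WIRE = b"\x00\x00\x03\x00\x00"  # CDNSKEY 0 3 0 AA==


def _split(rdata):
    """Split presentation rdata into three integers and the payload text."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("expected three numeric fields and a payload")
    a, b, c = (int(f) for f in fields[:3])
    # The payload may be broken up by whitespace in a zone file.
    return a, b, c, "".join(fields[3:])


def cds_to_wire(rdata):
    """Encode CDS rdata: key tag, algorithm, digest type, hex digest."""
    key_tag, alg, digest_type, text = _split(rdata)
    try:
        digest = binascii.unhexlify(text)  # hex needs an even digit count
    except binascii.Error as exc:
        raise ValueError(f"bad hex encoding: {text!r}") from exc
    return struct.pack("!HBB", key_tag, alg, digest_type) + digest


def cdnskey_to_wire(rdata):
    """Encode CDNSKEY rdata: flags, protocol, algorithm, base64 key."""
    flags, proto, alg, text = _split(rdata)
    try:
        key = base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64 encoding: {text!r}") from exc
    return struct.pack("!HBB", flags, proto, alg) + key


def is_delete_sentinel(rrtype, rdata):
    """True only if rdata encodes to the exact delete record for rrtype."""
    encode, expected = {
        "CDS": (cds_to_wire, CDS_DELETE_WIRE),
        "CDNSKEY": (cdnskey_to_wire, CDNSKEY_DELETE_WIRE),
    }[rrtype]
    try:
        return encode(rdata) == expected
    except (ValueError, struct.error):
        return False
```
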

