How do I insert "CDS 0 0 0 0"? *** SOLVED ***

Håkan Lindqvist h+bind at qw.se
Sun Oct 4 23:07:17 UTC 2020


I wonder if there is some fundamental confusion regarding the purpose of 
CDS/CDNSKEY if it comes across as unintuitive that you need a fully 
operational signed zone, including relevant DNSKEY records.

There might be room for improvement regarding what happened when this 
requirement was not fulfilled (your description does not say what 
exactly happened), but it's a scenario where the CDS/CDNSKEY signalling 
cannot work:

CDS/CDNSKEY signals to the registry what the next entry point DNSKEY 
(KSK/CSK) will be for an already signed zone.

In order for CDS/CDNSKEY to be trustable and serve any purpose, the zone 
must currently be signed and validate properly, including the signature 
for that CDS/CDNSKEY record.

"CDS 0 0 0 00" is no exception. The use-case for this "null" CDS record 
is: my zone is currently signed and working, but I am for whatever 
reason planning to stop signing the zone soon.

If something is broken in terms of signing, CDS is probably not what you 
are looking for. (Either recover the breakage on your end or manage the 
DS records out of band, like via a registrar control panel or API.)

If the zone was not signed in the first place, CDS serves no purpose.


Best regards,
Håkan Lindqvist

On 10/4/2020 7:19 PM, Mark Elkins wrote:
>
> Ugg... typos
>
> Please read that as....
>
> So the correct format to add a "Please delete all DS records for my 
> domain" is "CDS 0 0 0 00".
>
> On 2020/10/04 19:12, Mark Elkins wrote:
>>
>> Did some more Googling....
>>
>> So the correct format to add a "Please delete all CD records for my 
>> domain" is "CDC 0 0 0 00".
>>
>> However, in order to get BIND to accept this, you also have to have a 
>> working DNSKEY (KSK) key in the Zone... that's really intuitive!
>> To reduce code changes in my system - I also have a ZSK.
>> Of course there must be no other CDS keys in the zone - in spite of 
>> one normally doing that when one creates a KSK...
>>
>> (Thinking about pushing the Start button to stop the machine - then 
>> again, I run Linux)
>>
>> On 2020/10/04 15:45, Mark Elkins wrote:
>>>
>>> Thanks for answering on a Sunday,
>>>
>>> Umm...
>>>
>>> I'm using BIND 9.16.6 and although 9.16.7 is out - 9.16.6 doesn't 
>>> seem to be very old.
>>>
>>> In the update logs, I see....
>>>
>>>
>>>     Notes for BIND 9.16.7
>>>     <https://downloads.isc.org/isc/bind9/9.16.7/doc/arm/html/notes.html#id25>
>>>
>>>     New Features
>>>     <https://downloads.isc.org/isc/bind9/9.16.7/doc/arm/html/notes.html#id26>
>>>
>>>     * Log when named adds a CDS/CDNSKEY to the zone. [GL #1748]
>>>
>>> ------------------------------------------------------------------------------------------------------------
>>>
>>> I'm running Gentoo - and the newest version of BIND in the 
>>> repository is bind-9.16.6-r3
>>> Should I not be running what is one version away from the 
>>> Current-Stable version?
>>>
>>> The ONLY DNSSEC type record I have in this zone is the "CDS 0 0 0 0" 
>>> record.
>>>
>>> I totally agree with ...
>>>
>>> > There must only be the delete cds/cdnskey records and not any 
>>> other cds/cdnskey records.
>>> > Publish and delete instructions at the same time is not consistent.
>>>
>>> I'm also not surprised that NET_DNS2 is wrong. Have emailed the author.
>>>
>>> Still - what does one correctly enter into a text based zone?
>>>
>>> The text zone currently looks like...
>>>
>>> $TTL 3600
>>> @        IN    SOA    control.vweb.co.za. dns-admin.posix.co.za. (
>>>             2020100404    ; Serial number
>>>             3600        ; Refresh, 86400=1 day, 3600=1 hr
>>>             1800        ; Retry after 30 mins
>>>             604800        ; Expire after 7 days
>>>             1800 )        ; Negative TTL, 21600=6 hrs, 1800=30 mins
>>>
>>> @        IN    A    192.96.24.5
>>> @        IN    AAAA    2001:42a0::5
>>> @        IN    NS    control.vweb.co.za.
>>> @        IN    NS    secdns1.posix.co.za.
>>> @        IN    CDS    0 0 0 00
>>>
>>> www        IN    A    192.96.24.5
>>> www        IN    AAAA    2001:42a0::5
>>>
>>>
>>> On 2020/10/04 15:02, Mark Andrews wrote:
>>>> Use up to date software.
>>>>
>>>> -- 
>>>> Mark Andrews
>>>>
>>>>> On 4 Oct 2020, at 23:48, Mark Elkins <mje at posix.co.za> wrote:
>>>>>
>>>>> What is the magic incantation for inserting a "CDS 0 0 0 0" 
>>>>> record in BIND?
>>>>> Version - BIND 9.16.6 (Stable Release)
>>>>> I've read RFC8070 - which says...  
>>>>> (https://tools.ietf.org/html/rfc8078)
>>>>> The contents of the CDS or CDNSKEY RRset MUST contain one RR and only
>>>>>     contain the exact fields as shown below.
>>>>>
>>>>>        CDS 0 0 0 0
>>>>>
>>>>>        CDNSKEY 0 3 0 0
>>>>>
>>>>> In the Knot docs (https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf)
>>>>> it says...
>>>>>
>>>>> DS deletion via "CDNSKEY 0 3 0 AA==" or "CDS 0 0 0 00" must be done manually
>>>>>
>>>>> In https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf it says...
>>>>>
>>>>> A child zone can also signal to turn off DNSSEC by removing the DS 
>>>>> record set in the parent zone.
>>>>> In this case, the operator may publish a special CDS record which 
>>>>> must exactly match:
>>>>> CDS 0 0 0 00
>>>>>
>>>>>
>>>>> I have a zone called "nodnssec.edu.za".
>>>>>
>>>>> In a text zone - if I add:-
>>>>>
>>>>> CDS     0 0 0 0
>>>>>
>>>>> I get:-   (from running: /usr/sbin/named-checkconf -z 
>>>>> /etc/bind/named.conf | grep nodnssec)
>>>>>
>>>>> _default/nodnssec.edu.za/IN: bad hex encoding
>>>>> dns_rdata_fromtext: db.nodnssec.edu.za:17: near eol: bad hex encoding
>>>>> zone nodnssec.edu.za/IN: loading from master file 
>>>>> db.nodnssec.edu.za failed: bad hex encoding
>>>>> zone nodnssec.edu.za/IN: not loaded due to errors.
>>>>>
>>>>> CDS     0 0 0 00   gives me....
>>>>>
>>>>> _default/nodnssec.edu.za/IN: bad CDS
>>>>> zone nodnssec.edu.za/IN: CDS/CDNSKEY consistency checks failed
>>>>> zone nodnssec.edu.za/IN: not loaded due to errors.
>>>>>
>>>>> I've also tried a null string - CDS     0 0 0 ""    - no joy.
>>>>>
>>>>> So what should I add?
>>>>>
>>>>> I've seen a record hosted by Cloudflare.... for revolution.edu.za, 
>>>>> DIG shows that as "CDS     0 0 0 00" and the NET_DNS2 software 
>>>>> shows it as...  "CDS 0 0 0 " (no digest at all).
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>>>
>>>>> Mark James ELKINS  -  Posix Systems - (South) Africa
>>>>> mje at posix.co.za Tel: +27.826010496 <tel:+27826010496>
>>>>> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>>>>> unsubscribe from this list
>>>>>
>>>>> ISC funds the development of this software with paid support 
>>>>> subscriptions. Contact us at https://www.isc.org/contact/ for more 
>>>>> information.
>>>>>
>>>>>
>>>>> bind-users mailing list
>>>>> bind-users at lists.isc.org
>>>>> https://lists.isc.org/mailman/listinfo/bind-users
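The two points the thread keeps returning to, as an added illustration that is not part of the thread or of BIND's code: the RFC 8078 delete records in presentation format carry one zero byte (hex "00" for CDS, base64 "AA==" for CDNSKEY, which is why a lone "0" fails as odd-length hex), and a delete signal only makes sense when it is not mixed with other CDS/CDNSKEY records and the zone actually has a DNSKEY. The record tuples and the check_apex function are assumptions of this example, a model of the rules stated above rather than BIND's internal checks.

```python
import base64
import binascii

# Wire-level content of the RFC 8078 "delete" records: one zero byte as the
# digest / public key.  In presentation format that byte is hex "00" for CDS
# and base64 "AA==" for CDNSKEY, so "CDS 0 0 0 0" is not parseable.
DELETE_CDS = (0, 0, 0, b"\x00")
DELETE_CDNSKEY = (0, 3, 0, b"\x00")

def parse_cds(rdata):
    """Parse 'keytag algorithm digesttype hexdigest' into a tuple."""
    tag, alg, dtype, *hexparts = rdata.split()
    hexdigest = "".join(hexparts)
    if not hexdigest or len(hexdigest) % 2:
        raise ValueError("bad hex encoding")  # odd digit count, e.g. the lone "0"
    return int(tag), int(alg), int(dtype), binascii.unhexlify(hexdigest)

def parse_cdnskey(rdata):
    """Parse 'flags protocol algorithm base64key' into a tuple."""
    flags, proto, alg, *b64parts = rdata.split()
    key = base64.b64decode("".join(b64parts), validate=True)
    return int(flags), int(proto), int(alg), key

def check_apex(records):
    """records: (rrtype, rdata) pairs at the zone apex (constructed input).
    Returns a list of problems; empty means the CDS/CDNSKEY signal is usable."""
    problems = []
    signals = []  # parsed CDS/CDNSKEY tuples
    for rrtype, rdata in records:
        try:
            if rrtype == "CDS":
                signals.append(parse_cds(rdata))
            elif rrtype == "CDNSKEY":
                signals.append(parse_cdnskey(rdata))
        except (ValueError, binascii.Error) as exc:
            problems.append(f"{rrtype} {rdata!r}: {exc}")
    deletes = [s for s in signals if s in (DELETE_CDS, DELETE_CDNSKEY)]
    # Delete and publish instructions in the same RRset are contradictory.
    if deletes and len(deletes) != len(signals):
        problems.append("delete CDS/CDNSKEY mixed with other CDS/CDNSKEY records")
    # The signal is only trustworthy when the zone is actually signed.
    if signals and not any(t == "DNSKEY" for t, _ in records):
        problems.append("CDS/CDNSKEY present but zone has no DNSKEY (unsigned)")
    return problems

if __name__ == "__main__":
    # Constructed apex modelled on the thread's zone: a delete CDS, no DNSKEY.
    print(check_apex([("A", "192.96.24.5"), ("CDS", "0 0 0 00")]))
```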