inline-signing breaks nsdiff.

Björn Persson Bjorn at xn--rombobjrn-67a.se
Sun Oct 1 19:10:13 UTC 2023


I find that when both inline-signing and update-policy are in use, I
can't detect race conditions with the method described in RFC 2136
section 5.7, which nsdiff uses.

It seems that a serial number specified in a prerequisite of an update
is compared to the unsigned version of the zone, but the serial number
retrieved with a SOA or AXFR query is from the signed version. Thus the
update fails when BIND has renewed some RRSIG records and changed the
signed serial number.

Checking prerequisites against records that can't be looked up seems
like a bad idea to me.

In a zone that uses dnssec-policy and relies on the default value of
inline-signing, the method in RFC 2136 section 5.7 will stop working on
upgrade to BIND 9.20, as inline-signing will then be switched on by
default, if I understand correctly. I have set "inline-signing no;"
explicitly in all my zones to prevent future breakage.

Björn Persson
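The post describes the RFC 2136 section 5.7 procedure (read the SOA serial, send the update with a value-dependent prerequisite that the SOA still has that serial, retry on NXRRSET) and why it stops working when the prerequisite is evaluated against a different copy of the zone than the one that answered the SOA query. The following is an added, constructed Python model of that interaction; it is not BIND, nsdiff or any code from the post. It assumes, as the post reports, that SOA/AXFR queries are answered from the signed copy while prerequisites are checked against whichever copy `prereq_view` selects, and the serial values are made up.

```python
"""Constructed model of the RFC 2136 section 5.7 serial-prerequisite check
against a server that keeps an unsigned and a signed copy of one zone, as
BIND's inline-signing does. Illustrative only; not BIND or nsdiff code."""
from dataclasses import dataclass

NOERROR = "NOERROR"
NXRRSET = "NXRRSET"  # RFC 2136 section 3.2.4: value-dependent RRset prerequisite failed


@dataclass
class InlineSignedZone:
    """Two copies of one zone: the unsigned copy that updates edit, and the
    signed copy that answers SOA/AXFR queries. Serials are constructed values."""
    unsigned_serial: int
    signed_serial: int
    prereq_view: str = "signed"  # assumption: which copy prerequisites are checked against

    def query_serial(self) -> int:
        # SOA and AXFR queries are answered from the signed copy.
        return self.signed_serial

    def renew_rrsigs(self) -> None:
        # Periodic RRSIG renewal rewrites the signed copy and bumps only its serial.
        self.signed_serial += 1

    def update(self, expected_serial: int) -> str:
        """Process an UPDATE whose prerequisite says 'SOA serial == expected_serial'."""
        if self.prereq_view == "unsigned":
            current = self.unsigned_serial
        else:
            current = self.signed_serial
        if current != expected_serial:
            return NXRRSET
        # Apply the update: the unsigned copy gets a new serial, then the signer
        # publishes a new signed version with a serial above it.
        self.unsigned_serial += 1
        self.signed_serial = max(self.signed_serial, self.unsigned_serial) + 1
        return NOERROR


def update_with_serial_check(zone, max_attempts=3, interference=None):
    """RFC 2136 section 5.7 client loop: read the serial, send an update that
    requires that serial, and start over if the prerequisite fails.
    `interference`, when given, runs once between the read and the update to
    model a competing writer. Returns (final rcode, attempts used)."""
    for attempt in range(1, max_attempts + 1):
        seen = zone.query_serial()
        if interference is not None and attempt == 1:
            interference()
        if zone.update(seen) == NOERROR:
            return NOERROR, attempt
    return NXRRSET, max_attempts


def consistent_views():
    """Prerequisites checked against the same copy that answered the query:
    RRSIG renewal in between does not matter, the update goes through."""
    zone = InlineSignedZone(2023100101, 2023100101, prereq_view="signed")
    zone.renew_rrsigs()
    return update_with_serial_check(zone)  # ("NOERROR", 1)


def race_then_retry():
    """The case section 5.7 is designed for: a competing writer commits between
    our read and our update, we get NXRRSET once, re-read, and succeed."""
    zone = InlineSignedZone(2023100101, 2023100101, prereq_view="signed")
    competing_writer = lambda: zone.update(zone.query_serial())
    return update_with_serial_check(zone, interference=competing_writer)  # ("NOERROR", 2)


def mismatched_views():
    """The situation from the post: the query returns the signed serial, the
    prerequisite is checked against the unsigned serial, and every attempt
    fails even though nobody else is writing to the zone."""
    zone = InlineSignedZone(2023100101, 2023100101, prereq_view="unsigned")
    zone.renew_rrsigs()
    return update_with_serial_check(zone)  # ("NXRRSET", 3)


if __name__ == "__main__":
    print("consistent views :", consistent_views())
    print("race then retry  :", race_then_retry())
    print("mismatched views :", mismatched_views())
```

The third scenario is the symptom an operator would see from nsdiff: a value-dependent SOA prerequisite carrying the serial just returned by a SOA query is refused with NXRRSET on every retry, with no concurrent writer to explain it. That pattern (repeated NXRRSET with no competing updates, on a zone with inline-signing and update-policy both enabled) is the thing to check for before an upgrade that changes the inline-signing default.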

