Today, ISC is publishing a new beta release of BIND 9.9.0. As several new features have been added since the feature preview I posted on the occasion of the first alpha release, it would seem to be a good time for an update.
The new ‘inline-signing’ option, in combination with the ‘auto-dnssec’ option that was introduced in BIND 9.7, allows named to sign zones completely transparently. Before now, automatic zone signing only worked on master zones that were configured to be dynamic; now, it works on any master or slave zone.
In a master zone with inline signing, the zone is loaded from disk as usual, and a second copy of the zone is created to hold the signed version. The original zone file is not touched; all comments remain intact. When you edit the zone file and reload, named detects the incremental changes that have been made to the raw version of the zone, and applies those changes to the signed version, adding signatures as needed.
A slave zone with inline signing works similarly, except that instead of loading the zone from disk and then signing it, the slave transfers the zone from a master server and then signs it. This enables “bump in the wire” signing: a dedicated signing server acting as an intermediary between a hidden master server (which provides the raw zone data) and a set of publicly accessible slave servers (which only serve the signed data).
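To make the two arrangements above concrete, here is an added named.conf fragment (example configuration written for this post, not ISC's own sample): one master zone signed in place, and one "bump in the wire" signer that slaves the raw zone from a hidden master and serves only the signed copy. Zone names, file paths, the key directory and the 192.0.2.x addresses are all assumed placeholders.

```conf
options {
    directory "/var/named";          // assumed working directory
};

// Case 1: a master zone signed transparently. The raw file is the one
// you edit; named never rewrites it and keeps the signed copy separately.
zone "example.com" {
    type master;
    file "zones/example.com.db";     // raw, hand-maintained zone file
    key-directory "keys";            // K<zone>+<alg>+<id>.{key,private} pairs from dnssec-keygen
    inline-signing yes;              // maintain a separate signed copy of the zone
    auto-dnssec maintain;            // sign with the keys found in key-directory
};

// Case 2: dedicated signer between a hidden master and the public slaves.
// 192.0.2.1 is the hidden master; 192.0.2.2 and 192.0.2.3 are the public
// slaves (all placeholder documentation addresses).
zone "example.org" {
    type slave;
    file "zones/example.org.db";     // raw copy transferred from the hidden master
    masters { 192.0.2.1; };
    key-directory "keys";
    inline-signing yes;
    auto-dnssec maintain;
    allow-transfer { 192.0.2.2; 192.0.2.3; }; // only the public slaves may fetch the signed zone
    also-notify { 192.0.2.2; 192.0.2.3; };
};
```

The keys referenced by key-directory are generated beforehand with dnssec-keygen; with auto-dnssec maintain, named picks them up according to their timing metadata. In BIND 9.9 the signed copy lives in a file named after the raw zone file with ".signed" appended, alongside its own journal. Two checks worth making on the signer: the hidden master's own allow-transfer should permit only the signer, so the unsigned zone is never served publicly, and the signer's allow-transfer (as above) should list only the public slaves, so the signed zone is not an open transfer source.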
Note: A known bug in this release can cause master zones that use inline-signing to lose synchronization between the signed and unsigned versions. This will be addressed in a future release; in the meantime, this feature should be considered experimental. The problem has not been seen when using inline-signing with slave zones.
Other DNSSEC improvements
The new ‘rndc signing’ command provides greater visibility and control of the automatic DNSSEC signing process. When a zone is being signed, records are inserted into the zone indicating which keys are currently in the process of signing and which have finished (this enables named to resume the process correctly if there is a crash before the zone is fully signed). That state information is now visible:
- ‘rndc signing -list <zone>’ shows the current state of signing operations.
- ‘rndc signing -clear <key> <zone>’ or ‘rndc signing -clear all <zone>’ can be used to remove the records that say a key has finished signing. (If a key is still in the process of signing, then its record cannot be removed.)
- ‘rndc signing -nsec3param <parameters> <zone>’ or ‘rndc signing -nsec3param none <zone>’ can be used to set or remove the NSEC3 parameters for a zone. If this is used on a zone that has not yet been signed, then the specified parameters will be stored for use when the zone is signed.
Also, the new ‘dig +rrcomments’ option now provides more information about DNSKEY records, including each key’s ID, algorithm, and function within a zone (key-signing key or zone-signing key), to help with troubleshooting DNSSEC problems.
- Locking performance has been improved, particularly with regard to recursive clients; this allows better scaling with large numbers of threads.
- Slave zones are now saved in raw format by default. This can significantly reduce restart time on servers with large numbers of slave zones.