Skip to content

problems with CDS / CDNSKEY consistency checks

I have a test zone with alg. 8 and alg. 13 keys.

I disabled the algorithm 8 ksk:

dnssec-settime -D now -I now Kfanf2.ucam.org.+008+25474.key

I forgot to delete the CDS record and forgot the ZSK.

  • first problem: named accepted this change - the integrity checks did not work

Then named was restarted. It refused to load the zone because the consistency checks failed.

I tried to inspect the zone using named-compilezone because it is in "raw" format. This also failed because of the consistency checks.

  • second problem: named-compilezone does not have an option to disable the CDS consistency checks

  • third problem: named also does not have an option to disable the CDS consistency checks

Consequence: I was not able to fix the zone without editing BIND's source code to disable the consistency checks.

Edited by Tony Finch
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information