Zone not signed nor loaded with NSEC3
Scenario I (what works):
(1) I configure options inline-signing, auto-dnssec: maintain, key-directory.
(2) I create a pair of keys with dnssec-keygen.
(3) I put the resulting DNSKEY records into the unsigned zone file.
(4) I start Bind.
The result: the zone is signed with NSEC chain and published. (Further DDNS updates are processed including NSECs and RRSIGs reconstruction.)
Scenario II (what does not work):
The same, but in step (3), I also add a NSEC3PARAM record to the unsigned zone file.
Expected:
After startup, Bind should sign the zone with NSEC3 chain and publish it.
Observed:
(a) Bind does not sign the zone. Not even with NSECs. The file example.com.zone.signed does not appear.
(b) Bind does not publish the zone at all. All queries are responded with SERVFAIL.
(c) A log message says "all zones loaded", which is untrue according to (b).
(d) The only log message possibly indicating any problem says "signed dynamic zone has no resign event scheduled", which gives no clue of what happened.
I consider ALL of these four points (a) - (d) bugs.
Workaround:
Let Bind start with NSEC chain with Scenario I, and after Bind starts up, perform NSEC -> NSEC3 transition with rndc signing -nsec3param 1 0 10 <salt> example.com. However, I don't like this because I want to avoid publishing the zone with NSECs for any second.
Note:
My observations differ from #953 (closed)
Bind9 version:
starting BIND 9.11.3-1ubuntu1.11-Ubuntu (Extended Support Version) <id:a375815> \
running on Linux x86_64 5.3.0-40-generic #32~18.04.1-Ubuntu SMP Mon Feb 3 14:05:59 UTC 2020 \
built with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libjson=/usr' '--without-lmdb' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' '--with-eddsa=no' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-uW3Pyl/bind9-9.11.3+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'