dnssec-policy implicitly enables inline-signing
Summary
Zones with dnssec-policy seem to implicitly have inline-signing enabled.
It was indicated to me on bind-users that these settings should be independent and that this behavior is a bug: https://lists.isc.org/pipermail/bind-users/2020-March/102831.html
BIND version used
$ named -V
BIND 9.16.1 (Stable Release) <id:d497c32>
running on Linux x86_64 5.3.0-42-generic #34-Ubuntu SMP Fri Feb 28 05:49:40 UTC 2020
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-libjson-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-4Ash1G/bind9-9.16.1=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 9.2.1 20191008
compiled with OpenSSL version: OpenSSL 1.1.1c 28 May 2019
linked to OpenSSL version: OpenSSL 1.1.1c 28 May 2019
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with json-c version: 0.13.1
linked to json-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.3.2
compiled with protobuf-c version: 1.3.1
linked to protobuf-c version: 1.3.1
threads support is enabled
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
$
Steps to reproduce
- Specify dnssec-policy x but no inline-signing yes.
- Restart/reload.
What is the current bug behavior?
The zone has inline signing enabled, without inline-signing yes in the config.
What is the expected correct behavior?
The zone should only have inline signing enabled if inline-signing yes is specified.
Relevant configuration files
zone "zone.example" {
notify yes;
type master;
allow-transfer { x; };
also-notify { x; };
file "/var/lib/bind/dynamic/zone.example/db.zone.example";
update-policy { grant local-ddns zonesub any; grant edit-x. zonesub any; };
key-directory "/var/lib/bind/dynamic/zone.example";
# auto-dnssec maintain;
dnssec-policy alg13-ksk-unlimited-zsk-60day;
};
Relevant logs and/or screenshots
rndc zonestatus indicates that inline signing is enabled. Also .signed and .signed.jnl files are created.
# rndc zonestatus zone.example
name: zone.example
type: master
files: /var/lib/bind/dynamic/zone.example/db.zone.example
serial: 2008092550
signed serial: 2008092553
nodes: 1
last loaded: Fri, 27 Mar 2020 09:11:29 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Fri, 27 Mar 2020 11:16:29 GMT
next resign node: zone.example/CAA
next resign time: Thu, 02 Apr 2020 04:12:40 GMT
dynamic: yes
frozen: no
reconfigurable via modzone: no
#
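A small check for this behaviour, added here as an example; it is not part of the bug report or of BIND. It parses the text that rndc zonestatus prints and the zone statement from named.conf, and flags a zone when rndc reports inline signing but the configuration only carries dnssec-policy and never sets inline-signing yes. Both inputs are constructed: the zonestatus text and the zone.example statement mirror the report above, and the second zone, explicit.example, is an assumed counter-example with inline-signing set explicitly.

```python
"""Flag zones where rndc reports inline signing that the config never asked for.

Added example for the report above; not part of BIND or of the bug report.
Inputs are constructed: the zonestatus text and the zone.example statement
mirror the report, explicit.example is an assumed counter-example.
"""
from typing import Dict, Tuple

# Constructed from the rndc zonestatus output in the report.
ZONESTATUS = """\
# rndc zonestatus zone.example
name: zone.example
type: master
files: /var/lib/bind/dynamic/zone.example/db.zone.example
serial: 2008092550
signed serial: 2008092553
secure: yes
inline signing: yes
key maintenance: automatic
dynamic: yes
frozen: no
#
"""

# Constructed named.conf fragment: the report's zone plus an assumed zone
# that sets inline-signing explicitly.
NAMED_CONF = """\
zone "zone.example" {
    type master;
    file "/var/lib/bind/dynamic/zone.example/db.zone.example";
    update-policy { grant local-ddns zonesub any; grant edit-x. zonesub any; };
    key-directory "/var/lib/bind/dynamic/zone.example";
    # auto-dnssec maintain;
    dnssec-policy alg13-ksk-unlimited-zsk-60day;
};
zone "explicit.example" {
    type master;
    file "/var/lib/bind/explicit.example/db.explicit.example";
    inline-signing yes;  // assumed counter-example
    dnssec-policy alg13-ksk-unlimited-zsk-60day;
};
"""


def parse_zonestatus(text: str) -> Dict[str, str]:
    """Turn the 'key: value' lines of rndc zonestatus into a dict."""
    status: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # shell prompt / empty lines
            continue
        key, sep, value = line.partition(":")
        if sep:
            status[key.strip().lower()] = value.strip()
    return status


def zone_block(conf: str, zone: str) -> str:
    """Return the text between the outer braces of zone "<zone>" { ... }."""
    start = conf.find('zone "%s"' % zone)
    if start < 0:
        raise KeyError(zone)
    open_at = conf.index("{", start)
    depth = 0
    for i in range(open_at, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[open_at + 1:i]
    raise ValueError("unbalanced braces in zone %s" % zone)


def zone_statements(block: str) -> Dict[str, str]:
    """Split a zone block into top-level 'name value' statements.

    Nested braces (update-policy { ... }) stay inside the value; '#' and '//'
    comments are dropped, so a commented-out auto-dnssec does not count.
    Simplification: quoted strings containing '#' or '//' are not handled."""
    stmts: Dict[str, str] = {}
    buf = []
    depth = 0
    for line in block.splitlines():
        line = line.split("#", 1)[0].split("//", 1)[0]
        for ch in line:
            if ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
            if ch == ";" and depth == 0:
                text = "".join(buf).strip()
                if text:
                    name, _, value = text.partition(" ")
                    stmts[name] = value.strip()
                buf = []
            else:
                buf.append(ch)
        buf.append(" ")
    return stmts


def implicit_inline_signing(status: Dict[str, str], stmts: Dict[str, str]) -> bool:
    """True when rndc reports inline signing but the zone statement only has
    dnssec-policy and never sets inline-signing yes (the behaviour reported)."""
    return (status.get("inline signing") == "yes"
            and "dnssec-policy" in stmts
            and stmts.get("inline-signing") != "yes")


def signed_artifacts(stmts: Dict[str, str]) -> Tuple[str, str]:
    """Paths of the .signed and .signed.jnl files that inline signing
    creates next to the zone's file statement."""
    path = stmts["file"].strip('"')
    return path + ".signed", path + ".signed.jnl"


if __name__ == "__main__":
    # rndc would report inline signing: yes for both zones, so the same
    # constructed status text is used; only the config decides the verdict.
    status = parse_zonestatus(ZONESTATUS)
    for zone in ("zone.example", "explicit.example"):
        stmts = zone_statements(zone_block(NAMED_CONF, zone))
        if implicit_inline_signing(status, stmts):
            print("%s: inline signing on without inline-signing yes; expect %s and %s"
                  % ((zone,) + signed_artifacts(stmts)))
        else:
            print("%s: inline signing matches config" % zone)
```

Run it against a real deployment by replacing the two constants with the output of rndc zonestatus and the contents of the zone's named.conf stanza; a flagged zone is one where the .signed and .signed.jnl files will appear next to the zone file even though the configuration never requested inline signing.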
Possible fixes
None known.
Explicitly configuring inline-signing no; crossed my mind but that does not work:
parser.c:2836: REQUIRE(obj != ((void *)0) && *obj == ((void *)0))
failed, back trace
#0 0x55ec613030a3 in ??
#1 0x7f598d6eda90 in ??
#2 0x7f598d77d9ba in ??
#3 0x55ec6130a23c in ??
#4 0x55ec6130f398 in ??
#5 0x55ec61323adc in ??
#6 0x55ec61324b2e in ??
#7 0x7f598d714e51 in ??
#8 0x7f598d1c2669 in ??
#9 0x7f598d0e4323 in ??
exiting (due to assertion failure)