auto-dnssec zones lose NSEC3 params when the zone journal is removed
Summary
When BIND removes the journal file (logging "journal file is out of date: removing journal file"), the zone also forgets its NSEC3 settings.
BIND version used
BIND 9.12.2-P2 <id:b2bf278>
running on Linux x86_64 4.15.0-74-generic #84-Ubuntu SMP Thu Dec 19 08:06:28 UTC 2019
built by make with '--prefix=/dns/bind/9.12.2-P2' '--enable-threads' '--enable-static' '--enable-ipv6=yes' '--with-openssl=yes' '--with-gssapi=no' '--enable-rrl' 'CFLAGS=-g'
compiled by GCC 4.8.4
compiled with OpenSSL version: OpenSSL 1.0.1f 6 Jan 2014
linked to OpenSSL version: OpenSSL 1.0.2n 7 Dec 2017
compiled with libxml2 version: 2.9.1
linked to libxml2 version: 20904
compiled with zlib version: 1.2.8
linked to zlib version: 1.2.11
threads support is enabled
I noticed this problem also with older versions, but have not tested newer versions.
Steps to reproduce
I use BIND as a bump-in-the-wire signer, i.e.:
zone "nxdomain.at" {
    type slave;
    file "/tmp/nxdomain.at";
    masters { 176.9.98.135; };
    auto-dnssec maintain;
    dnssec-dnskey-kskonly no;
    inline-signing yes;
    key-directory "/tmp/";
};
I do not know why, but the journal is lost quite often. I can trigger it often by retransferring the zone with "rndc retransfer":
received control channel command 'retransfer nxdomain.at'
transfer of 'nxdomain.at/IN (unsigned)' from 176.9.98.135#53: connected using 83.136.34.11#52809
zone nxdomain.at/IN (unsigned): transferred serial 2020070901
transfer of 'nxdomain.at/IN (unsigned)' from 176.9.98.135#53: Transfer status: success
transfer of 'nxdomain.at/IN (unsigned)' from 176.9.98.135#53: Transfer completed: 1 messages, 13 records, 16168 bytes, 0.025 secs (646720 bytes/sec)
zone nxdomain.at/IN (signed): journal file is out of date: removing journal file
zone nxdomain.at/IN (signed): loaded serial 2020073557
zone nxdomain.at/IN (signed): receive_secure_serial: unchanged
zone nxdomain.at/IN (signed): receive_secure_serial: unchanged
zone nxdomain.at/IN (signed): sending notifies (serial 2020073557)
What is the current bug behavior?
The problem is that when this happens, a zone which uses NSEC3 as its zone-walking protection suddenly becomes vulnerable to zone walking.
What is the expected correct behavior?
The NSEC3 params should be recovered when the journal is broken, or should be stored in a separate file, i.e. in the key directory.
Relevant configuration files
options {
    directory "/var/cache/bind";
    // Disable recursion
    allow-recursion { "none"; };
    allow-update { none; };
    recursion no;
    // Allow new zones to be added via the rndc tool
    allow-new-zones yes;
    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
    // lifetime of DNSSEC signatures (RRSIGs) in days
    sig-validity-interval 30;
    max-journal-size 1m;
    version none;
};
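A monitoring check for the regression described in this issue, added here as an example and not part of the report or of BIND: it queries the signer for a name that should not exist and reports whether the proof of non-existence still uses NSEC3 or has silently fallen back to NSEC. The zone name, the server address, the probe label and the sample dig output are assumptions/constructed; the `rndc signing -nsec3param` line is a reminder to re-apply the zone's own parameters, whose values are not on the page.

```shell
#!/bin/sh
# Added check, not part of the bug report: probe a signed zone on the
# inline signer and tell whether NXDOMAIN answers still carry NSEC3
# records or have fallen back to NSEC after the journal was removed.

# classify_denial TEXT: print nsec3, nsec or none depending on which
# denial-of-existence record type appears in the dig output TEXT.
classify_denial() {
    # Ignore ';' comment lines and match the type column right after "IN",
    # so that RRSIG records covering NSEC/NSEC3 are not counted.
    if printf '%s\n' "$1" | grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+NSEC3[[:space:]]'; then
        echo nsec3
    elif printf '%s\n' "$1" | grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+NSEC[[:space:]]'; then
        echo nsec
    else
        echo none
    fi
}

# check_zone ZONE SERVER: ask SERVER for a name that should not exist in
# ZONE and classify the proof of non-existence. Returns 0 only for NSEC3.
check_zone() {
    zone=$1; server=$2
    probe="nx-$(date +%s)-$$.$zone"           # label assumed not to exist
    out=$(dig +dnssec +noall +authority "@$server" "$probe" A)
    case $(classify_denial "$out") in
        nsec3) echo "$zone: NSEC3 still in place"; return 0 ;;
        nsec)  echo "$zone: WARNING: zone answers with NSEC, NSEC3 params are gone"
               echo "  re-apply the zone's own parameters, e.g.:"
               echo "  rndc signing -nsec3param <alg> <flags> <iterations> <salt> $zone"
               return 1 ;;
        *)     echo "$zone: no NSEC/NSEC3 seen (unsigned zone or no answer?)"
               return 2 ;;
    esac
}

# Constructed sample dig output (not real captures) so the classifier can
# be exercised offline: the signed zone before and after the regression.
SAMPLE_NSEC3='nxdomain.at. 3600 IN SOA ns1.nxdomain.at. hostmaster.nxdomain.at. 2020073557 3600 900 1209600 3600
nxdomain.at. 3600 IN RRSIG SOA 8 2 3600 20200808000000 20200709000000 12345 nxdomain.at. c29tZXNpZw==
abcd1234.nxdomain.at. 3600 IN NSEC3 1 0 10 - efgh5678 A RRSIG
abcd1234.nxdomain.at. 3600 IN RRSIG NSEC3 8 3 3600 20200808000000 20200709000000 12345 nxdomain.at. c29tZXNpZw=='
SAMPLE_NSEC='nxdomain.at. 3600 IN SOA ns1.nxdomain.at. hostmaster.nxdomain.at. 2020073558 3600 900 1209600 3600
nxdomain.at. 3600 IN NSEC www.nxdomain.at. A NS SOA RRSIG NSEC DNSKEY
nxdomain.at. 3600 IN RRSIG NSEC 8 2 3600 20200808000000 20200709000000 12345 nxdomain.at. c29tZXNpZw=='
```

Run `check_zone nxdomain.at 127.0.0.1` from cron on the signer after each transfer; `rndc signing -list nxdomain.at` shows the signer's current NSEC3 state for comparison.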