Changing NSEC3PARAM clearing the Opt-Out flag does not work
Summary
When changing the NSEC3 parameters and only clearing the Opt-Out flag, named checks whether the chain already exists. It falsely claims that it does.
BIND version used
9.17 (but pretty sure it's also in older versions)
Steps to reproduce
- Set up a zone with inline-signing.
- Start `named`.
- Run `rndc signing -nsec3param 1 1 5 -` to change to NSEC3.
- Now run `rndc signing -nsec3param 1 0 5 -` to clear the Opt-Out flag.
What is the current bug behavior?
BIND 9 will keep using the NSEC3 chain with the Opt-Out flag set.
What is the expected correct behavior?
BIND 9 should rebuild the NSEC3 chain, clearing the Opt-Out flags.
Relevant configuration files
zone "example." {
type master;
file "example.db";
inline-signing yes;
auto-dnssec maintain;
};
Relevant logs and/or screenshots
N/A
Possible fixes
The code first checks for a private TYPE65534 record, which indicates that an NSEC3 chain is in progress. If there is none (because it has been cleared or the chain has been completed), the code checks the NSEC3PARAM record. Since the NSEC3PARAM record always has its Flags field set to 0, the data comparison matches and the code concludes that a matching chain already exists.
We could check the Flags field of the NSEC3 records, but to make sure a complete chain exists, we would have to check every NSEC3 record.
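The check described above, as an added illustration that is not BIND's code: a simplified model of the "does this chain already exist" decision, with the NSEC3PARAM-only comparison that misses a cleared Opt-Out flag next to a variant that also inspects the Flags byte of every NSEC3 record. The `Params` type, the function names and the zone contents are constructed for this example.

```python
from dataclasses import dataclass, replace

OPT_OUT = 0x01  # NSEC3 Flags bit; NSEC3PARAM records always publish Flags = 0


@dataclass(frozen=True)
class Params:
    """Hash algorithm, flags, iterations and salt ("-" = empty), as given to rndc signing -nsec3param."""
    hash_alg: int
    flags: int
    iterations: int
    salt: str


def chain_exists_buggy(requested, in_progress, nsec3param):
    """Model of the check the report describes (constructed, not BIND's code).

    in_progress: chains recorded by the private TYPE65534 record (empty once a chain is complete).
    nsec3param:  published NSEC3PARAM records, whose Flags field is always 0.
    """
    if requested in in_progress:
        return True
    # The NSEC3PARAM comparison must zero the flags, so "1 1 5 -" and "1 0 5 -" compare equal.
    return replace(requested, flags=0) in nsec3param


def chain_exists_fixed(requested, in_progress, nsec3param, nsec3_flags):
    """Additionally require the Opt-Out bit of every NSEC3 record to match the request.

    nsec3_flags: the Flags byte of each NSEC3 record in the zone (constructed input).
    """
    if not chain_exists_buggy(requested, in_progress, nsec3param):
        return False
    if not nsec3_flags:
        return False  # an NSEC3PARAM without any NSEC3 records is not a complete chain
    want = requested.flags & OPT_OUT
    return all((flags & OPT_OUT) == want for flags in nsec3_flags)


# Constructed zone state after "rndc signing -nsec3param 1 1 5 -" has completed: the private
# record is gone, NSEC3PARAM shows Flags 0, and every NSEC3 record carries the Opt-Out bit.
PUBLISHED = [Params(1, 0, 5, "-")]
CHAIN_FLAGS = [OPT_OUT, OPT_OUT, OPT_OUT]
CLEAR_OPT_OUT = Params(1, 0, 5, "-")  # rndc signing -nsec3param 1 0 5 -

if __name__ == "__main__":
    print("buggy:", chain_exists_buggy(CLEAR_OPT_OUT, [], PUBLISHED))              # True (wrongly)
    print("fixed:", chain_exists_fixed(CLEAR_OPT_OUT, [], PUBLISHED, CHAIN_FLAGS))  # False
```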