CDS and CDNSKEY DELETE records prevent (re-)loading unsigned zone
Summary
BIND does not (re-)load an unsigned zone with CDS and CDNSKEY delete records.
BIND version used
BIND 9.16.12 (Stable Release) <id:aeb943d>
running on Linux x86_64 3.10.0-1160.11.1.el7.x86_64 #1 SMP Mon Nov 30 13:05:31 EST 2020
built by make with '--build=x86_64-koji-linux-gnu' '--host=x86_64-koji-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/opt/named' '--bindir=/opt/named/bin' '--sbindir=/opt/named/sbin' '--sysconfdir=/etc' '--datadir=/opt/named/share' '--includedir=/opt/named/include' '--libdir=/opt/named/lib64' '--libexecdir=/opt/named/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/opt/named/share/man' '--infodir=/opt/named/share/info' '--exec-prefix=/opt/named' '--disable-static' '--enable-dnstap' '--disable-openssl-version-check' '--with-randomdev=/dev/urandom' '--with-pic' '--with-json-c' '--with-libtool' '--with-libxml2' '--without-lmdb' '--with-tuning=large' '--with-python' '--with-python-install-dir=/opt/named/usr/lib/python2.7/site-packages' '--with-docbook-xsl=/opt/named/share/sgml/docbook/xsl-stylesheets' '--includedir=/opt/named/include/bind9' 'build_alias=x86_64-koji-linux-gnu' 'host_alias=x86_64-koji-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'PKG_CONFIG_PATH=:/opt/named/lib64/pkgconfig:/opt/named/share/pkgconfig'
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-44)
compiled with OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
compiled with libuv version: 1.40.0
linked to libuv version: 1.40.0
compiled with libxml2 version: 2.9.1
linked to libxml2 version: 20901
compiled with json-c version: 0.11
linked to json-c version: 0.11
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
compiled with protobuf-c version: 1.0.2
linked to protobuf-c version: 1.0.2
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
Steps to reproduce
I use BIND 9.16.12 and have a dynamic zone called badware.ch. This zone was originally DNSSEC signed using the new dnssec-policy option (see policy "test" below). I later changed it to "dnssec-policy none;". This published CDS and CDNSKEY DELETE records. Meanwhile, all DNSSEC records are gone, but the CDS and CDNSKEY DELETE records remain and eventually ended up in the unsigned zone file:
cat badware.ch
$ORIGIN .
$TTL 3600       ; 1 hour
badware.ch              IN SOA  scsnms.switch.ch. dns-operation.switch.ch. (
                                52         ; serial
                                3600       ; refresh (1 hour)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                15         ; minimum (15 seconds)
                                )
                        NS      ns2.switch.ch.
                        NS      scsnms.switch.ch.
                        CDS     0 0 0 (
                                00 )
                        CDNSKEY 0 3 0 (
                                AA==
                                ) ; ZSK; alg = 0 ; key id = 768
$ORIGIN badware.ch.
$TTL 60         ; 1 minute
www                     CNAME   www.switch.ch.
What is the current bug behavior?
If I manually make changes to the zone file or restart BIND, the zone fails to load. named-checkconf complains as follows:
named-checkconf: zone badware.ch/IN: CDS/CDNSKEY consistency checks failed
named-checkconf: zone badware.ch/IN: not loaded due to errors.
named-checkconf: _default/badware.ch/IN: bad CDS
I can temporarily resolve this by removing the CDS and CDNSKEY records from the zone file. However, they re-appear. I guess I should have told BIND that the previously used key has been withdrawn (I can't remember if I did this).
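Removing the records by hand is the workaround described above; it is worth being able to spot leftover DELETE records in a zone file before named-checkconf refuses the zone. The following is an added example and not code from this report or from BIND: a small parser for the master-file subset the zone above uses, a heuristic stand-in for the load-time consistency check that is modelled only on the symptom reported here (it is my reading, not BIND's actual logic), and a function that writes the zone back without the apex CDS/CDNSKEY records. SAMPLE_ZONE is a constructed copy of the zone file from this report, restored with the leading whitespace that blank-owner records need; the DELETE payloads are the RFC 8078 section 4 values (CDS 0 0 0 00, CDNSKEY 0 3 0 AA==).

```python
import re
from dataclasses import dataclass

# RFC 8078 section 4 DELETE records in presentation form: key tag (CDS) or
# flags (CDNSKEY) 0, digest type 0 / protocol 3, algorithm 0, one zero byte.
CDS_DELETE = ("0", "0", "0", "00")
CDNSKEY_DELETE = ("0", "3", "0", "AA==")
CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"\d+[smhdw]?", re.IGNORECASE)

@dataclass
class Entry:
    text: str          # the entry joined onto one physical line
    owner: str = ""    # absolute, lower-cased owner name ("" for directives)
    rrtype: str = ""   # "" for $ORIGIN / $TTL directives
    rdata: tuple = ()

def _strip_comment(line: str) -> str:
    """Drop a ';' comment (a ';' inside a quoted string is not a comment)."""
    return re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', line, maxsplit=1)[0]

def _logical_lines(text: str):
    """Join '(' ... ')' continuations; keep the first line's leading blanks,
    since a blank owner field means "same owner as the previous record"."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = _strip_comment(raw)
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            entry = " ".join([buf[0].rstrip()] + [b.strip() for b in buf[1:]])
            buf, depth = [], 0
            if entry.strip():
                yield entry.rstrip()

def parse_zone(text: str) -> list:
    """Parse the subset of master-file syntax used by the zone in this report."""
    origin, owner, entries = ".", "", []
    for line in _logical_lines(text):
        fields = line.split()
        if fields[0].upper() in ("$ORIGIN", "$TTL"):
            if fields[0].upper() == "$ORIGIN":
                origin = fields[1].lower()
            entries.append(Entry(line))
            continue
        if not line[0].isspace():                # explicit owner name
            name = fields.pop(0).lower()
            owner = (origin if name == "@" else name if name.endswith(".")
                     else name + "." + origin.lstrip("."))
        if not owner:
            raise ValueError("record before any owner name: " + line)
        while fields and (TTL_RE.fullmatch(fields[0]) or fields[0].upper() in CLASSES):
            fields.pop(0)                        # optional TTL / class before the type
        entries.append(Entry(line, owner, fields[0].upper(), tuple(fields[1:])))
    return entries

def is_delete(e: Entry) -> bool:
    """True for a CDS/CDNSKEY record carrying the RFC 8078 DELETE payload."""
    return (e.rrtype, e.rdata) in {("CDS", CDS_DELETE), ("CDNSKEY", CDNSKEY_DELETE)}

def check_zone(entries: list, apex: str) -> list:
    """Heuristic stand-in for the load-time check this report trips over (my reading
    of the symptom, not BIND's code): apex CDS/CDNSKEY records in a zone with no
    DNSKEY RRset have no key to be checked against.  An empty list means OK."""
    apex = apex.lower().rstrip(".") + "."
    has_dnskey = any(e.owner == apex and e.rrtype == "DNSKEY" for e in entries)
    return [f"{'DELETE' if is_delete(e) else 'non-DELETE'} {e.rrtype} at the apex "
            f"of a zone without DNSKEY: {e.text.strip()}"
            for e in entries
            if not has_dnskey and e.owner == apex and e.rrtype in ("CDS", "CDNSKEY")]

def strip_cds(entries: list, apex: str) -> str:
    """The manual workaround from the report: zone text without the apex CDS/CDNSKEY
    records.  Blank owner fields are written out in full so that no record silently
    inherits its owner from a line that was dropped."""
    apex = apex.lower().rstrip(".") + "."
    kept = [e for e in entries if not (e.owner == apex and e.rrtype in ("CDS", "CDNSKEY"))]
    return "\n".join(e.text if not e.text[0].isspace() else f"{e.owner} {e.text.strip()}"
                     for e in kept) + "\n"

# Constructed copy of the zone from this report, with the leading whitespace
# that blank-owner records need (the pasted copy in the report lost it).
SAMPLE_ZONE = """\
$ORIGIN .
$TTL 3600 ; 1 hour
badware.ch IN SOA scsnms.switch.ch. dns-operation.switch.ch. (
    52 ; serial
    3600 900 604800 15 ) ; refresh retry expire minimum
    NS ns2.switch.ch.
    NS scsnms.switch.ch.
    CDS 0 0 0 (
    00 )
    CDNSKEY 0 3 0 (
    AA==
    ) ; ZSK; alg = 0 ; key id = 768
$ORIGIN badware.ch.
$TTL 60 ; 1 minute
www CNAME www.switch.ch.
"""
```

parse_zone(SAMPLE_ZONE) yields the two DELETE records at badware.ch., check_zone(..., "badware.ch") reports both, and strip_cds(...) returns a zone that check_zone accepts while keeping the SOA, both NS records and the www CNAME. Because badware.ch is a dynamic zone, apply a cleaned file only between rndc freeze badware.ch and rndc thaw badware.ch (or delete the records with nsupdate instead); otherwise the file and the zone's journal get out of sync.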
What is the expected correct behavior?
It looks to me as if the CDS and CDNSKEY records should have been removed by BIND at the same time as all the other DNSSEC records were removed. I believe this would have prevented this error in the first place.
Maybe this issue is related to #1563.
Relevant configuration files
dnssec-policy "test" {
    // Keys
    keys {
        csk key-directory lifetime 4d algorithm 13;
    };
    // Key timings
    dnskey-ttl 3600;
    publish-safety 1h;
    retire-safety 1h;
    // Signature Validity
    signatures-refresh P1D;
    // Zone parameters
    max-zone-ttl 3600;
    zone-propagation-delay 300;
    // Parent parameters
    parent-ds-ttl 1h;
    parent-propagation-delay 1h;
};

zone "badware.ch" {
    type master;
    dnssec-policy none;
    key-directory "/etc/bind/inline-signing-keys";
    file "dynamic/badware.ch";
};
Relevant logs and/or screenshots
Previously used keys which were retired long ago (I believe):
rndc dnssec -status badware.ch
dnssec-policy: none
current time:  Mon Feb 22 19:29:39 2021

key: 54874 (ECDSAP256SHA256), CSK
  published:      no
  key signing:    no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         hidden
  - ds:             hidden
  - zone rrsig:     hidden
  - key rrsig:      hidden

key: 21327 (ECDSAP256SHA256), CSK
  published:      no
  key signing:    no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         hidden
  - ds:             unretentive
  - zone rrsig:     hidden
  - key rrsig:      hidden

key: 60492 (ECDSAP256SHA256), CSK
  published:      no
  key signing:    no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         hidden
  - ds:             unretentive
  - zone rrsig:     hidden
  - key rrsig:      hidden

key: 57028 (ECDSAP256SHA256), CSK
  published:      no
  key signing:    no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         hidden
  - ds:             unretentive
  - zone rrsig:     hidden
  - key rrsig:      hidden