BIND (ISC Open Source Projects) issue #2725, status: Closed
Created May 26, 2021 by Michel Lespinasse@lespinasse

inline signed zone changes NSEC3PARAM salt on every server restart

Summary

I noticed that, on every bind9 server restart, all my dnssec inline signed zones get assigned new NSEC3PARAM salts, and hence get re-signed and their serial numbers incremented.

This is not necessarily incorrect, but "seems wrong" - the server seems to take care to avoid unnecessary mass-signing in other places. This also has an impact on secondary zone servers, which may have to reload my zones even when I made no meaningful changes to them (for example, the server restart might be due to rebooting the machine for a totally unrelated reason).

BIND version used

Using the Debian buster-backports package, version 1:9.16.15-1~bpo10+1

This also happened on the previous buster-backports package version, which was based on bind9 version 9.16.13 (I just had not noticed before).

Steps to reproduce

This server has multiple zones with type master and dnssec-policy "secure"; my dnssec-policy is defined as follows:

dnssec-policy "secure" {
        dnskey-ttl 3h;
        keys {
                ksk lifetime unlimited algorithm ecdsap256sha256;
                zsk lifetime 4w algorithm ecdsap256sha256;
        };
        nsec3param;
        publish-safety 12h;
        retire-safety 12h;
        purge-keys 8w;
        signatures-refresh 3w;
        signatures-validity 4w;
        signatures-validity-dnskey 4w;
};

What is the current bug behavior?

Server restarts cause all zones to be re-signed:

zone lespinasse.org/IN/public (signed): generated salt: A960ABC630199BE5
zone lespinasse.org/IN/public (unsigned): loaded serial 2021052801
zone lespinasse.org/IN/public (signed): loaded serial 2021052818 (DNSSEC signed)
zone lespinasse.org/IN/public (signed): update_soa_serial:new serial would be lower than old serial, using increment method instead
zone lespinasse.org/IN/public (signed): zone_addnsec3chain(1,REMOVE|NONSEC,5,C739A8190008A3A9)
zone lespinasse.org/IN/public (signed): zone_addnsec3chain(1,CREATE,5,A960ABC630199BE5)
zone lespinasse.org/IN/public (signed): update_soa_serial:new serial would be lower than old serial, using increment method instead
zone lespinasse.org/IN/public (signed): sending notifies (serial 2021052820)
zone lespinasse.org/IN/public (signed): reconfiguring zone keys
CDS for key lespinasse.org/ECDSAP256SHA256/34562 is now published
CDNSKEY for key lespinasse.org/ECDSAP256SHA256/34562 is now published
zone lespinasse.org/IN/public (signed): update_soa_serial:new serial would be lower than old serial, using increment method instead
zone lespinasse.org/IN/public (signed): next key event: 26-May-2021 17:11:23.027
zone lespinasse.org/IN/public (signed): update_soa_serial:new serial would be lower than old serial, using increment method instead
[ .... above update_soa_serial line repeated many times .... ]
zone lespinasse.org/IN/public (signed): sending notifies (serial 2021052829)

What is the expected correct behavior?

Load the zone, notice that the (unsigned, text format) version has not changed, and don't re-sign anything.

Relevant configuration files

Relevant logs and/or screenshots

I hope I provided enough detail above; I can add more on request.

Edited May 26, 2021 by Michel Lespinasse
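The log excerpt above has a recognisable shape: a `generated salt` line, an NSEC3 chain `REMOVE` for the old salt followed by a `CREATE` for a new one, and then a run of serial increments and notifies with no change to the unsigned source serial. The following script, an added example that is not part of the report and not BIND's own code, parses `named` log lines of that form and reports each zone whose NSEC3 chain was replaced with a different salt, together with how far the signed serial moved past the serial that was loaded. The embedded sample lines are copied from the report; the regular expressions assume the message formats shown there and nothing else.

```python
"""Detect NSEC3 salt rotation (and the resulting re-sign) in BIND named logs."""
import re
import sys
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample lines copied from the report above (one zone's restart sequence).
SAMPLE_LOG = """\
zone lespinasse.org/IN/public (signed): generated salt: A960ABC630199BE5
zone lespinasse.org/IN/public (unsigned): loaded serial 2021052801
zone lespinasse.org/IN/public (signed): loaded serial 2021052818 (DNSSEC signed)
zone lespinasse.org/IN/public (signed): zone_addnsec3chain(1,REMOVE|NONSEC,5,C739A8190008A3A9)
zone lespinasse.org/IN/public (signed): zone_addnsec3chain(1,CREATE,5,A960ABC630199BE5)
zone lespinasse.org/IN/public (signed): sending notifies (serial 2021052820)
zone lespinasse.org/IN/public (signed): sending notifies (serial 2021052829)
"""

# Message shapes assumed from the log lines quoted in the report.
ZONE_RE = re.compile(r"^zone (?P<zone>\S+) \((?P<kind>signed|unsigned)\): (?P<msg>.*)$")
SALT_RE = re.compile(r"^generated salt: (?P<salt>[0-9A-Fa-f]+|-)$")
CHAIN_RE = re.compile(
    r"^zone_addnsec3chain\((?P<alg>\d+),(?P<flags>[A-Z|]+),(?P<iter>\d+),(?P<salt>[0-9A-Fa-f]+|-)\)$"
)
LOADED_RE = re.compile(r"^loaded serial (?P<serial>\d+)")
NOTIFY_RE = re.compile(r"^sending notifies \(serial (?P<serial>\d+)\)$")


@dataclass
class ZoneState:
    """Everything we track per zone name (name includes class and view)."""
    generated_salt: Optional[str] = None
    removed_salts: List[str] = field(default_factory=list)
    created_salts: List[str] = field(default_factory=list)
    loaded_serial: Dict[str, int] = field(default_factory=dict)  # "signed"/"unsigned" -> serial
    notify_serials: List[int] = field(default_factory=list)


def parse_log(lines) -> Dict[str, ZoneState]:
    """Fold zone-related log lines into per-zone state; unrelated lines are ignored."""
    zones: Dict[str, ZoneState] = defaultdict(ZoneState)
    for raw in lines:
        m = ZONE_RE.match(raw.strip())
        if not m:
            continue
        st = zones[m["zone"]]
        msg = m["msg"]
        if (s := SALT_RE.match(msg)):
            st.generated_salt = s["salt"].upper()
        elif (c := CHAIN_RE.match(msg)):
            flags = c["flags"].split("|")
            if "REMOVE" in flags:
                st.removed_salts.append(c["salt"].upper())
            elif "CREATE" in flags:
                st.created_salts.append(c["salt"].upper())
        elif (l := LOADED_RE.match(msg)):
            st.loaded_serial[m["kind"]] = int(l["serial"])
        elif (n := NOTIFY_RE.match(msg)):
            st.notify_serials.append(int(n["serial"]))
    return dict(zones)


def salt_rotations(zones: Dict[str, ZoneState]) -> Dict[str, Tuple[str, str, int]]:
    """Zones whose NSEC3 chain was removed and re-created with a different salt.

    Returns {zone: (old_salt, new_salt, serial_bumps)} where serial_bumps is how far
    the highest notified serial lies above the signed serial that was loaded.
    """
    out = {}
    for zone, st in zones.items():
        if not st.removed_salts or not st.created_salts:
            continue
        old, new = st.removed_salts[-1], st.created_salts[-1]
        if old == new:
            continue  # chain rebuilt with the same salt: not a salt rotation
        base = st.loaded_serial.get("signed")
        bumps = (max(st.notify_serials) - base) if (base is not None and st.notify_serials) else 0
        out[zone] = (old, new, bumps)
    return out


def report(text: str) -> List[str]:
    """Human-readable one-liners, one per rotated zone."""
    lines = []
    for zone, (old, new, bumps) in salt_rotations(parse_log(text.splitlines())).items():
        lines.append(f"{zone}: NSEC3 salt {old} -> {new}; signed serial advanced by {bumps}")
    return lines


if __name__ == "__main__":
    # Usage: python3 nsec3_salt_check.py [named.log]; with no argument the sample above is used.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in report(src) or ["no NSEC3 salt rotation found"]:
        print(line)
```

A zone that shows up here after a restart with no corresponding change to the unsigned serial is exhibiting exactly the behaviour the report describes: the re-sign and the notifies to secondaries were triggered by the salt change alone, which is worth knowing when correlating unexpected zone transfers with server reboots.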