inline signed zone changes NSEC3PARAM salt on every server restart
Summary
I noticed that, on every bind9 server restart, all my DNSSEC inline-signed zones get assigned new NSEC3PARAM salts, and hence get re-signed and their serial numbers incremented.
This is not necessarily incorrect, but "seems wrong" - the server seems to take care to avoid unnecessary mass-signing in other places. This also has impact on secondary zone servers which may have to reload my zones, even when I did no meaningful changes to them (for example, the server restart might be due to rebooting the machine for a totally unrelated reason).
BIND version used
Using the debian buster-backports package, version 1:9.16.15-1~bpo10+1
This also happened on the previous buster-backports package version, which was based on bind9 version 9.16.13 (I just had not noticed before).
Steps to reproduce
This server has multiple zones with type master and dnssec-policy "secure"; my dnssec-policy is defined as follows:
dnssec-policy "secure" {
    dnskey-ttl 3h;
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime 4w algorithm ecdsap256sha256;
    };
    nsec3param;
    publish-safety 12h;
    retire-safety 12h;
    purge-keys 8w;
    signatures-refresh 3w;
    signatures-validity 4w;
    signatures-validity-dnskey 4w;
};
What is the current bug behavior?
Server restarts cause all zones to be re-signed:
zone lespinasse.org/IN/public (signed): generated salt: A960ABC630199BE5
zone lespinasse.org/IN/public (unsigned): loaded serial 2021052801
zone lespinasse.org/IN/public (signed): loaded serial 2021052818 (DNSSEC signed)
zone lespinasse.org/IN/public (signed): update_soa_serial:new serial would be lower than old serial, using increment method instead
zone lespinasse.org/IN/public (signed): zone_addnsec3chain(1,REMOVE|NONSEC,5,C739A8190008A3A9)
zone lespinasse.org/IN/public (signed): zone_addnsec3chain(1,CREATE,5,A960ABC630199BE5)
zone lespinasse.org/IN/public (signed): update_soa_serial:new serial would be lower than old serial, using increment method instead
zone lespinasse.org/IN/public (signed): sending notifies (serial 2021052820)
zone lespinasse.org/IN/public (signed): reconfiguring zone keys
CDS for key lespinasse.org/ECDSAP256SHA256/34562 is now published
CDNSKEY for key lespinasse.org/ECDSAP256SHA256/34562 is now published
zone lespinasse.org/IN/public (signed): update_soa_serial:new serial would be lower than old serial, using increment method instead
zone lespinasse.org/IN/public (signed): next key event: 26-May-2021 17:11:23.027
zone lespinasse.org/IN/public (signed): update_soa_serial:new serial would be lower than old serial, using increment method instead
[ .... above update_soa_serial line repeated many times .... ]
zone lespinasse.org/IN/public (signed): sending notifies (serial 2021052829)
What is the expected correct behavior?
Load the zone, notice that the (unsigned, text-format) version has not changed, and don't re-sign anything.
Relevant configuration files
Relevant logs and/or screenshots
I hope I provided enough detail above, I can add more on request.
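As an added check (example code written for this page, not part of the bug report above and not BIND's own code), the script below parses named log lines of the shape shown in the excerpt and flags zones whose NSEC3 chain was torn down and rebuilt under a different salt while the zone serial advanced, which is the restart symptom reported here. The embedded sample log is a constructed, trimmed copy of the excerpt plus a made-up second zone `quiet.example` that loaded without being re-signed; the zone-name keys, the field names and the "salt rotated plus serial bump" rule are assumptions of this example, and the `-` alternative in the salt regexes is an assumption about how an empty salt is printed.

```python
"""Flag inline-signed zones that named re-signed on restart by regenerating
their NSEC3 salt, judged from log lines like those in the report above.
Added example; not part of the original bug report or of BIND itself."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the restart log excerpt in the report,
# plus a second (made-up) zone that loaded without any chain rebuild.
SAMPLE_LOG = """\
zone lespinasse.org/IN/public (signed): generated salt: A960ABC630199BE5
zone lespinasse.org/IN/public (unsigned): loaded serial 2021052801
zone lespinasse.org/IN/public (signed): loaded serial 2021052818 (DNSSEC signed)
zone lespinasse.org/IN/public (signed): zone_addnsec3chain(1,REMOVE|NONSEC,5,C739A8190008A3A9)
zone lespinasse.org/IN/public (signed): zone_addnsec3chain(1,CREATE,5,A960ABC630199BE5)
zone lespinasse.org/IN/public (signed): sending notifies (serial 2021052820)
zone lespinasse.org/IN/public (signed): sending notifies (serial 2021052829)
zone quiet.example/IN/public (unsigned): loaded serial 2021052801
zone quiet.example/IN/public (signed): loaded serial 2021052805 (DNSSEC signed)
"""

# Every line of interest starts with "zone NAME (signed|unsigned): "; the rest
# is matched by one regex per message shape. "-" for a salt is an assumption
# about how an empty salt would be printed.
_PREFIX = re.compile(r"^zone (?P<zone>\S+) \((?P<kind>signed|unsigned)\): (?P<msg>.*)$")
_SALT = re.compile(r"^generated salt: (?P<salt>[0-9A-Fa-f]+|-)$")
_LOADED = re.compile(r"^loaded serial (?P<serial>\d+)")
_CHAIN = re.compile(
    r"^zone_addnsec3chain\((?P<hash>\d+),(?P<flags>[A-Z|]+),(?P<iter>\d+),(?P<salt>[0-9A-Fa-f]+|-)\)$")
_NOTIFY = re.compile(r"^sending notifies \(serial (?P<serial>\d+)\)$")


@dataclass
class ZoneRestart:
    """What one restart did to one zone, accumulated from its log lines."""
    zone: str
    unsigned_serial: Optional[int] = None  # serial of the text-format source zone
    signed_serial: Optional[int] = None    # serial the signed zone loaded with
    generated_salts: List[str] = field(default_factory=list)
    removed_salts: List[str] = field(default_factory=list)  # NSEC3 chains torn down
    created_salts: List[str] = field(default_factory=list)  # NSEC3 chains built
    notified_serials: List[int] = field(default_factory=list)

    @property
    def salt_rotated(self) -> bool:
        """A chain was removed and a chain with a different salt was created."""
        return (bool(self.removed_salts) and bool(self.created_salts)
                and set(self.created_salts).isdisjoint(self.removed_salts))

    @property
    def serial_bump(self) -> int:
        """How far the serial moved between load and the last NOTIFY (0 if unknown)."""
        if self.signed_serial is None or not self.notified_serials:
            return 0
        return max(self.notified_serials) - self.signed_serial

    @property
    def resigned_on_restart(self) -> bool:
        # The reported symptom: new salt, rebuilt chain, and secondaries notified
        # of a higher serial although nothing in the source zone changed.
        return self.salt_rotated and self.serial_bump > 0


def parse_restart_log(text: str) -> Dict[str, ZoneRestart]:
    """Group the relevant log lines by zone (name/class/view as named prints it)."""
    zones: Dict[str, ZoneRestart] = {}
    for line in text.splitlines():
        m = _PREFIX.match(line.strip())
        if not m:
            continue  # key events, CDS notices, update_soa_serial chatter, etc.
        z = zones.setdefault(m["zone"], ZoneRestart(m["zone"]))
        kind, msg = m["kind"], m["msg"]
        if (s := _SALT.match(msg)):
            z.generated_salts.append(s["salt"].upper())
        elif (s := _LOADED.match(msg)):
            if kind == "unsigned":
                z.unsigned_serial = int(s["serial"])
            else:
                z.signed_serial = int(s["serial"])
        elif (s := _CHAIN.match(msg)):
            target = z.removed_salts if "REMOVE" in s["flags"].split("|") else z.created_salts
            target.append(s["salt"].upper())
        elif (s := _NOTIFY.match(msg)):
            z.notified_serials.append(int(s["serial"]))
    return zones


def zones_resigned_on_restart(text: str) -> List[str]:
    """Names of zones whose restart log shows a salt rotation plus a serial bump."""
    return sorted(name for name, z in parse_restart_log(text).items() if z.resigned_on_restart)


if __name__ == "__main__":
    for name, z in parse_restart_log(SAMPLE_LOG).items():
        print(f"{name}: salt_rotated={z.salt_rotated} serial_bump={z.serial_bump} "
              f"resigned_on_restart={z.resigned_on_restart}")
```

To use it on a real server, feed it the named log (or `journalctl -u named` output) covering the restart window; any zone it lists was re-signed and NOTIFYed without a source-zone change. Comparing `dig NSEC3PARAM <zone>` and `dig SOA <zone>` output taken before and after the restart is the live equivalent of the same check.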