Dynamically added CDS is deleted on signing
Summary
When a CDS record is dynamically added to a zone, BIND deletes it the next time it signs the zone. The reason I want to add a CDS "manually" is to test CDS Delete.
BIND version used
```
BIND 9.17.18 (Development Release) <id:1af9d8d>
running on Darwin x86_64 19.6.0 Darwin Kernel Version 19.6.0: Thu Sep 16 20:58:47 PDT 2021; root:xnu-6153.141.40.1~1/RELEASE_X86_64
built by make with '--prefix=/usr/local/bind9git' '--with-libxml2' '--with-json-c' '--with-openssl=/usr/local/Cellar/openssl@1.1/1.1.1i/' 'LDFLAGS=-L/usr/local/Cellar/openssl@1.1/1.1.1i/lib/' 'CPPFLAGS=-I/usr/local/Cellar/openssl@1.1/1.1.1i/include/' 'PYTHON=/usr/local/bin/python3.9'
compiled by CLANG Apple LLVM 12.0.0 (clang-1200.0.32.29)
compiled with OpenSSL version: OpenSSL 1.1.1i 8 Dec 2020
linked to OpenSSL version: OpenSSL 1.1.1i 8 Dec 2020
compiled with libuv version: 1.40.0
linked to libuv version: 1.40.0
compiled with libnghttp2 version: 1.42.0
linked to libnghttp2 version: 1.42.0
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
default paths:
  named configuration:  /usr/local/bind9git/etc/named.conf
  rndc configuration:   /usr/local/bind9git/etc/rndc.conf
  DNSSEC root key:      /usr/local/bind9git/etc/bind.keys
  nsupdate session key: /usr/local/bind9git/var/run/named/session.key
  named PID file:       /usr/local/bind9git/var/run/named/named.pid
  named lock file:      /usr/local/bind9git/var/run/named/named.lock
```
Steps to reproduce
1. Use `dnssec-settime` to set the CDS publication time:

   ```
   $ dnssec-settime -P sync now Ktcp.aa.+013+41706.
   ```

2. Sign the zone:

   ```
   $ rndc sign tcp.aa
   05-Oct-2021 10:12:50.430 zone tcp.aa/IN: reconfiguring zone keys
   05-Oct-2021 10:12:50.431 CDS for key tcp.aa/ECDSAP256SHA256/41706 is now published
   05-Oct-2021 10:12:50.431 CDNSKEY for key tcp.aa/ECDSAP256SHA256/41706 is now published
   ```

3. Remove the BIND-generated CDS and sign the zone:

   ```
   $ dnssec-settime -D sync now Ktcp.aa.+013+41706.
   $ rndc sign tcp.aa
   05-Oct-2021 10:15:49.902 zone tcp.aa/IN: reconfiguring zone keys
   05-Oct-2021 10:15:49.903 CDS (SHA-256) for key tcp.aa/ECDSAP256SHA256/41706 is now deleted
   05-Oct-2021 10:15:49.903 CDNSKEY for key tcp.aa/ECDSAP256SHA256/41706 is now deleted
   ```

4. Manually add a Delete CDS and initiate signing:

   ```
   $ nsupdate -k jp.tsig <<E
   > server ::1
   > zone tcp.aa.
   > ttl 61
   > add tcp.aa. CDS 0 0 0 00
   > send
   E
   $ rndc sign tcp.aa
   ```

5. Observe the console:

   ```
   05-Oct-2021 10:17:03.549 received control channel command 'sign tcp.aa'
   05-Oct-2021 10:17:03.549 zone tcp.aa/IN: reconfiguring zone keys
   05-Oct-2021 10:17:03.550 CDS (DELETE) for zone tcp.aa is now deleted
   ```
If I remove the SyncDelete setting with `dnssec-settime -D sync none Ktcp.aa.+013+41706.` and try to update the zone dynamically with the Delete CDS, the update fails with a REFUSED, and the console logs:

```
05-Oct-2021 15:37:12.604 client @0x10cb1e168 ::1#59312/key jp: updating zone 'tcp.aa/IN': adding an RR at 'tcp.aa' CDS 0 0 0 00
05-Oct-2021 15:37:12.604 client @0x10cb1e168 ::1#59312/key jp: updating zone 'tcp.aa/IN': update rejected: bad CDS RRset
```
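To make the observed sequence concrete, here is an added example (not code from the issue or from BIND) that classifies an apex CDS RRset the way a parent-side checker or an operator watching the zone after each `rndc sign` would read it. It assumes the RFC 8078 section 4 rule that the special `CDS 0 0 0 00` record stands alone in the RRset, and the digest lengths of RFC 4034/4509/6605; the 32-byte digest in `SAMPLE_CDS` is constructed, only the key tag 41706 and algorithm 13 mirror the key in the issue. It does not reproduce BIND's exact "bad CDS RRset" validation.

```python
"""Classify an apex CDS RRset (EMPTY / PUBLISH / DELETE / INVALID).

Added example, not BIND code.  DELETE semantics follow RFC 8078 section 4;
digest lengths follow RFC 4034 (SHA-1), RFC 4509 (SHA-256), RFC 6605 (SHA-384).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Digest length in bytes per DS digest type: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_LEN = {1: 20, 2: 32, 4: 48}


@dataclass(frozen=True)
class CDS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

    @property
    def is_delete(self) -> bool:
        # RFC 8078 section 4: "CDS 0 0 0 00" asks the parent to remove the DS RRset.
        return (self.key_tag, self.algorithm, self.digest_type, self.digest) == (0, 0, 0, b"\x00")


def parse_cds_rdata(text: str) -> CDS:
    """Parse presentation-format RDATA such as '41706 13 2 AB12...'.

    Zone files may split the hex digest into several whitespace-separated
    groups, so everything after the third field is joined before decoding."""
    fields = text.split(None, 3)
    if len(fields) != 4:
        raise ValueError(f"CDS RDATA needs 4 fields: {text!r}")
    tag, alg, dtype, hexdigest = fields
    digest = bytes.fromhex(re.sub(r"\s+", "", hexdigest))
    return CDS(int(tag), int(alg), int(dtype), digest)


def classify_cds_rrset(rdatas: Iterable[str]) -> Tuple[str, str]:
    """Return (state, reason); state is EMPTY, DELETE, PUBLISH or INVALID."""
    records: List[CDS] = [parse_cds_rdata(r) for r in rdatas]
    if not records:
        return "EMPTY", "no CDS at the apex; parent keeps its current DS"
    if any(r.is_delete for r in records):
        if len(records) > 1:
            # A DELETE record only makes sense on its own (RFC 8078 section 4).
            return "INVALID", "DELETE CDS mixed with other CDS records"
        return "DELETE", "parent should remove the DS RRset"
    for r in records:
        expected = DIGEST_LEN.get(r.digest_type)
        if expected is None:
            return "INVALID", f"unknown digest type {r.digest_type}"
        if len(r.digest) != expected:
            return "INVALID", (f"digest type {r.digest_type} needs {expected} bytes, "
                               f"got {len(r.digest)}")
    return "PUBLISH", f"{len(records)} DS candidate(s) for the parent"


# Constructed sample RDATA: the digest is made up; key tag 41706 and
# algorithm 13 (ECDSAP256SHA256) mirror the key named in the issue.
SAMPLE_CDS = "41706 13 2 " + "ab" * 32
DELETE_CDS = "0 0 0 00"

# The sequence from the reproduction steps: CDS published, withdrawn with
# `-D sync`, DELETE record added via nsupdate, then (the bug) gone again
# after the next `rndc sign`.
OBSERVED_SEQUENCE = [[SAMPLE_CDS], [], [DELETE_CDS], []]


def trace_states(sequence: List[List[str]]) -> List[str]:
    """Map each RRset snapshot in the sequence to its state label."""
    return [classify_cds_rrset(rrset)[0] for rrset in sequence]


if __name__ == "__main__":
    for rrset, state in zip(OBSERVED_SEQUENCE, trace_states(OBSERVED_SEQUENCE)):
        print(f"{state:8} <- {rrset}")
```

Running it prints `PUBLISH`, `EMPTY`, `DELETE`, `EMPTY` for the four snapshots; the expected final state after step 4 would have been `DELETE`, which is what a parent polling for CDS needs to see in order to withdraw the DS.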
What is the current bug behavior?
The manually added CDS record is removed from the zone.
What is the expected correct behavior?
I would expect the CDS to happily continue to exist in the zone and be signed.
Relevant configuration files
```
zone "tcp.aa" in {
    type primary;
    file "master/tcp.aa/tcp.aa";
    key-directory "/var/named/master/tcp.aa";
    auto-dnssec maintain;
    update-policy {
        grant "jp" zonesub ANY;
    };
};
```
Relevant logs and/or screenshots
```
05-Oct-2021 10:11:05.511 zone tcp.aa/IN: loaded serial 1
05-Oct-2021 10:11:05.511 zone tcp.aa/IN: sending notifies (serial 1)
05-Oct-2021 10:11:05.511 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:11:05.511 all zones loaded
05-Oct-2021 10:11:05.511 running
05-Oct-2021 10:11:05.511 zone tcp.aa/IN: next key event: 05-Oct-2021 11:11:05.511
05-Oct-2021 10:11:05.540 managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
05-Oct-2021 10:11:05.556 resolver priming query complete
05-Oct-2021 10:12:16.966 received control channel command 'sign tcp.aa'
05-Oct-2021 10:12:16.966 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:12:16.967 Fetching tcp.aa/ECDSAP256SHA256/41706 (ZSK) from key repository.
05-Oct-2021 10:12:16.967 DNSKEY tcp.aa/ECDSAP256SHA256/41706 (ZSK) is now published
05-Oct-2021 10:12:16.967 DNSKEY tcp.aa/ECDSAP256SHA256/41706 (ZSK) is now active
05-Oct-2021 10:12:16.968 zone tcp.aa/IN: next key event: 05-Oct-2021 11:12:16.966
05-Oct-2021 10:12:16.968 zone tcp.aa/IN: sending notifies (serial 2)
05-Oct-2021 10:12:21.969 zone tcp.aa/IN: sending notifies (serial 3)
05-Oct-2021 10:12:50.430 received control channel command 'sign tcp.aa'
05-Oct-2021 10:12:50.430 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:12:50.431 CDS for key tcp.aa/ECDSAP256SHA256/41706 is now published
05-Oct-2021 10:12:50.431 CDNSKEY for key tcp.aa/ECDSAP256SHA256/41706 is now published
05-Oct-2021 10:12:50.432 zone tcp.aa/IN: next key event: 05-Oct-2021 11:12:50.430
05-Oct-2021 10:12:50.432 zone tcp.aa/IN: sending notifies (serial 4)
05-Oct-2021 10:13:09.058 client @0x11307c168 ::1#60208 (tcp.aa): query: tcp.aa IN CDS +E(0)K (::1)
05-Oct-2021 10:14:18.870 received control channel command 'reconfig'
05-Oct-2021 10:14:18.870 loading configuration from '/usr/local/etc/named-cds.conf'
05-Oct-2021 10:14:18.870 unable to open '/usr/local/bind9git/etc/bind.keys'; using built-in keys instead
05-Oct-2021 10:14:18.870 max open files (10240) is smaller than max sockets (21000)
05-Oct-2021 10:14:18.870 using default UDP/IPv4 port range: [49152, 65535]
05-Oct-2021 10:14:18.870 using default UDP/IPv6 port range: [49152, 65535]
05-Oct-2021 10:14:18.871 sizing zone task pool based on 1 zones
05-Oct-2021 10:14:18.872 using built-in root key for view _default
05-Oct-2021 10:14:18.873 not using config file logging statement for logging due to -g option
05-Oct-2021 10:14:18.873 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:14:18.873 reloading configuration succeeded
05-Oct-2021 10:14:18.874 zone tcp.aa/IN: next key event: 05-Oct-2021 11:14:18.873
05-Oct-2021 10:14:18.874 scheduled loading new zones
05-Oct-2021 10:14:18.874 any newly configured zones are now loaded
05-Oct-2021 10:14:18.874 running
05-Oct-2021 10:14:18.888 managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
05-Oct-2021 10:15:05.413 client @0x113257168 ::1#60312/key jp: updating zone 'tcp.aa/IN': update failed: update RR is outside zone (NOTZONE)
05-Oct-2021 10:15:14.306 client @0x11326f168 ::1#60312/key jp: updating zone 'tcp.aa/IN': adding an RR at 'a.tcp.aa' A 1.1.1.1
05-Oct-2021 10:15:14.308 zone tcp.aa/IN: sending notifies (serial 5)
05-Oct-2021 10:15:23.646 client @0x112a53168 ::1#49444 (tcp.aa): query: tcp.aa IN CDS +E(0)K (::1)
05-Oct-2021 10:15:27.533 client @0x113295168 ::1#49446 (a.tcp.aa): query: a.tcp.aa IN A +E(0)K (::1)
05-Oct-2021 10:15:49.902 received control channel command 'sign tcp.aa'
05-Oct-2021 10:15:49.902 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:15:49.903 CDS (SHA-256) for key tcp.aa/ECDSAP256SHA256/41706 is now deleted
05-Oct-2021 10:15:49.903 CDNSKEY for key tcp.aa/ECDSAP256SHA256/41706 is now deleted
05-Oct-2021 10:15:49.904 zone tcp.aa/IN: next key event: 05-Oct-2021 11:15:49.902
05-Oct-2021 10:15:49.904 zone tcp.aa/IN: sending notifies (serial 6)
05-Oct-2021 10:15:56.252 client @0x1132bc168 ::1#49448 (tcp.aa): query: tcp.aa IN CDS +E(0)K (::1)
05-Oct-2021 10:16:46.347 client @0x113257168 ::1#53009/key jp: updating zone 'tcp.aa/IN': adding an RR at 'tcp.aa' CDS 0 0 0 00
05-Oct-2021 10:16:46.349 zone tcp.aa/IN: sending notifies (serial 7)
05-Oct-2021 10:16:57.813 client @0x113257168 ::1#60572 (tcp.aa): query: tcp.aa IN CDS +E(0)K (::1)
05-Oct-2021 10:17:03.549 received control channel command 'sign tcp.aa'
05-Oct-2021 10:17:03.549 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:17:03.550 CDS (DELETE) for zone tcp.aa is now deleted
05-Oct-2021 10:17:03.551 zone tcp.aa/IN: next key event: 05-Oct-2021 11:17:03.549
05-Oct-2021 10:17:03.551 zone tcp.aa/IN: sending notifies (serial 8)
```
Related
These issues are possibly related:
Edited by JP Mens