ISC Open Source Projects / BIND / Issues / #2931
Closed
Issue created Oct 05, 2021 by JP Mens (@jpmens), Contributor

Dynamically added CDS is deleted on signing

Summary

When a CDS record is dynamically added to a zone, BIND deletes it when it next signs the zone. The reason for my wanting to add a CDS "manually" is in order to test CDS Delete.

BIND version used

BIND 9.17.18 (Development Release) <id:1af9d8d>
running on Darwin x86_64 19.6.0 Darwin Kernel Version 19.6.0: Thu Sep 16 20:58:47 PDT 2021; root:xnu-6153.141.40.1~1/RELEASE_X86_64
built by make with  '--prefix=/usr/local/bind9git' '--with-libxml2' '--with-json-c' '--with-openssl=/usr/local/Cellar/openssl@1.1/1.1.1i/' 'LDFLAGS=-L/usr/local/Cellar/openssl@1.1/1.1.1i/lib/' 'CPPFLAGS=-I/usr/local/Cellar/openssl@1.1/1.1.1i/include/' 'PYTHON=/usr/local/bin/python3.9'
compiled by CLANG Apple LLVM 12.0.0 (clang-1200.0.32.29)
compiled with OpenSSL version: OpenSSL 1.1.1i  8 Dec 2020
linked to OpenSSL version: OpenSSL 1.1.1i  8 Dec 2020
compiled with libuv version: 1.40.0
linked to libuv version: 1.40.0
compiled with libnghttp2 version: 1.42.0
linked to libnghttp2 version: 1.42.0
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled

default paths:
  named configuration:  /usr/local/bind9git/etc/named.conf
  rndc configuration:   /usr/local/bind9git/etc/rndc.conf
  DNSSEC root key:      /usr/local/bind9git/etc/bind.keys
  nsupdate session key: /usr/local/bind9git/var/run/named/session.key
  named PID file:       /usr/local/bind9git/var/run/named/named.pid
  named lock file:      /usr/local/bind9git/var/run/named/named.lock

Steps to reproduce

  1. Use dnssec-settime to set CDS publication time

    $ dnssec-settime -P sync now Ktcp.aa.+013+41706.
  2. Sign the zone

    $ rndc sign tcp.aa
    05-Oct-2021 10:12:50.430 zone tcp.aa/IN: reconfiguring zone keys
    05-Oct-2021 10:12:50.431 CDS for key tcp.aa/ECDSAP256SHA256/41706 is now published
    05-Oct-2021 10:12:50.431 CDNSKEY for key tcp.aa/ECDSAP256SHA256/41706 is now published
  3. Remove the BIND-generated CDS and sign the zone

    $ dnssec-settime -D sync now Ktcp.aa.+013+41706.
    $ rndc sign tcp.aa
    05-Oct-2021 10:15:49.902 zone tcp.aa/IN: reconfiguring zone keys
    05-Oct-2021 10:15:49.903 CDS (SHA-256) for key tcp.aa/ECDSAP256SHA256/41706 is now deleted
    05-Oct-2021 10:15:49.903 CDNSKEY for key tcp.aa/ECDSAP256SHA256/41706 is now deleted
  4. Manually add a Delete CDS and initiate signing

    $ nsupdate -k jp.tsig <<E
    > server ::1
    > zone tcp.aa.
    > ttl 61
    > add tcp.aa. CDS 0 0 0 00
    > send
    E
    $ rndc sign tcp.aa
  5. Observe console

    05-Oct-2021 10:17:03.549 received control channel command 'sign tcp.aa'
    05-Oct-2021 10:17:03.549 zone tcp.aa/IN: reconfiguring zone keys
    05-Oct-2021 10:17:03.550 CDS (DELETE) for zone tcp.aa is now deleted

If I remove the SyncDelete setting with dnssec-settime -D sync none Ktcp.aa.+013+41706. and try to update the zone dynamically with the Delete CDS, the update fails with a REFUSED, and the console logs:

05-Oct-2021 15:37:12.604 client @0x10cb1e168 ::1#59312/key jp: updating zone 'tcp.aa/IN': adding an RR at 'tcp.aa' CDS 0 0 0 00
05-Oct-2021 15:37:12.604 client @0x10cb1e168 ::1#59312/key jp: updating zone 'tcp.aa/IN': update rejected: bad CDS RRset

What is the current bug behavior?

The manually added CDS record is removed from the zone.

What is the expected correct behavior?

I would expect the CDS to happily continue to exist in the zone and be signed.

Relevant configuration files

zone "tcp.aa" in {
        type primary;
        file "master/tcp.aa/tcp.aa";
        key-directory "/var/named/master/tcp.aa";
        auto-dnssec maintain;
        update-policy {
                grant "jp" zonesub ANY;
        };
};

Relevant logs and/or screenshots

05-Oct-2021 10:11:05.511 zone tcp.aa/IN: loaded serial 1
05-Oct-2021 10:11:05.511 zone tcp.aa/IN: sending notifies (serial 1)
05-Oct-2021 10:11:05.511 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:11:05.511 all zones loaded
05-Oct-2021 10:11:05.511 running
05-Oct-2021 10:11:05.511 zone tcp.aa/IN: next key event: 05-Oct-2021 11:11:05.511
05-Oct-2021 10:11:05.540 managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
05-Oct-2021 10:11:05.556 resolver priming query complete
05-Oct-2021 10:12:16.966 received control channel command 'sign tcp.aa'
05-Oct-2021 10:12:16.966 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:12:16.967 Fetching tcp.aa/ECDSAP256SHA256/41706 (ZSK) from key repository.
05-Oct-2021 10:12:16.967 DNSKEY tcp.aa/ECDSAP256SHA256/41706 (ZSK) is now published
05-Oct-2021 10:12:16.967 DNSKEY tcp.aa/ECDSAP256SHA256/41706 (ZSK) is now active
05-Oct-2021 10:12:16.968 zone tcp.aa/IN: next key event: 05-Oct-2021 11:12:16.966
05-Oct-2021 10:12:16.968 zone tcp.aa/IN: sending notifies (serial 2)
05-Oct-2021 10:12:21.969 zone tcp.aa/IN: sending notifies (serial 3)
05-Oct-2021 10:12:50.430 received control channel command 'sign tcp.aa'
05-Oct-2021 10:12:50.430 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:12:50.431 CDS for key tcp.aa/ECDSAP256SHA256/41706 is now published
05-Oct-2021 10:12:50.431 CDNSKEY for key tcp.aa/ECDSAP256SHA256/41706 is now published
05-Oct-2021 10:12:50.432 zone tcp.aa/IN: next key event: 05-Oct-2021 11:12:50.430
05-Oct-2021 10:12:50.432 zone tcp.aa/IN: sending notifies (serial 4)

05-Oct-2021 10:13:09.058 client @0x11307c168 ::1#60208 (tcp.aa): query: tcp.aa IN CDS +E(0)K (::1)
05-Oct-2021 10:14:18.870 received control channel command 'reconfig'
05-Oct-2021 10:14:18.870 loading configuration from '/usr/local/etc/named-cds.conf'
05-Oct-2021 10:14:18.870 unable to open '/usr/local/bind9git/etc/bind.keys'; using built-in keys instead
05-Oct-2021 10:14:18.870 max open files (10240) is smaller than max sockets (21000)
05-Oct-2021 10:14:18.870 using default UDP/IPv4 port range: [49152, 65535]
05-Oct-2021 10:14:18.870 using default UDP/IPv6 port range: [49152, 65535]
05-Oct-2021 10:14:18.871 sizing zone task pool based on 1 zones
05-Oct-2021 10:14:18.872 using built-in root key for view _default
05-Oct-2021 10:14:18.873 not using config file logging statement for logging due to -g option
05-Oct-2021 10:14:18.873 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:14:18.873 reloading configuration succeeded
05-Oct-2021 10:14:18.874 zone tcp.aa/IN: next key event: 05-Oct-2021 11:14:18.873
05-Oct-2021 10:14:18.874 scheduled loading new zones
05-Oct-2021 10:14:18.874 any newly configured zones are now loaded
05-Oct-2021 10:14:18.874 running
05-Oct-2021 10:14:18.888 managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
05-Oct-2021 10:15:05.413 client @0x113257168 ::1#60312/key jp: updating zone 'tcp.aa/IN': update failed: update RR is outside zone (NOTZONE)
05-Oct-2021 10:15:14.306 client @0x11326f168 ::1#60312/key jp: updating zone 'tcp.aa/IN': adding an RR at 'a.tcp.aa' A 1.1.1.1
05-Oct-2021 10:15:14.308 zone tcp.aa/IN: sending notifies (serial 5)
05-Oct-2021 10:15:23.646 client @0x112a53168 ::1#49444 (tcp.aa): query: tcp.aa IN CDS +E(0)K (::1)
05-Oct-2021 10:15:27.533 client @0x113295168 ::1#49446 (a.tcp.aa): query: a.tcp.aa IN A +E(0)K (::1)
05-Oct-2021 10:15:49.902 received control channel command 'sign tcp.aa'
05-Oct-2021 10:15:49.902 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:15:49.903 CDS (SHA-256) for key tcp.aa/ECDSAP256SHA256/41706 is now deleted
05-Oct-2021 10:15:49.903 CDNSKEY for key tcp.aa/ECDSAP256SHA256/41706 is now deleted
05-Oct-2021 10:15:49.904 zone tcp.aa/IN: next key event: 05-Oct-2021 11:15:49.902
05-Oct-2021 10:15:49.904 zone tcp.aa/IN: sending notifies (serial 6)

05-Oct-2021 10:15:56.252 client @0x1132bc168 ::1#49448 (tcp.aa): query: tcp.aa IN CDS +E(0)K (::1)
05-Oct-2021 10:16:46.347 client @0x113257168 ::1#53009/key jp: updating zone 'tcp.aa/IN': adding an RR at 'tcp.aa' CDS 0 0 0 00
05-Oct-2021 10:16:46.349 zone tcp.aa/IN: sending notifies (serial 7)
05-Oct-2021 10:16:57.813 client @0x113257168 ::1#60572 (tcp.aa): query: tcp.aa IN CDS +E(0)K (::1)
05-Oct-2021 10:17:03.549 received control channel command 'sign tcp.aa'
05-Oct-2021 10:17:03.549 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:17:03.550 CDS (DELETE) for zone tcp.aa is now deleted
05-Oct-2021 10:17:03.551 zone tcp.aa/IN: next key event: 05-Oct-2021 11:17:03.549
05-Oct-2021 10:17:03.551 zone tcp.aa/IN: sending notifies (serial 8)

Related

These issues are possibly related:

  • Allow for arbitrary CDS/CDNSKEY records to be published
  • Simplify adding CDS and CDNSKEY deletion records to a inline zone
Edited Oct 06, 2021 by JP Mens
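The report exercises two things a parent-side (or an operator debugging the "bad CDS RRset" rejection above) would want to check by hand: whether a CDS RRset is the RFC 8078 DELETE sentinel (CDS 0 0 0 00 / CDNSKEY 0 3 0 AA==), and whether any other CDS record actually equals a DS computed from a DNSKEY present in the zone. The following is an added example written for this page, not BIND code and not how BIND implements its own check; the acceptance policy it applies (a DELETE sentinel must stand alone, every other CDS must match a zone DNSKEY by key tag, algorithm and digest) is this example's own reading of RFC 8078, and the sample DNSKEY is constructed placeholder bytes, which is sufficient because a DS digest only hashes the owner name and RDATA.

```python
"""Check a CDS RRset against the zone's DNSKEYs and the RFC 8078 DELETE sentinel.

Added example, not BIND's code. SAMPLE_KEY below is constructed bytes, not a
real key; DS digests are computed over raw bytes, so that is all that is needed.
"""
import hashlib

# RFC 8078 section 4 sentinels in presentation form.
CDS_DELETE = (0, 0, 0, "00")
CDNSKEY_DELETE = (0, 3, 0, "AA==")

# DS digest types this example can verify: 2 = SHA-256, 4 = SHA-384.
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Uncompressed, lower-cased wire form of an owner name (RFC 4034 5.1.4)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2):
    """(key tag, algorithm, digest type, hex digest) exactly as a CDS would carry it."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def parse_cds(text: str):
    """Parse 'keytag alg digesttype hexdigest'; the digest may be split by spaces."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError(f"malformed CDS rdata: {text!r}")
    return int(fields[0]), int(fields[1]), int(fields[2]), "".join(fields[3:]).upper()


def is_cds_delete(rr) -> bool:
    return rr == CDS_DELETE


def validate_cds_rrset(owner: str, cds_texts, dnskeys):
    """Return (ok, reason).

    Policy (this example's reading of RFC 8078): a DELETE sentinel must be the
    only record in the RRset; every other CDS must equal a DS computed from one
    of `dnskeys`, given as (flags, protocol, algorithm, pubkey) tuples.
    """
    rrs = [parse_cds(t) for t in cds_texts]
    if not rrs:
        return True, "empty CDS RRset"
    if any(is_cds_delete(rr) for rr in rrs):
        if len(rrs) == 1:
            return True, "DELETE sentinel: parent should remove the DS"
        return False, "DELETE sentinel mixed with other CDS records"
    expected = set()
    for flags, proto, alg, pub in dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, pub)
        for dtype in DIGESTS:
            expected.add(ds_from_dnskey(owner, rdata, dtype))
    for rr in rrs:
        if rr[2] not in DIGESTS:
            return False, f"unsupported digest type {rr[2]}"
        if rr not in expected:
            return False, f"CDS {rr[0]}/{rr[1]} matches no DNSKEY in the zone"
    return True, "all CDS records match zone DNSKEYs"


# Constructed sample: a ZSK-style DNSKEY (flags 256, algorithm 13) with a
# placeholder 64-byte "public key" (ECDSA P-256 keys are 64 raw bytes).
SAMPLE_KEY = (256, 3, 13, bytes(range(64)))
SAMPLE_CDS = "%d %d %d %s" % ds_from_dnskey("tcp.aa.", dnskey_rdata(*SAMPLE_KEY))

if __name__ == "__main__":
    print(validate_cds_rrset("tcp.aa.", [SAMPLE_CDS], [SAMPLE_KEY]))
    print(validate_cds_rrset("tcp.aa.", ["0 0 0 00"], [SAMPLE_KEY]))
    print(validate_cds_rrset("tcp.aa.", ["0 0 0 00", SAMPLE_CDS], [SAMPLE_KEY]))
```

To use it against a live zone, feed `validate_cds_rrset` the owner name, the CDS RDATA strings from `dig CDS`, and the DNSKEY RDATA fields (public key base64-decoded) from `dig DNSKEY`; a CDS that BIND generated for key 41706 will match, while "0 0 0 00" is accepted only when it is the sole CDS record.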