Primary zone not fully maintained by BIND
Summary
Using dnssec-policy, the primary zone is not re-signed in time. RRSIG records expire, thus upstream servers will no longer provide answers for expired records.
BIND version used
```
BIND 9.16.28-RH (Extended Support Version) <id:7aea13f>
running on Linux armv7l 5.17.5-200.fc35.armv7hl #1 SMP Thu Apr 28 16:34:59 UTC 2022
built by make with '--build=armv7hl-redhat-linux-gnu' '--host=armv7hl-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/bin/python3' '--with-libtool' '--localstatedir=/var' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--disable-lock-free-queue' '--with-maxminddb' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-gssapi=yes' '--with-lmdb=yes' '--without-libjson' '--with-json-c' '--enable-dnstap' '--enable-fixed-rrset' '--enable-full-report' 'build_alias=armv7hl-redhat-linux-gnu' 'host_alias=armv7hl-redhat-linux-gnu' 'CC=gcc' 'CFLAGS= -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -march=armv7-a -mfpu=vfpv3-d16 -mtune=generic-armv7-a -mabi=aapcs-linux -mfloat-abi=hard' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld ' 'LT_SYS_LIBRARY_PATH=/usr/lib:' 'PKG_CONFIG_PATH=:/usr/lib/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 11.2.1 20220127 (Red Hat 11.2.1-9)
compiled with OpenSSL version: OpenSSL 1.1.1n FIPS 15 Mar 2022
linked to OpenSSL version: OpenSSL 1.1.1o FIPS 3 May 2022
compiled with libuv version: 1.44.1
linked to libuv version: 1.44.1
compiled with libxml2 version: 2.9.13
linked to libxml2 version: 20914
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.6.0
compiled with protobuf-c version: 1.4.0
linked to protobuf-c version: 1.4.0
threads support is enabled
default paths:
  named configuration: /etc/named.conf
  rndc configuration: /etc/rndc.conf
  DNSSEC root key: /etc/bind.keys
  nsupdate session key: /var/run/named/session.key
  named PID file: /var/run/named/named.pid
  named lock file: /var/run/named/named.lock
  geoip-directory: /usr/share/GeoIP
```
Steps to reproduce
Well, my primary aim has been not to reproduce the issue.
What is the current bug behavior?
After initially converting an unsigned zone to a signed zone (creating keys, adding records, signing records, etc.) all looks well. However, once one of the records is approaching expiration, BIND is not taking the necessary steps to re-sign the record. rndc zonestatus reports a date in the past for next resign time:

```
name: penguinpee.nl
type: primary
files: primary/penguinpee.nl.zone
serial: 2022070307
nodes: 14
last loaded: Sun, 03 Jul 2022 12:28:21 GMT
secure: yes
inline signing: no
key maintenance: automatic
next key event: Tue, 05 Jul 2022 09:47:13 GMT
next resign node: penguinpee.nl/TYPE65534
next resign time: Sun, 03 Jul 2022 15:51:43 GMT
dynamic: no
reconfigurable via modzone: no
```
What is the expected correct behavior?
BIND taking all necessary steps in keeping the zone up to date in accordance with the configured dnssec-policy.
Relevant configuration files
named.conf:

```
view "internal" {
    match-clients { local; };
    recursion no;
    allow-update { key ddns-key.penguinpee.nl; };
    zone "penguinpee.nl" {
        type primary;
        file "primary/penguinpee.nl.internal.zone";
    };
    # Reverse zones omitted
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "penguinpee.nl" {
        type primary;
        file "primary/penguinpee.nl.zone";
        allow-query { any; };
        allow-transfer { transip; };
        // Upstream does not accept notify
        notify no;
    };
    # Delegated zone for certbot
    zone "_acme-challenge.penguinpee.nl" {
        type primary;
        file "primary/_acme-challenge.penguinpee.nl.zone";
        allow-query { any; };
        allow-transfer { none; };
        notify no;
        allow-update { key certbot.penguinpee.nl; };
    };
};
```
named.policy:

```
dnssec-policy "penguinpee" {
    // Keys
    keys {
        csk key-directory lifetime unlimited algorithm 13;
    };
    // Key timings
    dnskey-ttl 3600;
    publish-safety 1h;
    retire-safety 1h;
    purge-keys P90D;
    // Signature timings
    signatures-refresh 5d;
    signatures-validity 14d;
    signatures-validity-dnskey 14d;
    // Zone parameters
    max-zone-ttl 86400;
    zone-propagation-delay 1h;
    // Parent parameters
    parent-ds-ttl 86400;
    parent-propagation-delay 1h;
};
```
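The monitoring check a practitioner would want alongside a policy like the one above, as an added example that is neither BIND's code nor part of this report: it parses RRSIG records from a zone file in presentation format and flags each one as `ok`, `refresh-overdue` (less than signatures-refresh remaining, so BIND should already have replaced it) or `expired`, and it parses `rndc zonestatus` output to flag a "next resign time" that already lies in the past, which is exactly the symptom shown earlier in the report. The refresh rule is the one documented for dnssec-policy (a signature is renewed once the time left until expiration is less than or equal to signatures-refresh); the RRSIG field order follows RFC 4034; the 5d/14d values are taken from the posted policy; the zone data, the clock value and the zonestatus snippet are constructed for the example.

```python
"""Freshness checks for RRSIGs in a dnssec-policy maintained zone.

Added example, not BIND code and not from the issue. Two independent checks:
  * check_rrsigs()              -> status per RRSIG in a zone file
  * zonestatus_resign_overdue() -> True if `rndc zonestatus` next resign time is in the past
"""
from datetime import datetime, timedelta, timezone
import re

# RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2).
RRSIG_TIME_FMT = "%Y%m%d%H%M%S"
# Timestamp format printed by `rndc zonestatus`, e.g. "Sun, 03 Jul 2022 15:51:43 GMT".
ZONESTATUS_TIME_FMT = "%a, %d %b %Y %H:%M:%S GMT"

# Values from the posted dnssec-policy "penguinpee".
SIGNATURES_REFRESH = timedelta(days=5)
SIGNATURES_VALIDITY = timedelta(days=14)

# Constructed clock value used by the demo below (assumption, not a real measurement).
NOW = datetime(2022, 7, 6, 0, 0, 0, tzinfo=timezone.utc)

# Constructed sample zone (not the reporter's zone): one expired RRSIG, one that
# should already have been refreshed, one that is fine. Signature bytes are dummies.
SAMPLE_ZONE = """\
; constructed sample data
example.test.     3600 IN SOA   ns1.example.test. hostmaster.example.test. 2022070307 7200 3600 1209600 3600
example.test.     3600 IN RRSIG SOA 13 2 3600 20220705120000 20220621120000 12345 example.test. (
                                 ZHVtbXktc2lnbmF0dXJl )
example.test.     3600 IN NS    ns1.example.test.
example.test.     3600 IN RRSIG NS 13 2 3600 20220709000000 20220625000000 12345 example.test. ZHVtbXk=
www.example.test.  300 IN A     192.0.2.10
www.example.test.  300 IN RRSIG A 13 3 300 20220718000000 20220704000000 12345 example.test. ZHVtbXk=
"""

# Constructed zonestatus snippet; the timestamp is the one from the report.
SAMPLE_ZONESTATUS = """\
name: example.test
type: primary
secure: yes
next resign node: example.test/TYPE65534
next resign time: Sun, 03 Jul 2022 15:51:43 GMT
"""


def _records(zone_text):
    """Yield one token list per record, joining '( ... )' continuation lines and
    dropping ';' comments. Enough for RRSIG lines; not a full zone-file parser."""
    buf, depth = [], 0
    for line in zone_text.splitlines():
        for tok in line.split(";", 1)[0].split():
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                buf.append(tok)
        if depth == 0 and buf:
            yield buf
            buf = []


def _rrsig_time(s):
    return datetime.strptime(s, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text):
    """Return RRSIGs as dicts with owner, covered type, expiration, inception, keytag."""
    sigs = []
    for toks in _records(zone_text):
        if "RRSIG" not in toks:
            continue
        i = toks.index("RRSIG")
        # RDATA after RRSIG: type-covered alg labels orig-ttl expiration inception keytag signer sig
        sigs.append({
            "owner": toks[0],
            "covered": toks[i + 1],
            "expiration": _rrsig_time(toks[i + 5]),
            "inception": _rrsig_time(toks[i + 6]),
            "keytag": int(toks[i + 7]),
        })
    return sigs


def classify(sig, now, refresh=SIGNATURES_REFRESH):
    """dnssec-policy renews a signature once expiration - now <= signatures-refresh.
    Seeing less than that remaining means re-signing did not happen; past expiration
    validating resolvers treat the RRset as bogus."""
    remaining = sig["expiration"] - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= refresh:
        return "refresh-overdue"
    return "ok"


def check_rrsigs(zone_text, now, refresh=SIGNATURES_REFRESH):
    """Map 'owner/type' -> status for every RRSIG in the zone text."""
    return {f"{s['owner']}/{s['covered']}": classify(s, now, refresh)
            for s in parse_rrsigs(zone_text)}


def zonestatus_resign_overdue(zonestatus_text, now):
    """True if 'next resign time' is in the past, False if not, None if absent
    (e.g. an unsigned zone, which prints no resign line)."""
    m = re.search(r"^next resign time:\s*(.+?)\s*$", zonestatus_text, re.M)
    if not m:
        return None
    t = datetime.strptime(m.group(1), ZONESTATUS_TIME_FMT).replace(tzinfo=timezone.utc)
    return t < now


def demo():
    """Run both checks on the constructed samples."""
    return check_rrsigs(SAMPLE_ZONE, NOW), zonestatus_resign_overdue(SAMPLE_ZONESTATUS, NOW)


if __name__ == "__main__":
    statuses, overdue = demo()
    for name, status in statuses.items():
        print(f"{status:16} {name}")
    print("next resign time in the past:", overdue)
```

On a live server the zone text would come from the signed zone file (or from `dig AXFR` against localhost) and the zonestatus text from `rndc zonestatus <zone>`; a `refresh-overdue` result with a margin of a day or so, or `True` from the zonestatus check, is the condition to alert on rather than waiting for `expired`.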
Relevant logs and/or screenshots
I'm currently logging at debug level 2, but the log entries are not revealing anything with respect to BIND's odd behavior. I did notice that there is an entry regarding expired records when reloading the affected zone, but no action is taken/logged to mitigate that.
```
Jun 21 17:26:08 anarres named[875]: general: warning: master/penguinpee.nl.blackhole.zone:15: signature has expired
Jun 25 01:15:50 anarres named[875]: general: warning: master/penguinpee.nl.zone:45: signature has expired
```
The above is from before I re-arranged the configuration. Zone files were stored in a different directory. The blackhole zone is for a view I created, trying to get to the bottom of the issue, but it shows exactly the same behavior as the external view shown in the configuration snippet above.
I can provide log snippets of specific events/actions if required.
Possible fixes
Early on, on the bind-users mailing list, @matthijs mentioned #2463 (closed). I did attempt, briefly, to use separate key directories, but reverted when I ran into trouble.