Cannot change max-zone-ttl for dnssec-policy insecure
Summary
The `insecure` DNSSEC policy cannot be successfully applied to a zone that contains TTLs larger than 1 day (86400). The zone will not be loaded due to the `max-zone-ttl` of `P1D` that apparently is part of the `insecure` policy.
BIND version used
BIND 9.16.37-Debian (Extended Support Version) <id:2b2afb2>
running on Linux x86_64 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21)
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/bind9-t8MKLi/bind9-9.16.37=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 10.2.1 20210110
compiled with OpenSSL version: OpenSSL 1.1.1n 15 Mar 2022
linked to OpenSSL version: OpenSSL 1.1.1n 15 Mar 2022
compiled with libuv version: 1.40.0
linked to libuv version: 1.40.0
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.2
compiled with protobuf-c version: 1.3.3
linked to protobuf-c version: 1.3.3
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
Steps to reproduce
Change the configuration to apply `dnssec-policy insecure;` instead of a previous DNSSEC policy to a zone that has TTLs higher than 1 day.
What is the current bug behavior?
Zone is not loaded due to the offending TTL.
What is the expected correct behavior?
Either `max-zone-ttl unlimited;` should apply to `dnssec-policy insecure;`, or there needs to be a way to configure `max-zone-ttl` for the `insecure` policy.
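The failure above is only discovered when named loads the (signed) zone file. A pre-flight check that scans a master-format zone file for TTLs above a given `max-zone-ttl`, the way `dns_master_load` does, lets an operator find offending records before switching a zone to the `insecure` policy. The script below is an added example, not code from this report or from BIND; it assumes a simplified master-file grammar (no quoted strings, `$INCLUDE` or `$GENERATE`), that `unlimited` and `0` both mean "no limit", and uses a constructed sample zone whose 7-day DNSKEY TTL mirrors the 604800-versus-86400 rejection in the log.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Assumption: BIND treats "unlimited" (and 0) as "no limit" for max-zone-ttl.
UNLIMITED = 0
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
ISO_DURATION = re.compile(
    r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$", re.I)
BIND_TTL = re.compile(r"(\d+)([smhdw]?)", re.I)
CLASSES = {"IN", "CH", "HS"}


def parse_ttl(text: str) -> int:
    """Convert a TTL expression to seconds: plain seconds ("86400"), BIND
    unit suffixes ("1d", "2h30m"), ISO 8601 durations as used in
    dnssec-policy ("P1D", "PT1H"), or the keyword "unlimited"."""
    t = text.strip()
    if t.lower() == "unlimited":
        return UNLIMITED
    m = ISO_DURATION.match(t)
    if m and any(m.groups()):
        w, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
        return w * 604800 + d * 86400 + h * 3600 + mi * 60 + s
    total, pos = 0, 0
    for m in BIND_TTL.finditer(t):
        if m.start() != pos:
            break
        total += int(m.group(1)) * UNITS.get(m.group(2).lower(), 1)
        pos = m.end()
    if pos == 0 or pos != len(t):
        raise ValueError(f"not a TTL: {text!r}")
    return total


@dataclass
class Record:
    line: int
    owner: str
    ttl: Optional[int]  # None when neither an explicit TTL nor $TTL applies
    rtype: str


def iter_records(zone_text: str) -> Iterator[Record]:
    """Yield one Record per resource record. Handles $TTL, ';' comments,
    parenthesised multi-line records and blank (inherited) owner names."""
    default_ttl: Optional[int] = None
    owner = "@"
    buf: List[str] = []
    depth = first_line = 0
    indented = False
    for n, raw in enumerate(zone_text.splitlines(), 1):
        if not buf:
            first_line, indented = n, raw[:1].isspace()
        line = raw.split(";", 1)[0]
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue  # still inside a parenthesised record
        tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf, depth = [], 0
        if not tokens:
            continue
        if tokens[0].startswith("$"):
            if tokens[0].upper() == "$TTL":
                default_ttl = parse_ttl(tokens[1])
            continue  # $ORIGIN and others are ignored here
        if not indented:
            owner = tokens.pop(0)
        ttl = default_ttl
        while tokens:  # TTL and class are optional, in either order
            if tokens[0].upper() in CLASSES:
                tokens.pop(0)
                continue
            try:
                ttl = parse_ttl(tokens[0])
            except ValueError:
                break  # reached the RR type
            tokens.pop(0)
        if tokens:
            yield Record(first_line, owner, ttl, tokens[0].upper())


def find_oversized(zone_text: str, max_zone_ttl: str) -> List[Record]:
    """Records whose TTL exceeds max_zone_ttl (what named would reject)."""
    limit = parse_ttl(max_zone_ttl)
    if limit == UNLIMITED:
        return []
    return [r for r in iter_records(zone_text)
            if r.ttl is not None and r.ttl > limit]


def report(zone_text: str, max_zone_ttl: str) -> List[str]:
    """Findings worded like named's dns_master_load log line."""
    limit = parse_ttl(max_zone_ttl)
    return [f"line {r.line}: {r.owner} {r.rtype}: TTL {r.ttl} "
            f"exceeds configured max-zone-ttl {limit}"
            for r in find_oversized(zone_text, max_zone_ttl)]


# Constructed sample zone (not the reporter's file); the DNSKEY rdata is a
# placeholder. $TTL is 1 day, the DNSKEY carries a 7-day TTL.
SAMPLE_ZONE = """\
$TTL 1d
$ORIGIN example.net.
@       IN SOA ns1 hostmaster (
            2021091700 ; serial
            1h 15m 1w 1d )
        IN NS   ns1
ns1 1h  IN A    192.0.2.1
@  604800 IN DNSKEY 257 3 8 Q29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=
www     IN AAAA 2001:db8::1
"""

if __name__ == "__main__":
    for finding in report(SAMPLE_ZONE, "P1D"):  # the insecure policy's limit
        print(finding)
```

Run it against the `.signed` file named is about to load, with the `P1D` limit from the policy; an empty report means the zone will not trip the `max-zone-ttl` check, while `unlimited` short-circuits to no findings, matching the behaviour the report asks for.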
Relevant configuration files
zone "5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa" {
    type master;
    file "pri/2001.470.28.d85.rev";
    dnssec-policy insecure;
    inline-signing yes;
    parental-agents {
        "8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa";
    };
    notify yes;
    allow-transfer {
        "allow-transfer";
    };
};
Relevant logs and/or screenshots
KSK seen withdrawn here; `dnssec-policy insecure;` has already been applied:
Apr 21 10:33:46 grendel named[2305]: zone 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN (signed): reconfiguring zone keys
Apr 21 10:33:46 grendel named[2305]: keymgr: retire DNSKEY 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/RSASHA256/22324 (KSK)
Apr 21 10:33:46 grendel named[2305]: keymgr: retire DNSKEY 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/RSASHA256/45816 (ZSK)
Apr 21 10:33:46 grendel named[2305]: DNSKEY 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/RSASHA256/22324 (KSK) is now inactive
Apr 21 10:33:46 grendel named[2305]: zone 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN (signed): next key event: 21-Apr-2023 11:33:46.003
Apr 21 10:33:46 grendel named[2305]: zone 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN (signed): checkds: empty DS response from 216.218.130.2#53
Apr 21 10:33:46 grendel named[2305]: zone 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN (signed): checkds: empty DS response from 216.66.1.2#53
Apr 21 10:33:46 grendel named[2305]: zone 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN (signed): checkds: empty DS response from 216.218.131.2#53
Apr 21 10:33:46 grendel named[2305]: zone 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN (signed): checkds: empty DS response from 216.218.132.2#53
Apr 21 10:33:46 grendel named[2305]: zone 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN (signed): checkds: empty DS response from 216.66.80.18#53
Apr 21 10:33:46 grendel named[2305]: keymgr: checkds DS for key 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/RSASHA256/22324 seen withdrawn at Fri Apr 21 10:33:46 2023
Apr 21 10:33:46 grendel named[2305]: zone 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN (signed): reconfiguring zone keys
Apr 21 10:33:46 grendel named[2305]: keymgr: retire DNSKEY 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/RSASHA256/22324 (KSK)
Apr 21 10:33:46 grendel named[2305]: keymgr: retire DNSKEY 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/RSASHA256/45816 (ZSK)
Apr 21 10:33:46 grendel named[2305]: DNSKEY 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/RSASHA256/22324 (KSK) is now inactive
Apr 21 10:33:46 grendel named[2305]: zone 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN (signed): next key event: 22-Apr-2023 12:33:46.583
Everything is still working here:
Apr 21 11:53:26 grendel named[2305]: zone 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN (signed): checkds: set 5 parentals
Apr 21 11:53:26 grendel named[2305]: zone 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN (signed): reconfiguring zone keys
Apr 21 11:53:26 grendel named[2305]: keymgr: retire DNSKEY 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/RSASHA256/22324 (KSK)
Apr 21 11:53:26 grendel named[2305]: keymgr: retire DNSKEY 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/RSASHA256/45816 (ZSK)
Apr 21 11:53:26 grendel named[2305]: DNSKEY 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/RSASHA256/22324 (KSK) is now inactive
Apr 21 11:53:26 grendel named[2305]: zone 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN (signed): next key event: 22-Apr-2023 12:33:46.725
Restarting here:
Apr 21 23:37:41 grendel named[2305]: received control channel command 'stop'
Apr 21 23:37:41 grendel named[2305]: no longer listening on 127.0.0.1#53
Apr 21 23:37:41 grendel named[2305]: no longer listening on <IPv4>#53
Apr 21 23:37:41 grendel named[2305]: no longer listening on ::1#53
Apr 21 23:37:41 grendel named[2305]: no longer listening on <Global IPv6>#53
Apr 21 23:37:41 grendel named[2305]: no longer listening on <Link Local IPv6>%2#53
Apr 21 23:37:41 grendel named[2305]: shutting down: flushing changes
Apr 21 23:37:41 grendel named[2305]: stopping command channel on 127.0.0.1#953
Apr 21 23:37:41 grendel named[2305]: exiting
Apr 21 23:37:41 grendel named[137244]: starting BIND 9.16.37-Debian (Extended Support Version) <id:2b2afb2>
With the restart, signed versions of zones failed to load due to DNSKEY records unexpectedly now having a TTL of 7 days:
Apr 21 23:37:41 grendel named[137244]: zone 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN (signed): checkds: set 5 parentals
Apr 21 23:37:41 grendel named[137244]: zone 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN (unsigned): loaded serial 2021091700
Apr 21 23:37:41 grendel named[137244]: dns_master_load: TTL 604800 exceeds configured max-zone-ttl 86400
Apr 21 23:37:41 grendel named[137244]: dns_master_load: out of range
Apr 21 23:37:41 grendel named[137244]: zone 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN (signed): loading from master file pri/2001.470.28.d85.rev.signed failed: out of range
Apr 21 23:37:41 grendel named[137244]: zone 5.8.d.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN (signed): not loaded due to errors.