Problems signing a zone that already contains an NSEC3PARAM
Summary
While testing zone signing using NSEC3, we used a method slightly different from the one documented in the ARM: we added an NSEC3PARAM directly into an unsigned zone and got BIND to load it (with 'auto-dnssec maintain;' specified in the config). BIND signed the zone and did not report an error, but in some (not all) cases the resulting zone had invalid NSEC3 records.
We wanted to use the different method as it was simpler for our setup; we have subsequently used the documented method with no issues.
BIND version used
Reproduced with several versions from 9.11.2 to 9.13.7
Steps to reproduce
Zone file and named.conf attached
- Create signing keys in the specified directory (/usr/local/bind/etc/dnssec_keys)
- Use attached (trivial) zone file and named.conf and start BIND.
- Inspect the logs - no errors shown
- rndc sync -clean example.com
- stop BIND
- dnssec-verify -o example.com zones/example.com
- result of the dnssec-verify step is:
    dnssec-verify -o example.com etc/zones/example.com
    Loading zone 'example.com' from file 'etc/zones/example.com'
    Verifying the zone using the following algorithms: ECDSAP256SHA256.
    No correct ECDSAP256SHA256 signature for 55165Q1V1UD5N19L8DF1LLRNKNJMTIS6.example.com NSEC3
    The zone is not fully signed for the following algorithms: ECDSAP256SHA256.
    dnssec-verify: fatal: DNSSEC completeness test failed.
Multiple other tests on the zone showed the same issue. Reproduced with other signing algorithms.
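dnssec-verify above checks the signatures, which is where this zone fails, but it needs BIND's tools and the signing keys. As an added example that is not part of this report or of BIND, the following Python script checks the structural side of an NSEC3 chain that a signer should have produced from the zone's NSEC3PARAM: that every owner name (and empty non-terminal) hashes to an NSEC3 owner present in the zone, that each NSEC3's algorithm/iterations/salt agree with the NSEC3PARAM, and that the next-hash pointers form one closed loop in hash order. It implements the RFC 5155 hash (iterated SHA-1 over the wire-format name plus salt, base32hex-encoded) and assumes a simplified one-record-per-line zone presentation format; the sample zone, its chain and the two corrupted variants are constructed here, and RRSIG validity is deliberately out of scope. The hash function can be checked against the RFC 5155 Appendix A vectors (salt AABBCCDD, 12 iterations, zone "example").

```python
import base64
import hashlib

# base32hex alphabet (RFC 4648 section 7); NSEC3 owner names are case-insensitive
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt), H = SHA-1."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # a 20-byte digest is exactly 32 base32hex characters, so no padding appears
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def parse_zone(text):
    """Parse a simplified one-record-per-line zone: 'owner TTL class TYPE rdata...'."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if line:
            owner, _ttl, _cls, rtype, *rdata = line.split()
            records.append((owner.lower(), rtype.upper(), rdata))
    return records


def names_needing_nsec3(records, apex):
    """Every non-NSEC3/RRSIG owner plus the empty non-terminals between it and the apex."""
    names = {apex}
    for owner, rtype, _ in records:
        if rtype in ("NSEC3", "RRSIG"):
            continue
        if owner != apex and not owner.endswith("." + apex):
            raise ValueError(f"{owner} is not under {apex}")
        name = owner
        while name != apex:
            names.add(name)
            name = name.split(".", 1)[1]
    return names


def build_nsec3_chain(names, apex, salt_hex, iterations, ttl=3600):
    """Emit NSEC3 RRs in ascending hash order, the last one wrapping to the first.
    The type bitmap ('A RRSIG') is a placeholder; check_nsec3_chain() ignores it."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    lines = []
    for i, h in enumerate(hashes):
        nxt = hashes[(i + 1) % len(hashes)].upper()  # BIND prints hashes in upper case
        lines.append(f"{h}.{apex} {ttl} IN NSEC3 1 0 {iterations} {salt_hex} {nxt} A RRSIG")
    return "\n".join(lines) + "\n"


def check_nsec3_chain(zone_text, apex):
    """Return a list of problems; an empty list means the NSEC3 chain is structurally consistent."""
    apex = apex.lower()
    records = parse_zone(zone_text)
    problems = []
    params = [rd for owner, rtype, rd in records if owner == apex and rtype == "NSEC3PARAM"]
    if len(params) != 1:
        return [f"expected exactly one NSEC3PARAM at {apex}, found {len(params)}"]
    hash_alg, iterations, salt = params[0][0], int(params[0][2]), params[0][3]
    if hash_alg != "1":
        return [f"unsupported NSEC3 hash algorithm {hash_alg} (only 1 = SHA-1 is defined)"]
    chain = {}  # owner hash -> next hash, taken from the NSEC3 RRs actually present
    for owner, rtype, rd in records:
        if rtype != "NSEC3":
            continue
        if not owner.endswith("." + apex):
            problems.append(f"NSEC3 owner {owner} is outside the zone")
            continue
        if (rd[0], int(rd[2]), rd[3].lower()) != (hash_alg, iterations, salt.lower()):
            problems.append(f"{owner}: NSEC3 parameters {' '.join(rd[:4])} do not match NSEC3PARAM")
        chain[owner[: -len("." + apex)]] = rd[4].lower()
    expected = {nsec3_hash(n, salt, iterations) for n in names_needing_nsec3(records, apex)}
    for h in sorted(expected - set(chain)):
        problems.append(f"missing NSEC3 for hash {h}")
    for h in sorted(set(chain) - expected):
        problems.append(f"NSEC3 {h} matches no name in the zone")
    ordered = sorted(chain)
    for i, h in enumerate(ordered):
        want = ordered[(i + 1) % len(ordered)]
        if chain[h] != want:
            problems.append(f"NSEC3 {h}: next hash is {chain[h]}, chain order requires {want}")
    return problems


# Constructed sample zone (not the reporter's attached files): the NSEC3PARAM sits in the
# zone data as the report describes, and the chain is generated from the same parameters.
APEX = "example.com."
UNSIGNED_ZONE = """\
example.com.      3600 IN SOA  ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300
example.com.      3600 IN NS   ns1.example.com.
example.com.         0 IN NSEC3PARAM 1 0 10 AABBCCDD
ns1.example.com.  3600 IN A    192.0.2.1
www.example.com.  3600 IN A    192.0.2.2
mail.example.com. 3600 IN MX   10 mail.example.com.
"""
SIGNED_ZONE = UNSIGNED_ZONE + build_nsec3_chain(
    names_needing_nsec3(parse_zone(UNSIGNED_ZONE), APEX), APEX, "AABBCCDD", 10)
# Two corrupted variants: one NSEC3 carrying different parameters, and one NSEC3 dropped.
PARAM_MISMATCH_ZONE = SIGNED_ZONE.replace(" NSEC3 1 0 10 AABBCCDD ", " NSEC3 1 0 12 AABBCCDD ", 1)
MISSING_NSEC3_ZONE = "".join(SIGNED_ZONE.splitlines(keepends=True)[:-1])

if __name__ == "__main__":
    for label, zone in (("signed", SIGNED_ZONE), ("param mismatch", PARAM_MISMATCH_ZONE),
                        ("missing NSEC3", MISSING_NSEC3_ZONE)):
        print(label + ":", check_nsec3_chain(zone, APEX) or "OK")
```

Run on a real signed zone, the input would be the dumped file (after rndc sync -clean) with multi-line records joined first; a clean result from this check together with a failing dnssec-verify points at the signatures rather than at the hashing, which is what the output above shows.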
What is the current bug behavior?
If this method is supported, then NSEC3 records are invalid
What is the expected correct behavior?
If the method isn't supported, we suggest refusing to load the zone and reporting the reason to the user.
Relevant configuration files
Files attached: named.conf, example.com, example.com.signed
Relevant logs and/or screenshots
Part of BIND log:
21-Mar-2019 15:01:40.201 managed-keys-zone: loaded serial 0
21-Mar-2019 15:01:40.201 zone example.com/IN: loaded serial 2007120712
21-Mar-2019 15:01:40.201 all zones loaded
21-Mar-2019 15:01:40.201 running
21-Mar-2019 15:01:40.201 zone example.com/IN: reconfiguring zone keys
21-Mar-2019 15:01:40.204 zone example.com/IN: next key event: 21-Mar-2019 16:01:40.201
21-Mar-2019 15:01:50.393 received control channel command 'sync -clear example.com'
21-Mar-2019 15:01:50.394 sync: dumping zone 'example.com/IN', removing journal file: success