BIND issue #953 (Closed)
Created Mar 21, 2019 by Sara Dickinson (@sara.dickinson)

Problems signing a zone that already contains an NSEC3PARAM

Summary

While testing zone signing using NSEC3, we used a method slightly different to that documented in the ARM - we added an NSEC3PARAM directly into an unsigned zone and got BIND to load it (with 'dnssec-auto maintain;' specified in the config). BIND signed the zone, did not report an error but in some (not all) cases the resulting zone had invalid NSEC3 records.

We wanted to use the different method as it was simpler for our setup... we have subsequently used the documented method with no issues.

BIND version used

Reproduced with several versions from 9.11.2 to 9.13.7

Steps to reproduce

Zone file and named.conf attached

  1. Create signing keys in the specified directory (/usr/local/bind/etc/dnssec_keys)
  2. Use attached (trivial) zone file and named.conf and start BIND.
  3. Inspect the logs - no errors shown
  4. rndc sync -clean example.com
  5. stop BIND
  6. dnssec-verify -o example.com zones/example.com
  7. result of 5) is:

     dnssec-verify -o example.com etc/zones/example.com
     Loading zone 'example.com' from file 'etc/zones/example.com'
     Verifying the zone using the following algorithms: ECDSAP256SHA256.
     No correct ECDSAP256SHA256 signature for 55165Q1V1UD5N19L8DF1LLRNKNJMTIS6.example.com NSEC3
     The zone is not fully signed for the following algorithms: ECDSAP256SHA256.
     dnssec-verify: fatal: DNSSEC completeness test failed.

Multiple other tests on the zone showed the same issue. Reproduced with other signing algorithms.

What is the current bug behavior?

If this method is supported, then NSEC3 records are invalid

What is the expected correct behavior?

If the method isn't supported, then I suggest refusing to load the zone and reporting the reason to the user.
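A pre-load consistency check of the kind the expected-behaviour section asks for, written here as an added example; it is not part of this issue's attachments and not BIND code. It parses a minimal master-format zone file and flags (a) an NSEC3PARAM at the apex of a zone that carries no RRSIGs, which is exactly the input the reproduction steps feed to named, and (b) NSEC3 owners that have no RRSIG covering NSEC3, the record type dnssec-verify complained about, plus NSEC3 records whose algorithm, iterations or salt disagree with NSEC3PARAM. The zone text, salt, key tag and signature strings are constructed; the NSEC3 owner label 55165Q1V1UD5N19L8DF1LLRNKNJMTIS6 is taken from the dnssec-verify output above. The check is presence-level only: the signatures themselves are still dnssec-verify's job.

```python
"""Presence-level DNSSEC/NSEC3 lint for a master-format zone file.
Added example for this issue; not BIND code. It flags an NSEC3PARAM in a
zone that has no RRSIGs yet, NSEC3 records without a covering RRSIG, and
NSEC3 records whose parameters disagree with NSEC3PARAM. It does not
verify signatures."""
from collections import defaultdict


def parse_zone(text, origin):
    """Minimal master-file parser: one record per line, optional TTL and
    class, no parentheses or multi-line records. Returns
    {owner: {rrtype: [rdata token lists]}} with owners lower-cased."""
    origin = origin.rstrip(".").lower() + "."
    records = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$"):                     # $TTL and friends
            continue
        tokens = line.split()
        owner = tokens.pop(0)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        if tokens and tokens[0].isdigit():           # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):  # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        records[owner.lower()][rtype].append(tokens)
    return records


def check_zone(records, origin):
    """Return a list of human-readable findings; an empty list means clean."""
    origin = origin.rstrip(".").lower() + "."
    findings = []
    apex = records.get(origin, {})
    signed = any("RRSIG" in types for types in records.values())

    # (a) NSEC3PARAM added by hand to a zone that has not been signed yet.
    if "NSEC3PARAM" in apex and not signed:
        findings.append(
            f"{origin}: NSEC3PARAM present but the zone carries no RRSIGs; "
            "sign the zone first instead of loading NSEC3PARAM into an unsigned zone")

    # Parameters the NSEC3 chain must agree with (RFC 5155): hash algorithm,
    # iterations and salt. Flags may differ legitimately (opt-out), so skip them.
    expected = None
    if apex.get("NSEC3PARAM"):
        p = apex["NSEC3PARAM"][0]
        expected = (p[0], p[2], p[3].upper())

    for owner, types in sorted(records.items()):
        if "NSEC3" not in types:
            continue
        # (b) every NSEC3 RRset in a signed zone needs an RRSIG covering NSEC3.
        covered = {sig[0].upper() for sig in types.get("RRSIG", [])}
        if "NSEC3" not in covered:
            findings.append(f"{owner}: NSEC3 record has no RRSIG covering NSEC3")
        for rdata in types["NSEC3"]:
            actual = (rdata[0], rdata[2], rdata[3].upper())
            if expected and actual != expected:
                findings.append(
                    f"{owner}: NSEC3 parameters {actual} differ from NSEC3PARAM {expected}")
    return findings


def lint(text, origin="example.com"):
    return check_zone(parse_zone(text, origin), origin)


# Constructed: the state the reproduction steps hand to named.
UNSIGNED_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@ IN SOA ns1 hostmaster 2007120712 3600 900 604800 3600
@ IN NS ns1
ns1 IN A 192.0.2.1
@ IN NSEC3PARAM 1 0 10 AABBCCDD
"""

# Constructed signed zone: the NSEC3 owner from the issue lacks its RRSIG,
# a second (made-up) NSEC3 owner has one. Signatures are placeholders.
SIGNED_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@ IN SOA ns1 hostmaster 2007120713 3600 900 604800 3600
@ IN RRSIG SOA 13 2 3600 20190421000000 20190321000000 12345 example.com. SIGPLACEHOLDER==
@ IN NS ns1
@ IN RRSIG NS 13 2 3600 20190421000000 20190321000000 12345 example.com. SIGPLACEHOLDER==
@ IN NSEC3PARAM 1 0 10 AABBCCDD
@ IN RRSIG NSEC3PARAM 13 2 3600 20190421000000 20190321000000 12345 example.com. SIGPLACEHOLDER==
ns1 IN A 192.0.2.1
ns1 IN RRSIG A 13 3 3600 20190421000000 20190321000000 12345 example.com. SIGPLACEHOLDER==
55165Q1V1UD5N19L8DF1LLRNKNJMTIS6 IN NSEC3 1 0 10 AABBCCDD 0123456789ABCDEFGHIJKLMNOPQRSTUV NS SOA RRSIG DNSKEY NSEC3PARAM
0123456789ABCDEFGHIJKLMNOPQRSTUV IN NSEC3 1 0 10 AABBCCDD 55165Q1V1UD5N19L8DF1LLRNKNJMTIS6 A RRSIG
0123456789ABCDEFGHIJKLMNOPQRSTUV IN RRSIG NSEC3 13 3 3600 20190421000000 20190321000000 12345 example.com. SIGPLACEHOLDER==
"""

if __name__ == "__main__":
    for name, zone in (("unsigned", UNSIGNED_ZONE), ("signed", SIGNED_ZONE)):
        print(f"== {name} ==")
        for finding in lint(zone) or ["clean"]:
            print(" ", finding)
```

Run against the real example.com file from step 4 (`lint(open("etc/zones/example.com").read())`) before handing it to named; a clean result only means the record structure is complete, so keep dnssec-verify in the loop for the cryptographic check.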

Relevant configuration files

Files attached: named.conf example.com example.com.signed

Relevant logs and/or screenshots

Part of BIND log:

21-Mar-2019 15:01:40.201 managed-keys-zone: loaded serial 0
21-Mar-2019 15:01:40.201 zone example.com/IN: loaded serial 2007120712
21-Mar-2019 15:01:40.201 all zones loaded
21-Mar-2019 15:01:40.201 running
21-Mar-2019 15:01:40.201 zone example.com/IN: reconfiguring zone keys
21-Mar-2019 15:01:40.204 zone example.com/IN: next key event: 21-Mar-2019 16:01:40.201
21-Mar-2019 15:01:50.393 received control channel command 'sync -clear example.com'
21-Mar-2019 15:01:50.394 sync: dumping zone 'example.com/IN', removing journal file: success

Possible fixes
