Hi!

Today I managed to get BIND 9.9.5 to create a signed zone with all RRs signed except the SOA. The private RRs showed "finished signing". Only after another "rndc loadkeys" was the SOA signed as well.

Unfortunately I cannot reproduce the problem, but I suspect it may be related to the order in which I add the zone for signing to BIND, as up to now I sent lots of rndc commands to BIND. Therefore I simplified my provisioning to only:

1. Create the keys.

2. Add the zone to BIND via rndc:

     zone "pernau.at" {
         type slave;
         file "/etc/bind/zones/p/pernau.at/pernau.at";
         masters { 88.198.53.113; };
         key-directory "/etc/bind/keys/p/pernau.at";
         auto-dnssec maintain;
         inline-signing yes;
     };

   Is it safe to assume that this will start the incoming zone transfer and signing (without the need for an "rndc sign" command)?

3. Configure NSEC3:

     rndc signing -nsec3param 1 0 10 E1BDC7F3624A9508 pernau.at

The problem is that the nsec3param command is received by BIND but ignored: as you can see, there is no zone_addnsec3chain() logging:

  11:47:53: received control channel command 'addzone pernau.at {...}'
  11:47:53: zone pernau.at added to view _default via addzone
  11:47:53: received control channel command 'signing -nsec3param 1 0 10 F2195A3D604B7EC8 pernau.at'
  11:47:53: zone pernau.at/IN (unsigned): Transfer started.
  11:47:53: transfer of 'pernau.at/IN (unsigned)' from 88.198.53.113#53: connected using 83.136.34.28#53286
  11:47:53: zone pernau.at/IN (unsigned): transferred serial 85
  11:47:53: transfer of 'pernau.at/IN (unsigned)' from 88.198.53.113#53: Transfer completed: 1 messages, 78 records, 2007 bytes, 0.033 secs (60818 bytes/sec)
  11:47:53: zone pernau.at/IN (signed): loaded serial 85
  11:47:53: zone pernau.at/IN (signed): receive_secure_serial: unchanged
  11:47:53: zone pernau.at/IN (signed): receive_secure_serial: unchanged
  11:47:53: zone pernau.at/IN (signed): sending notifies (serial 85)
  11:47:53: zone pernau.at/IN (signed): reconfiguring zone keys
  11:47:53: zone pernau.at/IN (signed): next key event: 05-Jun-2014 12:47:53.563

  # rndc signing -nsec3param 1 0 10 E1BDC7F3624A9508 pernau.at
  request queued

  11:48:23: received control channel command 'signing -nsec3param 1 0 10 E1BDC7F3624A9508 pernau.at'
  11:48:23: zone pernau.at/IN (signed): zone_addnsec3chain(1,CREATE,10,E1BDC7F3624A9508)
  11:48:23: zone pernau.at/IN (signed): sending notifies (serial 106)

As you can see, only after the second "rndc signing -nsec3param" command did BIND switch to NSEC3. I think this is because the nsec3 command is sent immediately after the "addzone" command. So, is this a bug in BIND or do I have to provision BIND differently?

Another question: is it possible to instruct BIND to use NSEC3 from the beginning? I read that this can be done with dynamic updates, but in my setup with inline-signing I suspect this is not possible.

Thanks
Klaus

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
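The provisioning sequence described above, written as an added example (not code from the post or from ISC) that avoids the race the log shows: it sends the NSEC3 request only once named is actually serving the signed zone, and then checks that the NSEC3PARAM record appeared instead of trusting "request queued". It assumes rndc and dig are on PATH, named listens on 127.0.0.1, and the paths, master address and salt are the ones from the post; the helper names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: provision the inline-signed
# slave zone and send the NSEC3 request only once named actually serves
# the signed zone, instead of straight after "rndc addzone".
# Assumed: rndc and dig on PATH, named on 127.0.0.1, paths/master as in the post.
set -u
ZONE="pernau.at"
MASTER="88.198.53.113"
SALT="E1BDC7F3624A9508"

# Zone clause for "rndc addzone", built from the post's configuration.
zone_config() {
    printf '{ type slave; file "/etc/bind/zones/p/%s/%s"; masters { %s; }; ' "$1" "$1" "$2"
    printf 'key-directory "/etc/bind/keys/p/%s"; auto-dnssec maintain; inline-signing yes; };\n' "$1"
}

# Reads a "dig +noall +answer" answer on stdin; true when it carries an
# RRSIG covering the SOA of zone $1, i.e. the signed zone is being served.
soa_is_signed() {
    grep -Eq "^$1\.[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+RRSIG[[:space:]]+SOA[[:space:]]"
}

# Reads a dig answer on stdin; true when zone $1 has an NSEC3PARAM record.
has_nsec3param() {
    grep -Eq "^$1\.[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+NSEC3PARAM[[:space:]]"
}

# Poll the local server (up to $4 seconds) until check $1 accepts the
# answer for "$2 $3", e.g. wait_for soa_is_signed pernau.at SOA 120.
wait_for() {
    tries=$4
    while [ "$tries" -gt 0 ]; do
        dig @127.0.0.1 +norecurse +dnssec +noall +answer "$2" "$3" \
            | "$1" "$2" && return 0
        sleep 1; tries=$((tries - 1))
    done
    return 1
}

main() {
    rndc addzone "$ZONE" "$(zone_config "$ZONE" "$MASTER")" || return 1
    # Transfer and initial signing run asynchronously; do not race them.
    wait_for soa_is_signed "$ZONE" SOA 120 || { echo "$ZONE not signed" >&2; return 1; }
    rndc signing -nsec3param 1 0 10 "$SALT" "$ZONE" || return 1
    # Confirm the request was acted on rather than silently dropped.
    wait_for has_nsec3param "$ZONE" NSEC3PARAM 120 || { echo "no NSEC3 chain" >&2; return 1; }
}

# Only provision when asked explicitly: ./provision.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```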