Use up-to-date software.

-- 
Mark Andrews

> On 4 Oct 2020, at 23:48, Mark Elkins <m...@posix.co.za> wrote:
> 
>  What is the magic incantation for inserting a "CDS 0 0 0 0" record in BIND?
> Version - BIND 9.16.6 (Stable Release)
> I've read RFC8070 - which says...  (https://tools.ietf.org/html/rfc8078)
> The contents of the CDS or CDNSKEY RRset MUST contain one RR and only
>    contain the exact fields as shown below.
> 
>       CDS 0 0 0 0
> 
>       CDNSKEY 0 3 0 0
> 
> In Knot docs... 
> https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf
> it says...
> 
> DS deletion via "CDNSKEY 0 3 0 AA==" or "CDS 0 0 0 00" must be done manually
> 
> In https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf 
> it says...
> 
> A child zone can also signal to turn off DNSSEC by removing the DS record set 
> in the parent zone.
> In this case, the operator may publish a special CDS record which must 
> exactly match:
> CDS 0 0 0 00
> 
> 
> I have a zone called "nodnssec.edu.za".
> 
> In a text zone - if I add:-
> 
> CDS     0 0 0 0
> 
> I get:-   (from running: /usr/sbin/named-checkconf -z /etc/bind/named.conf | 
> grep nodnssec)
> 
> _default/nodnssec.edu.za/IN: bad hex encoding
> dns_rdata_fromtext: db.nodnssec.edu.za:17: near eol: bad hex encoding
> zone nodnssec.edu.za/IN: loading from master file db.nodnssec.edu.za failed: 
> bad hex encoding
> zone nodnssec.edu.za/IN: not loaded due to errors.
> 
> CDS     0 0 0 00   gives me.... 
> 
> _default/nodnssec.edu.za/IN: bad CDS
> zone nodnssec.edu.za/IN: CDS/CDNSKEY consistency checks failed
> zone nodnssec.edu.za/IN: not loaded due to errors.
> 
> I've also tried a null string - CDS     0 0 0 ""    - no joy.
> 
> So what should I add?
> 
> I've seen a record hosted by Cloudflare.... for revolution.edu.za, DIG shows 
> that as "CDS     0 0 0 00" and the NET_DNS2 software shows it as...  "CDS     
> 0 0 0 " (no digest at all).
> 
> -- 
> Mark James ELKINS  -  Posix Systems - (South) Africa
> m...@posix.co.za       Tel: +27.826010496
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
> 
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
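
The Python below is an added example, not code from the thread or from BIND: it encodes CDS and CDNSKEY presentation-format RDATA to wire form and checks an RRset against the delete forms quoted above (`CDS 0 0 0 00`, `CDNSKEY 0 3 0 AA==`). The function names are hypothetical, and it assumes the digest is written as hex and the key as base64, as in DS and DNSKEY presentation format.

```python
import base64
import struct

# Wire form of the delete records quoted above: three zero header fields
# (protocol 3 for CDNSKEY) followed by a single zero octet.
CDS_DELETE = bytes(5)
CDNSKEY_DELETE = b"\x00\x00\x03\x00\x00"


def _header(fields, names):
    """Pack the 16-bit and two 8-bit leading fields, range-checked."""
    if len(fields) < 4:
        raise ValueError("expected " + ", ".join(names))
    a, b, c = (int(f) for f in fields[:3])
    if not (0 <= a <= 0xFFFF and 0 <= b <= 0xFF and 0 <= c <= 0xFF):
        raise ValueError("numeric field out of range")
    return struct.pack("!HBB", a, b, c)


def cds_to_wire(rdata):
    """CDS: key tag, algorithm, digest type, hex digest."""
    fields = rdata.split()
    head = _header(fields, ("key tag", "algorithm", "digest type", "digest"))
    digest = "".join(fields[3:])  # hex may be split by whitespace
    if len(digest) % 2:
        # A lone "0" is half an octet, so it cannot be decoded as hex.
        raise ValueError("bad hex encoding: odd number of hex digits")
    return head + bytes.fromhex(digest)


def cdnskey_to_wire(rdata):
    """CDNSKEY: flags, protocol, algorithm, base64 public key."""
    fields = rdata.split()
    head = _header(fields, ("flags", "protocol", "algorithm", "public key"))
    return head + base64.b64decode("".join(fields[3:]), validate=True)


def is_delete_rrset(rrtype, rdatas):
    """True only if the RRset is exactly one RR equal to the delete form."""
    encode, sentinel = {"CDS": (cds_to_wire, CDS_DELETE),
                        "CDNSKEY": (cdnskey_to_wire, CDNSKEY_DELETE)}[rrtype]
    return len(rdatas) == 1 and encode(rdatas[0]) == sentinel


if __name__ == "__main__":
    for text in ("0 0 0 00", "0 0 0 0", '0 0 0 ""'):  # constructed inputs
        try:
            print(repr(text), "->", cds_to_wire(text).hex())
        except ValueError as exc:
            print(repr(text), "-> rejected:", exc)
```
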