All the fields must exist. NET_DNS2 is wrong. There must only be the delete cds/cdnskey records and not any other cds/cdnskey records. Publish and delete instructions at the same time is not consistent.
--
Mark Andrews

> On 5 Oct 2020, at 00:02, Mark Andrews <ma...@isc.org> wrote:
>
> Use up to date software.
>
> --
> Mark Andrews
>
>>> On 4 Oct 2020, at 23:48, Mark Elkins <m...@posix.co.za> wrote:
>> What is the magic incantation to inserting a "CDS 0 0 0 0" record in BIND.
>> Version - BIND 9.16.6 (Stable Release)
>> I've read RFC8070 - which says... (https://tools.ietf.org/html/rfc8078)
>> The contents of the CDS or CDNSKEY RRset MUST contain one RR and only
>> contain the exact fields as shown below.
>>
>> CDS 0 0 0 0
>>
>> CDNSKEY 0 3 0 0
>>
>> In Knot docs...
>> https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf
>> it says...
>>
>> DS deletion via "CDNSKEY 0 3 0 AA==" or "CDS 0 0 0 00" must be done manually
>>
>> In https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf
>> it says...
>>
>> A child zone can also signal to turn off DNSSEC by removing the DS record
>> set in the parent zone.
>> In this case, the operator may publish a special CDS record which must
>> exactly match:
>> CDS 0 0 0 00
>>
>>
>> I have a zone called "nodnssec.edu.za".
>>
>> In a text zone - if I add:-
>>
>> CDS 0 0 0 0
>>
>> I get:- (from running: /usr/sbin/named-checkconf -z /etc/bind/named.conf |
>> grep nodnssec)
>>
>> _default/nodnssec.edu.za/IN: bad hex encoding
>> dns_rdata_fromtext: db.nodnssec.edu.za:17: near eol: bad hex encoding
>> zone nodnssec.edu.za/IN: loading from master file db.nodnssec.edu.za failed:
>> bad hex encoding
>> zone nodnssec.edu.za/IN: not loaded due to errors.
>>
>> CDS 0 0 0 00 gives me....
>>
>> _default/nodnssec.edu.za/IN: bad CDS
>> zone nodnssec.edu.za/IN: CDS/CDNSKEY consistency checks failed
>> zone nodnssec.edu.za/IN: not loaded due to errors.
>>
>> I've also tried a null string - CDS 0 0 0 "" - no joy.
>>
>> So what should I add?
>>
>> I've seen a record hosted by Cloudflare.... for revolution.edu.za, DIG shows
>> that as "CDS 0 0 0 00" and the NET_DNS2 software shows it as... "CDS
>> 0 0 0 " (no digest at all).
>>
>> --
>> Mark James ELKINS - Posix Systems - (South) Africa
>> m...@posix.co.za Tel: +27.826010496
>> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> ISC funds the development of this software with paid support subscriptions.
>> Contact us at https://www.isc.org/contact/ for more information.
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
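Added example (not part of the original thread and not BIND's own code): a small Python check for the two rules stated in the reply above, that every field of a delete record must exist and that delete records must not be mixed with other CDS/CDNSKEY records. The function names and sample RRsets are constructed for illustration; the delete forms are the ones quoted in the thread.

```python
import base64

# Delete forms quoted in the thread: "CDS 0 0 0 00" and "CDNSKEY 0 3 0 AA==".
# Both decode to a single zero octet in the last field.
SENTINEL = {"CDS": (0, 0, 0, b"\x00"), "CDNSKEY": (0, 3, 0, b"\x00")}


def parse_rdata(rtype, text):
    """Parse presentation-format CDS/CDNSKEY RDATA; raise ValueError if malformed."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError(f"{rtype} '{text}': all four fields must exist")
    try:
        nums = tuple(int(f) for f in fields[:3])
        blob = "".join(fields[3:])  # long digests/keys may be split by whitespace
        if rtype == "CDS":
            data = bytes.fromhex(blob)  # "0" fails here: odd-length hex
        else:
            data = base64.b64decode(blob, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"{rtype} '{text}': bad encoding ({exc})") from None
    return nums + (data,)


def check_apex(records):
    """records: (rtype, rdata_text) pairs at the zone apex. Returns a list of problems."""
    problems, parsed = [], []
    for rtype, text in records:
        try:
            parsed.append((rtype, parse_rdata(rtype, text)))
        except ValueError as exc:
            problems.append(str(exc))
    deletes = [rdata == SENTINEL[rtype] for rtype, rdata in parsed]
    if any(deletes) and not all(deletes):
        problems.append("delete record published alongside other CDS/CDNSKEY records")
    return problems


if __name__ == "__main__":
    # Constructed sample RRsets, not taken from any real zone.
    samples = {
        "valid delete": [("CDS", "0 0 0 00"), ("CDNSKEY", "0 3 0 AA==")],
        "single zero digit": [("CDS", "0 0 0 0")],
        "digest missing": [("CDS", "0 0 0")],
        "delete plus publish": [("CDS", "0 0 0 00"), ("CDS", "12345 13 2 " + "ab" * 32)],
    }
    for name, rrset in samples.items():
        print(f"{name}: {check_apex(rrset) or 'ok'}")
```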