> On 25 Jan 2022, at 07:35, Mark Elkins <m...@posix.co.za> wrote:
>
> I've just noticed that in the last few days that "BIND 9.16.22 (Extended
> Support Version) <id:59bfaba>" appears to be generating CDS records for both
> KSK ***and ZSK*** records!
>
> Nothing on my side has been changed although I do run automated updates. I'm
> on a Linux machine running Gentoo.
>
> $ dig DNSKEY EDU.ZA
>
> ; <<>> DiG 9.16.6 <<>> DNSKEY EDU.ZA
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22867
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;EDU.ZA.                IN      DNSKEY
>
> ;; ANSWER SECTION:
> EDU.ZA.         9378    IN      DNSKEY  256 3 13
>                 U9/K052f1oBX5WYbedZhLM0jd+rNAwEYNfuRUAsf2S3U7UNaEKV2pYtM
>                 3dHSOdsNDiLkr0H77x9U2ZFtoN7U2A==
> EDU.ZA.         9378    IN      DNSKEY  256 3 13
>                 YPgTWLFxFXWMXlVaJB2bCA5F75l5yryFO/h9w+xXS/GfhhmvyZvh9NCv
>                 MLPZckLRGbeZ5/BkyH9ae4X0IyzKYA==
> EDU.ZA.         9378    IN      DNSKEY  257 3 13
>                 75OMA5R90131FVGX1QcJiCGAUboYSmazf3dPpAPL0t33YLcx7bBnio6Y
>                 qyrR77MRVZKNpWIBLcnz7YOLWNZXmQ==
>
> ---------------------------
>
> $ dig CDS EDU.ZA
>
> ; <<>> DiG 9.16.6 <<>> CDS EDU.ZA
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11376
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;EDU.ZA.                IN      CDS
>
> ;; ANSWER SECTION:
> EDU.ZA.         86400   IN      CDS     569 13 2
>                 350F4414CB611C04AD829CD2C23A5C60296EA635BF59D7F0B44CD02F 6B396A94
> EDU.ZA.         86400   IN      CDS     9355 13 2
>                 B0A16FBB3F5D6274665DE272FE5FF182ABC89B3072B668589E5EC6F0 513E36C9
> EDU.ZA.         86400   IN      CDS     49988 13 2
>                 6F99A6D6A4657F0A528AD2791B8B3E02AFB34E5DB79F5C53EA022A55 1874D40A
>
> These are also the values from inside my signed zone. Anyone have any
> thoughts?
>
> This is going to screw up systems that poll for CDS records.
Well, CDS records for DNSKEYs without the SEP bit are perfectly valid, as the SEP bit is purely advisory, and no, it should not screw up systems that poll for CDS records. You will however have to manage them properly in the future.

You haven't said how you are managing DNSSEC, and named supports several models, so it is hard to a) tell if there was a bug in our code or b) an error on your part.

Assuming that you are not using dnssec-policy, you should be able to use 'dnssec-settime -D sync date/offset' on the ZSKs to tell named to stop publishing the CDS records, but remember you still need to account for the fact that they were published as you go forward.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
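The surprise in the thread is that a CDS record can be published for a key without the SEP bit, and the only way to tell which published CDS points at which key is to recompute the DS digest for every DNSKEY and compare. The script below is an added example, not code from the thread or from ISC, that does exactly that check: it parses dig-style DNSKEY and CDS presentation lines (including records wrapped onto continuation lines, as in the post), derives each key's key tag (RFC 4034 Appendix B) and DS SHA-256 digest (RFC 4034 section 5.1.4, digest type 2), and reports whether each CDS entry matches a KSK (flags 257, SEP set), a ZSK (flags 256) or nothing. The zone name, TTLs and key material are constructed placeholders (four-byte blobs, not real ECDSA P-256 keys), so the digests are illustrative only; run it against real `dig DNSKEY` and `dig CDS` output to audit a live zone.

```python
"""Audit which DNSKEYs a zone's published CDS records point at.

Added example, not part of the bind-users thread. The DNSKEY and CDS
text below is constructed: the zone, TTLs and key blobs are placeholders.
"""
import base64
import hashlib
import struct

ZONE = "example.test."  # constructed zone name, not the poster's EDU.ZA

# Constructed DNSKEY RRset: one ZSK (256) and one KSK (257), algorithm 13.
# The base64 blobs are 4-byte placeholders, not real ECDSA public keys.
# The KSK's key is on a continuation line, the way dig wraps long records.
DNSKEY_TEXT = """\
example.test. 3600 IN DNSKEY 256 3 13 AQIDBA==
example.test. 3600 IN DNSKEY 257 3 13
        BQYHCA==
"""


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, proto: int, alg: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner-name wire form + DNSKEY RDATA, upper-case hex."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()


def parse_rrs(text: str, rrtype: str):
    """Parse dig-style presentation lines into (owner, rdata_fields) tuples.

    Lines starting with whitespace are continuations of the previous record,
    so base64 or hex that dig wrapped across lines is joined back together.
    """
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        if line[0].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.strip())
    out = []
    for rec in records:
        fields = rec.split()
        if len(fields) >= 5 and fields[3].upper() == rrtype:
            out.append((fields[0], fields[4:]))
    return out


def audit_cds(dnskey_text: str, cds_text: str):
    """One dict per CDS record: its key tag and the role of the DNSKEY it matches
    ('KSK' if the SEP bit is set, 'ZSK' otherwise, None if no current key matches)."""
    keys = {}
    for owner, rd in parse_rrs(dnskey_text, "DNSKEY"):
        flags, proto, alg = int(rd[0]), int(rd[1]), int(rd[2])
        rdata = dnskey_rdata(flags, proto, alg, "".join(rd[3:]))
        keys[(key_tag(rdata), alg)] = (flags, ds_sha256(owner, rdata))
    report = []
    for _owner, rd in parse_rrs(cds_text, "CDS"):
        tag, alg, dtype = int(rd[0]), int(rd[1]), int(rd[2])
        digest = "".join(rd[3:]).upper()
        hit = keys.get((tag, alg))
        role = None
        if hit and dtype == 2 and hit[1] == digest:
            role = "KSK" if hit[0] & 0x0001 else "ZSK"
        report.append({"keytag": tag, "role": role})
    return report


def demo_cds_text() -> str:
    """Constructed CDS RRset: one entry per demo key (as named would publish when it
    generates CDS for both keys) plus a stale entry that matches no current DNSKEY."""
    lines = []
    for owner, rd in parse_rrs(DNSKEY_TEXT, "DNSKEY"):
        rdata = dnskey_rdata(int(rd[0]), int(rd[1]), int(rd[2]), "".join(rd[3:]))
        d = ds_sha256(owner, rdata)
        # Split the digest onto a continuation line, mimicking dig's wrapping.
        lines.append(f"{owner} 86400 IN CDS {key_tag(rdata)} {rd[2]} 2 {d[:56]}\n        {d[56:]}")
    lines.append(f"{ZONE} 86400 IN CDS 12345 13 2 {'0' * 64}")
    return "\n".join(lines) + "\n"


def demo():
    """Run the audit over the constructed RRsets: expect ZSK, KSK, then an unmatched entry."""
    return audit_cds(DNSKEY_TEXT, demo_cds_text())


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

A CDS entry reported as `ZSK` is the case the poster hit: valid per the reply above, but a parent that polls CDS will happily turn it into a DS, so the ZSK then has to be rolled like a KSK until that DS is withdrawn. An entry reported as `None` is a CDS that no longer corresponds to any key in the zone and needs cleaning up before the parent acts on it.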