On 01. 10. 23 21:10, Björn Persson wrote:
> I find that when both inline-signing and update-policy are in use, I
> can't detect race conditions with the method described in RFC 2136
> section 5.7, which nsdiff uses.
>
> It seems that a serial number specified in a prerequisite of an update
> is compared to the unsigned version of the zone, but the serial number
> retrieved with a SOA or AXFR query is from the signed version. Thus the
> update fails when BIND has renewed some RRSIG records and changed the
> signed serial number.
>
> Checking prerequisites against records that can't be looked up seems
> like a bad idea to me.
>
> In a zone that uses dnssec-policy and relies on the default value of
> inline-signing, the method in RFC 2136 section 5.7 will stop working on
> upgrade to BIND 9.20, as inline-signing will then be switched on by
> default, if I understand correctly. I have set "inline-signing no;"
> explicitly in all my zones to prevent future breakage.
I can see what you mean. Please open an issue in our Gitlab:
https://gitlab.isc.org/isc-projects/bind9/-/issues/new
... and we will discuss what can be done about it.
It would be great if you could add a step-by-step reproducer for the
problem. It will greatly help us write an automated test for it.
Thank you for your time.
--
Petr Špaček
Internet Systems Consortium
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
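The RFC 2136 section 5.7 check and the inline-signing mismatch that Björn describes, as an added model (not BIND, nsdiff or ISC code): the server keeps an unsigned and a signed serial, answers queries from the signed copy and evaluates prerequisites against the unsigned copy, which is a deliberate simplification of BIND's real behaviour.

```python
from dataclasses import dataclass

NOERROR, NXRRSET = "NOERROR", "NXRRSET"  # rcodes from RFC 2136 section 2.2


@dataclass
class InlineSignedZone:
    """Unsigned (editable) and signed (served) copies of one zone.
    With inline-signing off, both serials simply move in lock step."""
    unsigned_serial: int
    signed_serial: int

    def query_soa_serial(self) -> int:
        # SOA and AXFR queries are answered from the signed copy.
        return self.signed_serial

    def resign(self) -> None:
        # Renewing RRSIGs bumps only the signed serial (simplified).
        self.signed_serial += 1

    def update(self, prereq_serial: int, new_serial: int) -> str:
        # The "SOA serial == X" prerequisite is checked against the
        # unsigned copy, the failure mode described in the thread.
        if self.unsigned_serial != prereq_serial:
            return NXRRSET
        self.unsigned_serial = new_serial
        # Signed copy follows the update; kept >= unsigned (simplified).
        self.signed_serial = max(self.signed_serial + 1, new_serial)
        return NOERROR


def rfc2136_5_7_update(zone: InlineSignedZone, observed_serial=None) -> str:
    """Client side of RFC 2136 section 5.7: read the SOA serial, then send
    an update that pins that serial as a prerequisite and bumps it."""
    if observed_serial is None:
        observed_serial = zone.query_soa_serial()
    return zone.update(prereq_serial=observed_serial,
                       new_serial=observed_serial + 1)


def scenarios() -> dict:
    # 1. Plain zone: the check passes and the serial advances.
    plain = InlineSignedZone(10, 10)
    ok = rfc2136_5_7_update(plain)
    # 2. Two writers read the same serial: the second one is rejected,
    #    which is the race the method is meant to detect.
    raced = InlineSignedZone(10, 10)
    stale = raced.query_soa_serial()
    rfc2136_5_7_update(raced)
    detected = rfc2136_5_7_update(raced, observed_serial=stale)
    # 3. Inline signing renewed RRSIGs: no other writer, yet the update
    #    fails because the served serial differs from the unsigned one.
    signed = InlineSignedZone(10, 10)
    signed.resign()
    false_race = rfc2136_5_7_update(signed)
    return {"plain": ok, "race": detected, "inline": false_race}
```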