Dear all,

I've been using SIG(0) successfully for some years to deal with the Let's Encrypt dns-01 challenge/response. Clients use dnssec-keygen to make themselves an RSASHA512 key pair; I manually add that once during setup as a KEY record to the zone using local nsupdate on the primary NS; then clients can add/remove TXT records (etc.) as needed for certificate issuance/renewal using nsupdate authenticated with that key, care of a "grant * selfsub * ..." update-policy.

This was working well until I upgraded to BIND 9.20. Now my clients sometimes get SERVFAIL responses when they try to add or remove TXT records. When that happens, BIND logs:

    client @0x766a56300800 [elided]#52749: request has invalid signature: not verified yet (NOERROR)

Generally it seems that a particular key either consistently works or consistently doesn't work (_sometimes_ I can work around this by clearing out the KEY records and provisioning new keys, though quite often the replacement key also fails), though at least once I have seen a client manage to add a TXT record and then fail to delete it again a moment later, despite being authenticated using the same key both times. This feels a bit like it could be a race condition, and a regression, as everything was reliable prior to 9.20.

This seems to (mainly?) affect names which have more than one KEY record (useful because these FQDNs correspond to services hosted on multiple machines, each of which needs to go through Let's Encrypt validation in order to get its own certificate for the shared FQDN).

My BIND is 9.20.3 from the deb.sury.org package (specifically, package versions 1:9.20.3-1+ubuntu22.04.1+deb.sury.org+1 and 1:9.20.3-1+ubuntu24.04.1+deb.sury.org+1 -- I see this on two independent name servers, one Ubuntu 22.04 and one Ubuntu 24.04).

Any pointers or suggestions welcome; thanks. Configuration snippet below. You can see some of the failing KEYs for real in e.g. 'dig key _acme-challenge.gpu-pool0-list.caelumdns.cl.cam.ac.uk.'; the one starting "AwEAAdC/34L2C" is consistently failing right now, whereas others there are working.

Malcolm

    dnssec-policy "simple" {
        keys {
            csk key-directory lifetime unlimited algorithm ed25519;
        };
    };

    zone "caelumdns.cl.cam.ac.uk" {
        type master;
        file "/var/lib/bind/caelumdns.cl.cam.ac.uk";
        allow-transfer { ... };
        dnssec-policy "simple";
        update-policy {
            grant local-ddns zonesub ANY;
            grant * selfsub * TXT PTR A AAAA MX CNAME SSHFP;
        };
    };
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
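The provisioning and dns-01 update flow Malcolm describes (dnssec-keygen on the client, a one-time KEY record added through local nsupdate on the primary, then SIG(0)-authenticated nsupdate for the TXT records, plus a dig check of which KEYs a shared name carries), written out as shell functions. This is an added example, not code from the original post or from BIND itself. The zone (example.test), the client name, the server name, the TTLs, the RSASHA512/2048-bit key choice and the function names are all assumptions; the two text-processing helpers (key_to_update_add, acme_txt_batch) run without BIND installed, while the provision/challenge/check drivers call dnssec-keygen, nsupdate and dig.

```shell
#!/bin/sh
# Added example (not from the original post or from BIND): the SIG(0)
# provisioning and dns-01 update flow described above, as shell functions
# around dnssec-keygen, nsupdate and dig. Zone, names and server are
# assumed placeholders.
set -eu

ZONE="example.test"                        # assumed zone
NAME="_acme-challenge.host1.example.test"  # assumed client name; its KEY lives here
SERVER="ns1.example.test"                  # assumed primary NS that clients update

# Step 1 (on the client): generate a SIG(0) key pair. -T KEY produces a KEY
# record (not DNSKEY), which is what SIG(0) uses; -n HOST marks it as an
# entity key (flags 512). dnssec-keygen prints the K<name>.+<alg>+<id> base name.
make_sig0_key() {
  dnssec-keygen -a RSASHA512 -b 2048 -T KEY -n HOST "$NAME"
}

# Turn the KEY RR from the generated .key file into an nsupdate "update add"
# line. Skips the file's ';' comment header and accepts both the
# "name IN KEY ..." and "name TTL IN KEY ..." forms; the TTL used is $1.
# usage: key_to_update_add TTL "$(cat K....key)"
key_to_update_add() {
  ttl="$1"
  printf '%s\n' "$2" | awk -v ttl="$ttl" '
    /^;/ || NF == 0 { next }
    $2 == "IN" && $3 == "KEY" { first = 4 }
    $3 == "IN" && $4 == "KEY" { first = 5 }
    first {
      out = "update add " $1 " " ttl " KEY"
      for (i = first; i <= NF; i++) out = out " " $i   # flags proto alg base64
      print out
      exit
    }'
}

# Build the nsupdate batch a client sends, authenticated with its SIG(0) key,
# to add or delete the dns-01 TXT record. This fits a "grant * selfsub * TXT"
# policy because the updated name is the KEY's own name.
# usage: acme_txt_batch SERVER ZONE NAME add|delete TOKEN
acme_txt_batch() {
  printf 'server %s\nzone %s\n' "$1" "$2"
  if [ "$4" = add ]; then
    printf 'update add %s 60 TXT "%s"\n' "$3" "$5"
  else
    printf 'update delete %s TXT "%s"\n' "$3" "$5"
  fi
  printf 'send\n'
}

# Check: list the KEY records present at a name. With several clients sharing
# one FQDN there is one KEY per client; compare the base64 against each
# client's .key file to see which record a failing client is signing with.
list_sig0_keys() {
  dig +short KEY "$1"
}

case "${1:-}" in
  provision)
    # Client half: generate the key. Operator half: add the KEY RR to the zone
    # on the primary via the local-ddns policy (nsupdate -l). Shown together
    # here; in practice they run on different machines.
    base="$(make_sig0_key)"
    { printf 'zone %s\n' "$ZONE"
      key_to_update_add 3600 "$(cat "$base.key")"
      printf 'send\n'; } | nsupdate -l
    ;;
  challenge)
    # $2 = add|delete, $3 = ACME token, $4 = path to the client's K*.private
    acme_txt_batch "$SERVER" "$ZONE" "$NAME" "$2" "$3" | nsupdate -k "$4"
    ;;
  check)
    list_sig0_keys "$NAME"
    ;;
esac
```

Run `./sig0-acme.sh provision` once per client (on the primary, after copying the client's .key file there), then `./sig0-acme.sh challenge add TOKEN K_acme-challenge.host1.example.test.+010+NNNNN.private` from the client during validation and the matching `delete` afterwards. `./sig0-acme.sh check` shows every KEY at the shared name, which is the quickest way to tell which of several keys a failing client is actually presenting.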