bind makes RRSIG disappear?

Cathy Almond cathya at isc.org
Mon Feb 7 10:46:14 UTC 2011


Hi Gilles,

You've identified a corner-case bug - the logic is incorrect in the case
where the ACL holds "none" instead of being empty.

There's no compile-time option - but we are treating what you've
reported to us as a bug (RT #23120).  It is currently under
investigation/discussion.

Many thanks for bringing this to our attention.

Cathy


On 07/02/11 07:29, Gilles Massen wrote:
> Mark,
> 
> On 02/06/2011 10:41 PM, Mark Andrews wrote:
>> Mark Andrews writes:
>>>
>>>>
>>>>> Does your configuration also have an "allow-update" setting
>>>>> (other than "none") for it, maybe only for the instance that
>>>>> is giving you trouble? In that case BIND will take it that you
>>>>> want it to do resigning as the RRSIGs approach expiry.
>>>>
>>>> The only allow-update is in the options section, and none.
>>>
>>> Get rid of the allow-update and allow the default of no acl to work.
>>
>> The test that decides that the zone may need to be re-signed doesn't
>> take the "none;" acl into account.  Currently it is
>> "if (acl != NULL || ssu != NULL)" and should become
>> "if ((acl != NULL && !isnone(acl)) || ssu != NULL)".
> 
> Thanks, this works indeed.
> 
> This raises a few questions, as I'd really like to understand bind's
> behavior:
> 
> - is there any description of exactly how/when Bind assumes signing
> authority over a zone? Or simply where some kind of zone-manipulating
> intelligence kicks in?
> 
> - is it possible to disable this kind of intelligence (possibly at
> compile time)?
> 
> - if not: a config switch (or compile-time option) would really be
> appreciated. The zone option "auto-dnssec off;" did not prevent bind
> from trying to sign the zone.
> 
> Best,
> Gilles
> 
> 
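The corner case Mark describes above, as an added example that is not BIND code and not part of the original thread: a hypothetical, simplified address-match list (struct acl, acl_isnone(), the ACL_* constants) stands in for BIND's real ACL type, and the two predicates reproduce the quoted test before and after the proposed change. It shows why a global `allow-update { none; };` makes the old test answer "updates are possible" while the corrected test treats a list that matches nothing the same as no list at all.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of an address-match list: a fixed-size array of
 * entries, each either the literal "none", the literal "any", or an
 * address/prefix. This is NOT BIND's dns_acl_t; it only mirrors the
 * property the thread is about (an ACL that exists but matches nothing). */
#define ACL_MAX 8

enum acl_kind { ACL_NONE, ACL_ANY, ACL_ADDR };

struct acl {
    size_t nelem;
    enum acl_kind elem[ACL_MAX];
};

/* True when the list can never match a client: it is empty or every
 * entry is a literal "none" (same idea as BIND's isnone check). */
static bool acl_isnone(const struct acl *acl) {
    for (size_t i = 0; i < acl->nelem; i++) {
        if (acl->elem[i] != ACL_NONE) {
            return false;
        }
    }
    return true;
}

/* Test as quoted in the thread: any configured allow-update ACL,
 * "{ none; }" included, is taken to mean the zone may be updated and
 * therefore may need re-signing. `ssu` stands for an update-policy. */
bool may_resign_old(const struct acl *update_acl, const void *ssu) {
    return update_acl != NULL || ssu != NULL;
}

/* Proposed test: an ACL that matches nothing is equivalent to no ACL. */
bool may_resign_new(const struct acl *update_acl, const void *ssu) {
    return (update_acl != NULL && !acl_isnone(update_acl)) || ssu != NULL;
}

/* Constructed sample lists, mirroring named.conf settings (assumptions):
 *   ACL_ONLY_NONE  -> allow-update { none; };
 *   ACL_EMPTY      -> allow-update { };
 *   ACL_ONE_ADDR   -> allow-update { 192.0.2.1; }; */
const struct acl ACL_ONLY_NONE = { 1, { ACL_NONE } };
const struct acl ACL_EMPTY     = { 0, { ACL_NONE } };
const struct acl ACL_ONE_ADDR  = { 1, { ACL_ADDR } };

/* Returns true when the two predicates disagree for the given inputs,
 * i.e. when the old test would wrongly claim update/re-sign authority. */
bool predicates_disagree(const struct acl *update_acl, const void *ssu) {
    return may_resign_old(update_acl, ssu) != may_resign_new(update_acl, ssu);
}

int main(void) {
    int dummy_ssu = 0; /* stands in for a configured update-policy */
    printf("no acl:          old=%d new=%d\n",
           may_resign_old(NULL, NULL), may_resign_new(NULL, NULL));
    printf("{ none; }:       old=%d new=%d\n",
           may_resign_old(&ACL_ONLY_NONE, NULL), may_resign_new(&ACL_ONLY_NONE, NULL));
    printf("{ 192.0.2.1; }:  old=%d new=%d\n",
           may_resign_old(&ACL_ONE_ADDR, NULL), may_resign_new(&ACL_ONE_ADDR, NULL));
    printf("update-policy:   old=%d new=%d\n",
           may_resign_old(NULL, &dummy_ssu), may_resign_new(NULL, &dummy_ssu));
    return 0;
}
```

Only the "{ none; }" and empty-list rows differ between the two predicates; a real address or an update-policy makes both say the zone may need re-signing, and no ACL at all makes both say it does not. That matches the workaround given earlier in the thread: drop the global `allow-update { none; };` and let the default (no ACL) apply, until a build carrying the fix for RT #23120 is in use.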


