DNSSEC's sorted zone

Torinthiel torinthiel at data.pl
Wed Jan 12 21:37:33 UTC 2011

On 01/12/11 17:58, Mark Elkins wrote:
> Still playing with DNSSEC and signing zones.
> I'm resigning an already signed zone.
> I'm doing this on a hyper-threaded 4-core i7 (Intel(R) Core(TM) i7 CPU
> 920 @ 2.67GHz) which under linux gives me 8 cores.
> I'm using the command:
> dnssec-signzone  -3 "abcd" -o example.com -p -t -A -d keyset -g -a -N
> increment -s 20110111161553 -e 20110210161553 -f example.com.sign-1
> example.com.signed
> A minute later - I run the same command - but output to a different
> file...   -f example.com.sign-2
> A 'diff' of the two output files gives lots of differences - apart from
> the zone creation time.
> If I include the "-n ncpus" as "-n 1" - then the files are the same
> (except for the creation time).
> I believe that the data is fundamentally the same - but it is partially
> re-ordered if there are multiple threads. This is not what I would have
> expected - having had it been drummed into me that dnssec-signzone will
> first sort the zone then generate all the RRSIG records - etc...
> I find this disturbing. It appears to only be doing this on CNAME
> records.
> In one file:
> www.access.example.com  CNAME  www.entry.example.com
> access.example.com      CNAME  entry.example.com
> In the next - their order is swapped.
> Are these differences in ordering completely ignored when BIND loads the
> file into memory?

Yes, order is completely ignored. Not only by BIND, but by ANY decent
server. Try digg'ing any zone with numerous records for an answer, and
you will get them in random order every time. It's supposed to be that
way, that's how DNS works.
If order is the only difference in those files, ignore it.

More differences would be if you'd have omitted -s and -e, as it would
put current time in the RRSIG, and as RRSIG's signature includes
validity dates as well, than signature would be totally different.
Also I haven't used -p, maybe it causes both zones to have same random
data and thus same signatures.

Besides, dnssec-signzone doesn't have to sort the zone at once.
It only has to sort zone for generating NSEC records.
All RRSIGs can be generated without sorting. Of course RRSIGs on NSEC
need NSEC, so indirectly need sorting too.
For NSEC3 (which you are using) sorting makes no sense. Signing only
needs to sort hashed names to generate NSEC3 records. No need to sort
actual records in zone.

More information about the bind-users mailing list