DNSSEC auto-dnssec issue bind-9.7.2-P3

Zbigniew Jasiński szopen at nask.pl
Mon Jan 24 15:08:05 UTC 2011



On 2011-01-24 14:34, Kalman Feher wrote:
> I assume you did add the nsec3param record via nsupdate after adding the
> zone? I note that there is an NSEC entry there, which is not right.
> 

Yes, with nsupdate, and the lack of NSEC3PARAM was very odd.

> Are you following this same workflow?
> FWIW I use a script to add all my test zones from a zone template file. That
> script automatically adds the nsec3param as soon as the zone is loaded, but
> before it signs. That way I keep things simple and never forget to update
> that zone before signing.

I made a few more tests and, as I understand it, you have to have at least
one key in the 'Activate' state.

For example:

the same example zone, with keys generated with future Prepublish and
Activate events, adding NSEC3PARAM via nsupdate:

Jan 24 15:28:36 named[15837]: update: client 127.0.0.1#8917: updating
zone 'example/IN': adding an RR at 'example' NSEC3PARAM
Jan 24 15:28:36 named[15837]: general: zone example/IN:
dns_zone_addnsec3chain(hash=1, iterations=12, salt=19CC44675CFB020065B1)
Jan 24 15:28:36 named[15837]: general: zone example/IN:
zone_addnsec3chain(1,CREATE,12,19CC44675CFB020065B1)

Now I want named to read the key timings from the key files, so I run 'rndc
sign example':

Jan 24 15:28:37 named[15837]: general: received control channel command
'sign example'
Jan 24 15:28:37 named[15837]: general: zone example/IN: reconfiguring
zone keys
Jan 24 15:28:37 named[15837]: general: zone example/IN:
zone_addnsec3chain(1,REMOVE|NONSEC,12,19CC44675CFB020065B1)
Jan 24 15:28:37 named[15837]: general: zone example/IN: next key event:
24-Jan-2011 15:29:36.860
Jan 24 15:29:36 named[15837]: general: zone example/IN: reconfiguring
zone keys
Jan 24 15:29:36 named[15837]: general: zone example/IN: next key event:
24-Jan-2011 16:29:36.886

And my NSEC3PARAM record is removed! My question is: why? Why can't I
have an NSEC3PARAM record in my zone before signing it?

If I wait until the 'Activate' event (16:29:36.886 for this particular
test), I get a strange-looking signed zone (which I attached in my
previous emails) without my NSEC3PARAM record.

-- 
regards

zbigniew jasinski
[SYStem OPerator]
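The observation above is that named tears the NSEC3 chain back down at 'rndc sign' when no key has reached its Activate time yet, and only the 'next key event' moves things forward. A pre-flight check that reads the same timing metadata named reads avoids the surprise. The script below is an added example, not code from the thread or from BIND: it parses the "; Publish:" / "; Activate:" / "; Inactive:" / "; Delete:" comment lines that dnssec-keygen writes into K<zone>.+<alg>+<id>.key files, classifies each key at a chosen time, reports whether at least one key is active (so signing can proceed) and what the next key event is, and builds the nsupdate input for the NSEC3PARAM record with the parameters seen in the log (hash 1, 12 iterations, salt 19CC44675CFB020065B1). The sample key file, its key id and key material are constructed; the flags value 0 and TTL 0 for NSEC3PARAM are assumptions.

```python
"""Pre-flight check of BIND key timing metadata before 'rndc sign'.

Added example, not from the bind-users thread or from BIND itself.
"""
from datetime import datetime
import re

# dnssec-keygen writes timing metadata as comments in .key files, e.g.
# "; Activate: 20110124162936" (UTC, YYYYMMDDHHMMSS).
TIMING_RE = re.compile(
    r"^;\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})\s*$")
TIME_FMT = "%Y%m%d%H%M%S"

# Constructed sample .key file for zone 'example' with the Publish/Activate
# times from the post; keyid and key material are placeholders.
SAMPLE_KEY_FILE = """\
; This is a zone-signing key, keyid 12345, for example.
; Created: 20110124152800
; Publish: 20110124152936
; Activate: 20110124162936
example. IN DNSKEY 256 3 8 AwEAAexampleKeyMaterialPlaceholder==
"""


def parse_key_timing(text):
    """Return {'Publish': datetime, 'Activate': datetime, ...} for one .key file."""
    timing = {}
    for line in text.splitlines():
        m = TIMING_RE.match(line)
        if m:
            timing[m.group(1)] = datetime.strptime(m.group(2), TIME_FMT)
    return timing


def key_state(timing, now):
    """Classify one key at 'now' following the dnssec-keygen event order."""
    def reached(event):
        t = timing.get(event)
        return t is not None and now >= t
    if reached("Delete"):
        return "deleted"
    if reached("Inactive"):
        return "inactive"
    if reached("Activate"):
        return "active"
    if reached("Publish"):
        return "published"
    return "unpublished"


def next_key_event(timings, now):
    """Earliest scheduled event strictly after 'now' across all keys, or None."""
    future = [t for timing in timings
              for ev, t in timing.items() if ev != "Created" and t > now]
    return min(future) if future else None


def check_zone_keys(key_files, now_stamp):
    """Report per-key states, whether signing can proceed, and the next event.

    'now_stamp' uses the same YYYYMMDDHHMMSS format as the key files.
    """
    now = datetime.strptime(now_stamp, TIME_FMT)
    timings = [parse_key_timing(text) for text in key_files]
    states = [key_state(t, now) for t in timings]
    nxt = next_key_event(timings, now)
    return {
        "states": states,
        "can_sign": "active" in states,   # named needs an active key to sign
        "next_event": nxt.strftime(TIME_FMT) if nxt else None,
    }


def nsec3param_update(zone, hash_alg=1, flags=0, iterations=12,
                      salt="19CC44675CFB020065B1", server="127.0.0.1"):
    """Build nsupdate input adding an NSEC3PARAM record (TTL 0, flags 0 assumed)."""
    zone = zone.rstrip(".")
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f"update add {zone}. 0 IN NSEC3PARAM {hash_alg} {flags} {iterations} {salt}",
        "send",
        "",
    ])


if __name__ == "__main__":
    # The three instants from the log: before Publish, at Publish, at Activate.
    for stamp in ("20110124152837", "20110124152936", "20110124162936"):
        print(stamp, check_zone_keys([SAMPLE_KEY_FILE], stamp))
    print(nsec3param_update("example"))
```

Run against a real keys directory by passing the contents of each K*.key file as the key_files list; a report with can_sign False tells you that an 'rndc sign' at that moment will find no active key, which matches the log sequence in the post where the chain is removed and the zone waits for the next key event.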




More information about the bind-users mailing list