DNSSEC auto-dnssec issue bind-9.7.2-P3

Kalman Feher kalman.feher at melbourneit.com.au
Mon Jan 24 16:47:41 UTC 2011

On 24/01/11 4:08 PM, "Zbigniew Jasiński" <szopen at nask.pl> wrote:

> 
> On 2011-01-24 14:34, Kalman Feher wrote:
>> I assume you did add the nsec3param record via nsupdate after adding the
>> zone? I note that there is an NSEC entry there, which is not right.
>> 
> 
> Yes, with nsupdate, and the lack of NSEC3PARAM was very odd.
> 
>> Are you following this same workflow?
>> FWIW I use a script to add all my test zones from a zone template file. That
>> script automatically adds the nsec3param as soon as the zone is loaded, but
>> before it signs. That way I keep things simple and never forget to update
>> that zone before signing.
> 
> I made a few more tests and, as I understand it, you have to have at least
> one key in the 'Activate' state.
> 
> for example:
> 
> the same example zone, generated keys with future Prepublish and
> Activate event, adding NSEC3PARAM via nsupdate:
> 
> Jan 24 15:28:36 named[15837]: update: client 127.0.0.1#8917: updating
> zone 'example/IN': adding an RR at 'example' NSEC3PARAM
> Jan 24 15:28:36 named[15837]: general: zone example/IN:
> dns_zone_addnsec3chain(hash=1, iterations=12, salt=19CC44675CFB020065B1)
> Jan 24 15:28:36 named[15837]: general: zone example/IN:
> zone_addnsec3chain(1,CREATE,12,19CC44675CFB020065B1)
> 
> now I want named to read the key timings from the key files, so I run 'rndc
> sign example':
> 
> Jan 24 15:28:37 named[15837]: general: received control channel command
> 'sign example'
> Jan 24 15:28:37 named[15837]: general: zone example/IN: reconfiguring
> zone keys
> Jan 24 15:28:37 named[15837]: general: zone example/IN:
> zone_addnsec3chain(1,REMOVE|NONSEC,12,19CC44675CFB020065B1)
This appears to be the problem.
I copied your NSEC3PARAM details (opt-out clear, 12 iterations) but could
not replicate it. Try turning up the logging to get more information about
why the NSEC3PARAM is removed. Make sure also that your keys are NSEC3
compatible and that you don't have any old non-NSEC3 keys in the directory
that could be used to sign.

> Jan 24 15:28:37 named[15837]: general: zone example/IN: next key event:
> 24-Jan-2011 15:29:36.860
> Jan 24 15:29:36 named[15837]: general: zone example/IN: reconfiguring
> zone keys
> Jan 24 15:29:36 named[15837]: general: zone example/IN: next key event:
> 24-Jan-2011 16:29:36.886
> 
> and my NSEC3PARAM record is removed! And my question is why? Why can't I
> have an NSEC3PARAM record in my zone before signing it?
> 
> If I wait until the 'Activate' event (16:29:36.886 for this particular
> test) I get a strange-looking signed zone (which I attached in my
> previous emails) without my NSEC3PARAM record.
> 
> -- 
> regards
> 
> zbigniew jasinski
> [SYStem OPerator]
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Kal Feher 
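Kal's two checks above (every key NSEC3-compatible, no stale non-NSEC3 key left in the directory) and Zbigniew's finding that at least one key has to be in the 'Activate' state can be scripted against the key directory before running 'rndc sign'. The script below is an added example, not code from this thread or from ISC. It assumes dnssec-keygen-style K<zone>.+<alg>+<id>.key files that carry the "; Activate:" timing comment BIND 9.7's key metadata writes above the DNSKEY line; the set of NSEC3-capable algorithm numbers comes from the DNSSEC algorithm RFCs, not from anything the thread states. The sample key files are constructed with fake key material so the script runs offline. It does not reproduce named's own decision to drop the chain; it only tells you whether the key directory could explain it.

```shell
#!/bin/sh
# Added example (not from the thread or from ISC): check a BIND 9.7+ key
# directory before 'rndc sign'. Assumes dnssec-keygen-style K<zone>.+<alg>+<id>.key
# files carrying "; Activate:" timing comments above the DNSKEY line.

# Algorithm number of the DNSKEY in a .key file: the third field after
# "DNSKEY", so it works with or without a TTL column.
key_algorithm() {
    awk '!/^;/ { for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i + 3); exit } }' "$1"
}

# Bare YYYYMMDDHHMMSS timestamp from the "; Activate:" metadata comment.
key_activate() {
    awk '/^; Activate:/ { print $3; exit }' "$1"
}

# Compare two YYYYMMDDHHMMSS timestamps numerically (awk avoids 32-bit test(1)).
ts_le() {
    awk -v a="$1" -v b="$2" 'BEGIN { exit !(a <= b) }'
}

# NSEC3-aware DNSSEC algorithms (RFC 5155, 5702, 5933, 6605, 8080). RSASHA1 (5)
# and DSA (3) are NSEC-only (RFC 5155); named treats a zone keyed with them as
# NSEC-only and will not keep an NSEC3 chain for it.
nsec3_capable() {
    case "$1" in
        6|7|8|10|12|13|14|15|16) return 0 ;;
        *) return 1 ;;
    esac
}

# check_keydir DIR NOW: NOW is a YYYYMMDDHHMMSS timestamp in UTC, like the key
# metadata. Succeeds only if every key is NSEC3-capable and at least one key's
# Activate time is at or before NOW.
check_keydir() {
    ck_dir=$1; ck_now=$2; ck_bad=0; ck_active=0
    for ck_f in "$ck_dir"/K*.key; do
        [ -f "$ck_f" ] || continue
        ck_alg=$(key_algorithm "$ck_f")
        ck_act=$(key_activate "$ck_f")
        if nsec3_capable "$ck_alg"; then
            ck_status="algorithm $ck_alg, NSEC3-capable"
        else
            ck_status="algorithm $ck_alg, NSEC-ONLY, retire it"
            ck_bad=1
        fi
        if [ -n "$ck_act" ] && ts_le "$ck_act" "$ck_now"; then
            ck_status="$ck_status, active"
            ck_active=1
        else
            ck_status="$ck_status, not active until ${ck_act:-unset}"
        fi
        echo "${ck_f##*/}: $ck_status"
    done
    [ "$ck_active" -eq 1 ] || echo "no key is active at $ck_now; named has nothing to sign with yet"
    [ "$ck_bad" -eq 0 ] && [ "$ck_active" -eq 1 ]
}

# Constructed sample key directory (fake key material, not real keys) so the
# script runs offline: an old RSASHA1 ZSK plus an RSASHA256 KSK/ZSK pair whose
# Activate time matches the thread's "next key event" of 16:29:36.
make_sample_keydir() {
    sk_dir=$(mktemp -d)
    cat > "$sk_dir/Kexample.+005+12345.key" <<'EOF'
; This is a zone-signing key, keyid 12345, for example.
; Activate: 20101201120000 (Wed Dec  1 12:00:00 2010)
example. IN DNSKEY 256 3 5 AwEAAcONSTRUCTEDFAKEKEYMATERIAL=
EOF
    cat > "$sk_dir/Kexample.+008+23456.key" <<'EOF'
; This is a key-signing key, keyid 23456, for example.
; Publish: 20110124152936 (Mon Jan 24 15:29:36 2011)
; Activate: 20110124162936 (Mon Jan 24 16:29:36 2011)
example. IN DNSKEY 257 3 8 AwEAAcONSTRUCTEDFAKEKEYMATERIAL=
EOF
    cat > "$sk_dir/Kexample.+008+34567.key" <<'EOF'
; This is a zone-signing key, keyid 34567, for example.
; Publish: 20110124152936 (Mon Jan 24 15:29:36 2011)
; Activate: 20110124162936 (Mon Jan 24 16:29:36 2011)
example. IN DNSKEY 256 3 8 AwEAAcONSTRUCTEDFAKEKEYMATERIAL=
EOF
    echo "$sk_dir"
}

# Demo: the state from the thread (before the Activate event), then after
# retiring the RSASHA1 key and waiting for the Activate event to pass.
demo_dir=$(make_sample_keydir)
echo "== 2011-01-24 15:28:36, before the Activate event =="
check_keydir "$demo_dir" 20110124152836 || echo "NOT ready to sign"
rm -f "$demo_dir/Kexample.+005+12345.key"
echo "== 2011-01-24 16:30:00, RSASHA1 key retired =="
check_keydir "$demo_dir" 20110124163000 && echo "ready to sign"
rm -rf "$demo_dir"
```

Run it as-is for the demo, or source it and call check_keydir on the real directory, for example check_keydir /var/named/keys "$(date -u +%Y%m%d%H%M%S)", before issuing 'rndc sign'. A non-zero exit means either a stale NSEC-only key is present or no key is active yet, which are the two directory-side conditions the thread points at.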
