Possible dnssec-signzone re-sign bug with former orphan glue
paul at cypherpunks.ca
Mon Jul 16 14:54:53 UTC 2012
When using dnssec-signzone manually to sign a zone, I think there is a
case where it does not drop the RRSIGs when I think it should. Imagine
that dnssec-signzone is used with the old signed zone's RRSIG/NSEC*
data, along with an updated "unsigned" zone.
Let's say we are example.com. At T=0 we have in our signed zone:
foo.example.com. IN NS ns1.foo.example.com.
foo.example.com. IN NS ns2.foo.example.com.
ns1.foo.example.com. IN A 18.104.22.168
ns2.foo.example.com. IN A 22.214.171.124
The NS RRset is signed. The A records are not.
At T=1, the delegation for foo.example.com is removed, but (to prevent
other domains depending on those name servers from dying) the A records
are retained. Since this is now orphaned glue, the A records get signed.
At T=2, the delegation for foo.example.com is restored. The input zone
for dnssec-signzone receives the RRSIGs for the A records, and it should
drop these, but instead retains them. I am not sure what happens when
they would fall below the re-sign threshold.
I believe the correct behaviour should be for dnssec-signzone to drop
the RRSIGs of the A records when the delegation got restored.
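The behaviour the post expects can be stated as a check over a signed zone: RRSIGs at or below a delegation point are stale unless they cover the DS or NSEC RRset at the cut itself, because glue under a zone cut is not signed by the parent. The script below is an added example, not code from the post or from BIND; it parses a simplified presentation-format zone (owner, optional TTL, class, type, rdata), finds the delegation points, and reports the RRSIGs that a re-sign should drop. The zone snapshots, the 192.0.2.0/24 addresses and the RRSIG rdata are constructed to mirror the T=0/T=1/T=2 scenario above.

```python
"""Flag RRSIGs that sit on glue at or below a delegation point (constructed example)."""
from typing import List, Set, Tuple

Record = Tuple[str, str, str]  # (owner, type, rdata)

# Constructed snapshot of example.com at T=2: delegation restored, but the
# RRSIGs that were generated for the A records while they were orphan glue
# at T=1 are still present.  RRSIG rdata is a placeholder, not a real signature.
ZONE_T2 = """
example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 3 3600 900 1209600 300
example.com. 3600 IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 8 2 3600 20120801000000 20120702000000 12345 example.com. placeholder==
ns.example.com. 3600 IN A 192.0.2.1
ns.example.com. 3600 IN RRSIG A 8 3 3600 20120801000000 20120702000000 12345 example.com. placeholder==
foo.example.com. 3600 IN NS ns1.foo.example.com.
foo.example.com. 3600 IN NS ns2.foo.example.com.
foo.example.com. 300 IN NSEC ns.example.com. NS RRSIG NSEC
foo.example.com. 300 IN RRSIG NSEC 8 3 300 20120801000000 20120702000000 12345 example.com. placeholder==
ns1.foo.example.com. 3600 IN A 192.0.2.10
ns1.foo.example.com. 3600 IN RRSIG A 8 4 3600 20120801000000 20120702000000 12345 example.com. placeholder==
ns2.foo.example.com. 3600 IN A 192.0.2.11
ns2.foo.example.com. 3600 IN RRSIG A 8 4 3600 20120801000000 20120702000000 12345 example.com. placeholder==
"""

# Constructed snapshot at T=1: delegation gone, so the A records are ordinary
# in-zone data and their RRSIGs are legitimate.
ZONE_T1 = "\n".join(
    line for line in ZONE_T2.splitlines()
    if not line.startswith("foo.example.com.")
)


def parse_zone(text: str) -> List[Record]:
    """Parse 'owner [ttl] IN type rdata' lines; comments and blanks are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        owner = tokens[0]
        rest = tokens[1:]
        if rest and rest[0].isdigit():      # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        records.append((owner, rtype, rdata))
    return records


def delegation_points(records: List[Record], apex: str) -> Set[str]:
    """Every owner with an NS RRset other than the apex is a zone cut."""
    return {owner for owner, rtype, _ in records if rtype == "NS" and owner != apex}


def at_or_below_cut(owner: str, cuts: Set[str]) -> bool:
    return any(owner == cut or owner.endswith("." + cut) for cut in cuts)


def stale_rrsigs(records: List[Record], apex: str) -> Set[Tuple[str, str]]:
    """Return (owner, covered type) for RRSIGs a re-sign should drop.

    At a delegation point the parent signs only the DS and NSEC RRsets; the
    NS RRset and any glue beneath the cut are never signed by this zone.
    """
    cuts = delegation_points(records, apex)
    stale: Set[Tuple[str, str]] = set()
    for owner, rtype, rdata in records:
        if rtype != "RRSIG" or not at_or_below_cut(owner, cuts):
            continue
        covered = rdata.split()[0].upper()
        if owner in cuts and covered in ("DS", "NSEC"):
            continue
        stale.add((owner, covered))
    return stale


def drop_stale(records: List[Record], apex: str) -> List[Record]:
    """The zone as it should look after dnssec-signzone re-signs it."""
    stale = stale_rrsigs(records, apex)
    return [
        r for r in records
        if not (r[1] == "RRSIG" and (r[0], r[2].split()[0].upper()) in stale)
    ]


if __name__ == "__main__":
    for name, text in (("T=1", ZONE_T1), ("T=2", ZONE_T2)):
        found = stale_rrsigs(parse_zone(text), "example.com.")
        print(name, "stale RRSIGs:", sorted(found) or "none")
```

Run against the T=2 snapshot, the check names the two RRSIG(A) records under foo.example.com; against the T=1 snapshot, where no cut exists, it reports nothing, which is exactly the distinction the re-sign step needs to make.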