How do I insert "CDS 0 0 0 0"?

Mark Elkins mje at posix.co.za
Sun Oct 4 13:45:23 UTC 2020


Thanks for answering on a Sunday,

Umm...

I'm using BIND 9.16.6 and although 9.16.7 is out - 9.16.6 doesn't seem 
to be very old.

In the update logs, I see....


    Notes for BIND 9.16.7
    <https://downloads.isc.org/isc/bind9/9.16.7/doc/arm/html/notes.html#id25>

      New Features
      <https://downloads.isc.org/isc/bind9/9.16.7/doc/arm/html/notes.html#id26>

      * Log when named adds a CDS/CDNSKEY to the zone. [GL #1748]

------------------------------------------------------------------------------------------------------------

I'm running Gentoo - and the newest version of BIND in the repository is 
bind-9.16.6-r3
Should I not be running what is one version away from the Current-Stable 
version?

The ONLY DNSSEC type record I have in this zone is the "CDS 0 0 0 0" record.

I totally agree with ...

> There must only be the delete cds/cdnskey records and not any other
> cds/cdnskey records.
> Publish and delete instructions at the same time is not consistent.

I'm also not surprised that NET_DNS2 is wrong. Have emailed the author.

Still - what does one correctly enter into a text-based zone?

The text zone currently looks like...

$TTL 3600
@        IN    SOA    control.vweb.co.za. dns-admin.posix.co.za. (
             2020100404    ; Serial number
             3600        ; Refresh, 86400=1 day, 3600=1 hr
             1800        ; Retry after 30 mins
             604800        ; Expire after 7 days
             1800 )        ; Negative TTL, 21600=6 hrs, 1800=30 mins

@        IN    A    192.96.24.5
@        IN    AAAA    2001:42a0::5
@        IN    NS    control.vweb.co.za.
@        IN    NS    secdns1.posix.co.za.
@        IN    CDS    0 0 0 00

www        IN    A    192.96.24.5
www        IN    AAAA    2001:42a0::5


On 2020/10/04 15:02, Mark Andrews wrote:
> Use up to date software.
>
> -- 
> Mark Andrews
>
>> On 4 Oct 2020, at 23:48, Mark Elkins <mje at posix.co.za> wrote:
>>
>> What is the magic incantation to insert a "CDS 0 0 0 0" record
>> in BIND?
>> Version - BIND 9.16.6 (Stable Release)
>> I've read RFC8070 - which says...  (https://tools.ietf.org/html/rfc8078)
>> The contents of the CDS or CDNSKEY RRset MUST contain one RR and only
>>     contain the exact fields as shown below.
>>
>>        CDS 0 0 0 0
>>
>>        CDNSKEY 0 3 0 0
>>
>> In Knot docs... https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf
>> it says...
>>
>> DS deletion via "CDNSKEY 0 3 0 AA==" or "CDS 0 0 0 00" must be done manually
>>
>> In https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf it says...
>>
>> A child zone can also signal to turn off DNSSEC by removing the DS 
>> record set in the parent zone.
>> In this case, the operator may publish a special CDS record which 
>> must exactly match:
>> CDS 0 0 0 00
>>
>>
>> I have a zone called "nodnssec.edu.za".
>>
>> In a text zone - if I add:-
>>
>> CDS     0 0 0 0
>>
>> I get:-   (from running: /usr/sbin/named-checkconf -z 
>> /etc/bind/named.conf | grep nodnssec)
>>
>> _default/nodnssec.edu.za/IN: bad hex encoding
>> dns_rdata_fromtext: db.nodnssec.edu.za:17: near eol: bad hex encoding
>> zone nodnssec.edu.za/IN: loading from master file db.nodnssec.edu.za 
>> failed: bad hex encoding
>> zone nodnssec.edu.za/IN: not loaded due to errors.
>>
>> CDS     0 0 0 00   gives me....
>>
>> _default/nodnssec.edu.za/IN: bad CDS
>> zone nodnssec.edu.za/IN: CDS/CDNSKEY consistency checks failed
>> zone nodnssec.edu.za/IN: not loaded due to errors.
>>
>> I've also tried a null string - CDS     0 0 0 ""    - no joy.
>>
>> So what should I add?
>>
>> I've seen a record hosted by Cloudflare.... for revolution.edu.za, 
>> DIG shows that as "CDS     0 0 0 00" and the NET_DNS2 software shows 
>> it as...  "CDS     0 0 0 " (no digest at all).
>>
-- 

Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.826010496 <tel:+27826010496>
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
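An added example (not code from the thread or from BIND) that applies the two rules this discussion turns on to a text zone: the CDS digest must be an even number of hex characters, so the RFC 8078 delete form is written `0 0 0 00`, and a delete CDS/CDNSKEY must not appear beside publish records. It assumes each record sits on one line, and its error messages only imitate the loader's wording.

```python
import base64
import re

# RFC 8078 section 4 "delete" records as written in a text zone file. The CDS
# digest is one zero octet, so its hex form is "00"; a lone "0" is an odd-length
# hex string, which is exactly what BIND rejects as "bad hex encoding".
DELETE_CDS = ("0", "0", "0", "00")
DELETE_CDNSKEY = ("0", "3", "0", "AA==")

def classify_rdata(rrtype, fields):
    """Return 'delete' or 'publish' for one CDS/CDNSKEY rdata, or raise
    ValueError with a loader-style message when the presentation form is bad."""
    if len(fields) != 4 or not all(f.isdigit() for f in fields[:3]):
        raise ValueError(f"bad {rrtype}: expected three integers and a payload")
    payload = fields[3]
    if rrtype == "CDS":
        if len(payload) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", payload):
            raise ValueError("bad hex encoding")
        return "delete" if tuple(fields) == DELETE_CDS else "publish"
    try:
        base64.b64decode(payload, validate=True)
    except ValueError:
        raise ValueError("bad base64 encoding") from None
    return "delete" if tuple(fields) == DELETE_CDNSKEY else "publish"

def check_zone(text):
    """Scan zone-file text for CDS/CDNSKEY records (assumed to be on one line
    each) and return a list of problems: per-record syntax errors, then the
    RFC 8078 rule that a delete record must be the only CDS/CDNSKEY present."""
    errors, kinds = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split(";", 1)[0].split()   # drop comments, split fields
        for idx, tok in enumerate(tokens):
            if tok in ("CDS", "CDNSKEY"):
                try:
                    kinds.append(classify_rdata(tok, tokens[idx + 1:]))
                except ValueError as err:
                    errors.append(f"line {lineno}: {err}")
                break
    if "delete" in kinds and "publish" in kinds:
        errors.append("CDS/CDNSKEY consistency check failed: "
                      "delete and publish records in the same zone")
    return errors

if __name__ == "__main__":
    # Constructed samples mirroring the thread: the rejected "0" digest and
    # the RFC 8078 delete form with the "00" digest.
    for sample in ("@ IN CDS 0 0 0 0", "@ IN CDS 0 0 0 00"):
        print(sample, "->", check_zone(sample) or "ok")
```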
