How do I insert "CDS 0 0 0 0"? *** SOLVED ***

Mark Elkins mje at posix.co.za
Sun Oct 4 17:12:55 UTC 2020


Did some more Googling....

So the correct format to add a "Please delete all CD records for my 
domain" is "CDS 0 0 0 00".

However, in order to get BIND to accept this, you also have to have a 
working DNSKEY (KSK) key in the Zone... that's really intuitive!
To reduce code changes in my system - I also have a ZSK.
Of course there must be no other CDS keys in the zone - in spite of one 
normally doing that when one creates a KSK...

(Thinking about pushing the Start button to stop the machine - then 
again, I run Linux)

On 2020/10/04 15:45, Mark Elkins wrote:
>
> Thanks for answering on a Sunday,
>
> Umm...
>
> I'm using BIND 9.16.6 and although 9.16.7 is out - 9.16.6 doesn't seem 
> to be very old.
>
> In the update logs, I see....
>
>
>     Notes for BIND 9.16.7
>     <https://downloads.isc.org/isc/bind9/9.16.7/doc/arm/html/notes.html#id25>
>
>
>       New Features
>       <https://downloads.isc.org/isc/bind9/9.16.7/doc/arm/html/notes.html#id26>
>
>     * Log when named adds a CDS/CDNSKEY to the zone. [GL #1748]
>
>
> I'm running Gentoo - and the newest version of BIND in the repository 
> is bind-9.16.6-r3
> Should I not be running what is one version away from the 
> Current-Stable version?
>
> The ONLY DNSSEC type record I have in this zone is the "CDS 0 0 0 0" 
> record.
>
> I totally agree with ...
>
> > There must only be the delete cds/cdnskey records and not any other 
> > cds/cdnskey records.
> > Publish and delete instructions at the same time is not consistent.
>
> I'm also not surprised that NET_DNS2 is wrong. Have emailed the author.
>
> Still - what does one correctly enter into a text based zone?
>
> The text zone currently looks like...
>
> $TTL 3600
> @        IN    SOA    control.vweb.co.za. dns-admin.posix.co.za. (
>             2020100404    ; Serial number
>             3600        ; Refresh, 86400=1 day, 3600=1 hr
>             1800        ; Retry after 30 mins
>             604800        ; Expire after 7 days
>             1800 )        ; Negative TTL, 21600=6 hrs, 1800=30 mins
>
> @        IN    A    192.96.24.5
> @        IN    AAAA    2001:42a0::5
> @        IN    NS    control.vweb.co.za.
> @        IN    NS    secdns1.posix.co.za.
> @        IN    CDS    0 0 0 00
>
> www        IN    A    192.96.24.5
> www        IN    AAAA    2001:42a0::5
>
>
> On 2020/10/04 15:02, Mark Andrews wrote:
>> Use up to date software.
>>
>> -- 
>> Mark Andrews
>>
>>> On 4 Oct 2020, at 23:48, Mark Elkins <mje at posix.co.za> wrote:
>>>
>>> What is the magic incantation for inserting a "CDS 0 0 0 0" record 
>>> in BIND.
>>> Version - BIND 9.16.6 (Stable Release)
>>> I've read RFC8078 - which says...  (https://tools.ietf.org/html/rfc8078)
>>> The contents of the CDS or CDNSKEY RRset MUST contain one RR and only
>>>     contain the exact fields as shown below.
>>>
>>>        CDS 0 0 0 0
>>>
>>>        CDNSKEY 0 3 0 0
>>>
>>> In Knot docs...https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf
>>> it says...
>>>
>>> DS deletion via "CDNSKEY 0 3 0 AA==" or "CDS 0 0 0 00" must be done manually
>>>
>>> In https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf it says...
>>>
>>> A child zone can also signal to turn off DNSSEC by removing the DS 
>>> record set in the parent zone.
>>> In this case, the operator may publish a special CDS record which 
>>> must exactly match:
>>> CDS 0 0 0 00
>>>
>>>
>>> I have a zone called "nodnssec.edu.za".
>>>
>>> In a text zone - if I add:-
>>>
>>> CDS     0 0 0 0
>>>
>>> I get:-   (from running: /usr/sbin/named-checkconf -z 
>>> /etc/bind/named.conf | grep nodnssec)
>>>
>>> _default/nodnssec.edu.za/IN: bad hex encoding
>>> dns_rdata_fromtext: db.nodnssec.edu.za:17: near eol: bad hex encoding
>>> zone nodnssec.edu.za/IN: loading from master file db.nodnssec.edu.za 
>>> failed: bad hex encoding
>>> zone nodnssec.edu.za/IN: not loaded due to errors.
>>>
>>> CDS     0 0 0 00   gives me....
>>>
>>> _default/nodnssec.edu.za/IN: bad CDS
>>> zone nodnssec.edu.za/IN: CDS/CDNSKEY consistency checks failed
>>> zone nodnssec.edu.za/IN: not loaded due to errors.
>>>
>>> I've also tried a null string - CDS     0 0 0 ""    - no joy.
>>>
>>> So what should I add?
>>>
>>> I've seen a record hosted by Cloudflare.... for revolution.edu.za, 
>>> DIG shows that as "CDS     0 0 0 00" and the NET_DNS2 software shows 
>>> it as...  "CDS     0 0 0 " (no digest at all).
>>>
>>>
>>>
>>>
>>> -- 
>>>
>>> Mark James ELKINS  -  Posix Systems - (South) Africa
>>> mje at posix.co.za Tel: +27.826010496 <tel:+27826010496>
>>> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>>>
>>>
>>> _______________________________________________
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>>> unsubscribe from this list
>>>
>>> ISC funds the development of this software with paid support 
>>> subscriptions. Contact us at https://www.isc.org/contact/ for more 
>>> information.
>>>
>>>
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
> -- 
>
> Mark James ELKINS  -  Posix Systems - (South) Africa
> mje at posix.co.za Tel: +27.826010496 <tel:+27826010496>
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>
>
>
-- 

Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.826010496 <tel:+27826010496>
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
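As an added illustration of the resolution at the top of this message (not code from the thread or from BIND), the script below applies the RFC 8078 delete-record rules to a zone file in the layout the thread shows: it decodes the CDS digest as hex (so a lone "0" fails the same way named's "bad hex encoding" did, while "00" is one zero byte), rejects a zone that mixes publish and delete CDS/CDNSKEY RRs, and, following the author's finding, flags a zone that carries the delete record without any DNSKEY. The zone fragments and the DNSKEY rdata are constructed placeholders, and the DNSKEY rule is BIND's behaviour as reported in the thread, not something RFC 8078 requires.

```python
# Added example (not from the thread, not BIND's code): checks the RFC 8078
# "delete DS" signal in a zone file for the three failures the thread hit.
import base64
import binascii

DELETE_CDS = (0, 0, 0, b"\x00")      # "CDS 0 0 0 00": digest is one zero byte
DELETE_CDNSKEY = (0, 3, 0, b"\x00")  # "CDNSKEY 0 3 0 AA==": key is one zero byte

def parse_rdata(rtype, text):
    """Decode CDS (hex digest) or CDNSKEY (base64 key) presentation text.
    "0" is a lone hex nibble and fails just as named's "bad hex encoding" does;
    "00" is the single 0x00 byte RFC 8078 asks for."""
    fields = text.split()
    if len(fields) != 4:
        raise ValueError("expected 4 fields")
    nums = tuple(int(x) for x in fields[:3])
    try:
        if rtype == "CDS":
            blob = binascii.unhexlify(fields[3])
        else:
            blob = base64.b64decode(fields[3], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError("bad hex encoding" if rtype == "CDS" else "bad base64") from None
    return nums + (blob,)

def check_zone(zone_text):
    """Return loader-style problems; [] means the delete signal is well-formed."""
    rrs = {"CDS": [], "CDNSKEY": [], "DNSKEY": []}
    for line in zone_text.splitlines():
        parts = line.split(None, 3)  # owner class type rdata, as in the thread's zone
        if len(parts) == 4 and parts[2].upper() in rrs:
            rrs[parts[2].upper()].append(parts[3])
    problems, deletes = [], 0
    for rtype, target in (("CDS", DELETE_CDS), ("CDNSKEY", DELETE_CDNSKEY)):
        for rdata in rrs[rtype]:
            try:
                deletes += parse_rdata(rtype, rdata) == target
            except ValueError as err:
                problems.append(f"{rtype} {rdata!r}: {err}")
    if deletes and deletes != len(rrs["CDS"]) + len(rrs["CDNSKEY"]):
        problems.append("publish and delete CDS/CDNSKEY mixed (RFC 8078 section 4)")
    if deletes and not rrs["DNSKEY"]:  # BIND's extra check, per the thread's finding
        problems.append("bad CDS: zone has no DNSKEY for the consistency check")
    return problems

# Constructed zone fragments; the DNSKEY rdata is a placeholder, not a real key.
ZONE_NO_KEY = "@ IN NS control.vweb.co.za.\n@ IN CDS 0 0 0 00\n"
ZONE_OK = ZONE_NO_KEY + "@ IN DNSKEY 257 3 13 PLACEHOLDER==\n"
```

Running `check_zone` over the thread's own zone (CDS delete record, no DNSKEY) reports the missing DNSKEY, which is the "bad CDS" the author saw; adding a KSK clears it.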

