How do I insert "CDS 0 0 0 0"? *** SOLVED ***

Mark Elkins mje at posix.co.za
Sun Oct 4 17:19:07 UTC 2020


Ugh... typos

Please read that as....

So the correct format to add a "Please delete all DS records for my 
domain" is "CDS 0 0 0 00".

On 2020/10/04 19:12, Mark Elkins wrote:
>
> Did some more Googling....
>
> So the correct format to add a "Please delete all CD records for my 
> domain" is "CDC 0 0 0 00".
>
> However, in order to get BIND to accept this, you also have to have a 
> working DNSKEY (KSK) key in the Zone... that's really intuitive!
> To reduce code changes in my system - I also have a ZSK.
> Of course there must be no other CDS keys in the zone - in spite of 
> one normally doing that when one creates a KSK...
>
> (Thinking about pushing the Start button to stop the machine - then 
> again, I run Linux)
>
> On 2020/10/04 15:45, Mark Elkins wrote:
>>
>> Thanks for answering on a Sunday,
>>
>> Umm...
>>
>> I'm using BIND 9.16.6 and although 9.16.7 is out - 9.16.6 doesn't 
>> seem to be very old.
>>
>> In the update logs, I see....
>>
>>
>>     Notes for BIND 9.16.7
>>     <https://downloads.isc.org/isc/bind9/9.16.7/doc/arm/html/notes.html#id25>
>>
>>
>>       New Features
>>       <https://downloads.isc.org/isc/bind9/9.16.7/doc/arm/html/notes.html#id26>
>>
>>  *  Log when named adds a CDS/CDNSKEY to the zone. [GL #1748]
>>
>> ------------------------------------------------------------------------------------------------------------
>>
>> I'm running Gentoo - and the newest version of BIND in the repository 
>> is bind-9.16.6-r3
>> Should I not be running what is one version away from the 
>> Current-Stable version?
>>
>> The ONLY DNSSEC type record I have in this zone is the "CDS 0 0 0 0" 
>> record.
>>
>> I totally agree with ...
>>
>> > There must only be the delete cds/cdnskey records and not any other 
>> cds/cdnskey records.
>> > Publish and delete instructions at the same time is not consistent.
>>
>> I'm also not surprised that NET_DNS2 is wrong. Have emailed the author.
>>
>> Still - what does one correctly enter into a text based zone?
>>
>> The text zone currently looks like...
>>
>> $TTL 3600
>> @        IN    SOA    control.vweb.co.za. dns-admin.posix.co.za. (
>>             2020100404    ; Serial number
>>             3600        ; Refresh, 86400=1 day, 3600=1 hr
>>             1800        ; Retry after 30 mins
>>             604800        ; Expire after 7 days
>>             1800 )        ; Negative TTL, 21600=6 hrs, 1800=30 mins
>>
>> @        IN    A    192.96.24.5
>> @        IN    AAAA    2001:42a0::5
>> @        IN    NS    control.vweb.co.za.
>> @        IN    NS    secdns1.posix.co.za.
>> @        IN    CDS    0 0 0 00
>>
>> www        IN    A    192.96.24.5
>> www        IN    AAAA    2001:42a0::5
>>
>>
>> On 2020/10/04 15:02, Mark Andrews wrote:
>>> Use up to date software.
>>>
>>> -- 
>>> Mark Andrews
>>>
>>>> On 4 Oct 2020, at 23:48, Mark Elkins <mje at posix.co.za> wrote:
>>>>
>>>>  What is the magic incantation to inserting a "CDS 0 0 0 0" record 
>>>> in BIND.
>>>> Version - BIND 9.16.6 (Stable Release)
>>>> I've read RFC 8078 - which says...
>>>> (https://tools.ietf.org/html/rfc8078)
>>>> The contents of the CDS or CDNSKEY RRset MUST contain one RR and only
>>>>     contain the exact fields as shown below.
>>>>
>>>>        CDS 0 0 0 0
>>>>
>>>>        CDNSKEY 0 3 0 0
>>>>
>>>> In the Knot docs... https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf
>>>> it says...
>>>>
>>>> DS deletion via "CDNSKEY 0 3 0 AA==" or "CDS 0 0 0 00" must be done manually
>>>>
>>>> In https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf it says...
>>>>
>>>> A child zone can also signal to turn off DNSSEC by removing the DS 
>>>> record set in the parent zone.
>>>> In this case, the operator may publish a special CDS record which 
>>>> must exactly match:
>>>> CDS 0 0 0 00
>>>>
>>>>
>>>> I have a zone called "nodnssec.edu.za".
>>>>
>>>> In a text zone - if I add:-
>>>>
>>>> CDS     0 0 0 0
>>>>
>>>> I get:-   (from running: /usr/sbin/named-checkconf -z 
>>>> /etc/bind/named.conf | grep nodnssec)
>>>>
>>>> _default/nodnssec.edu.za/IN: bad hex encoding
>>>> dns_rdata_fromtext: db.nodnssec.edu.za:17: near eol: bad hex encoding
>>>> zone nodnssec.edu.za/IN: loading from master file 
>>>> db.nodnssec.edu.za failed: bad hex encoding
>>>> zone nodnssec.edu.za/IN: not loaded due to errors.
>>>>
>>>> CDS     0 0 0 00   gives me....
>>>>
>>>> _default/nodnssec.edu.za/IN: bad CDS
>>>> zone nodnssec.edu.za/IN: CDS/CDNSKEY consistency checks failed
>>>> zone nodnssec.edu.za/IN: not loaded due to errors.
>>>>
>>>> I've also tried a null string - CDS     0 0 0 ""    - no joy.
>>>>
>>>> So what should I add?
>>>>
>>>> I've seen a record hosted by Cloudflare.... for revolution.edu.za, 
>>>> DIG shows that as "CDS     0 0 0 00" and the NET_DNS2 software 
>>>> shows it as...  "CDS     0 0 0 " (no digest at all).
>>>>
>>>>
>>>>
>>>>
>>>> -- 
>>>>
>>>> Mark James ELKINS  -  Posix Systems - (South) Africa
>>>> mje at posix.co.za Tel: +27.826010496 <tel:+27826010496>
>>>> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>>>>
>>>>
>>>> _______________________________________________
>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>>>> unsubscribe from this list
>>>>
>>>> ISC funds the development of this software with paid support 
>>>> subscriptions. Contact us at https://www.isc.org/contact/ for more 
>>>> information.
>>>>
>>>>
>>>> bind-users mailing list
>>>> bind-users at lists.isc.org
>>>> https://lists.isc.org/mailman/listinfo/bind-users
-- 

Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.826010496 <tel:+27826010496>
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za


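The thread above boils down to two checks that BIND applies when it loads the zone: the CDS digest field is hex and must decode to whole octets (so the RFC's literal "CDS 0 0 0 0" is half an octet and fails with "bad hex encoding", while "CDS 0 0 0 00" is the single zero octet the delete signal needs, and "CDNSKEY 0 3 0 AA==" is the same octet in base64), and a delete record must be the only CDS/CDNSKEY record in the zone. The checker below is an added example written for this page; it is not code from the thread, from ISC or from BIND, and it only approximates named-checkzone's behaviour. The sample zones, owner names and the 64-hex-digit digest in the "mixed" case are constructed for the example. It does not model BIND's separate requirement, noted in the thread, that a DNSKEY also be present in the zone.

```python
"""Validate the RFC 8078 'delete my DS' signal in a BIND-style text zone.

Added example for this thread; not code from the thread, from ISC or from
BIND. It mimics two checks named-checkzone applies: the CDS digest is hex
and must decode to whole octets ('0' is rejected, '00' is one zero octet),
and a delete record must be the only CDS/CDNSKEY record present.
"""
import base64
import binascii

# RFC 8078 section 4 delete signals, decoded: key tag / flags, algorithm
# or protocol, digest type / algorithm, then one 0x00 octet of rdata.
CDS_DELETE = (0, 0, 0, b"\x00")       # presentation form: CDS 0 0 0 00
CDNSKEY_DELETE = (0, 3, 0, b"\x00")   # presentation form: CDNSKEY 0 3 0 AA==


def parse_rr(line):
    """Return (rrtype, rdata_fields) for a CDS/CDNSKEY zone-file line, else None."""
    fields = line.split(";", 1)[0].split()     # strip a trailing comment
    # Owner, TTL and class are all optional, so the type is one of the first four tokens.
    for i, tok in enumerate(fields[:4]):
        if tok.upper() in ("CDS", "CDNSKEY"):
            return tok.upper(), fields[i + 1:]
    return None


def decode_cds(rdata):
    """CDS presentation fields -> (keytag, alg, digest_type, digest_bytes)."""
    if len(rdata) < 4:
        raise ValueError("CDS needs key tag, algorithm, digest type and digest")
    keytag, alg, dtype = (int(x) for x in rdata[:3])
    hexdigest = "".join(rdata[3:])             # a hex digest may be split by whitespace
    if len(hexdigest) % 2:
        raise ValueError("bad hex encoding")   # odd digit count: '0' is not an octet
    try:
        digest = binascii.unhexlify(hexdigest)
    except binascii.Error:
        raise ValueError("bad hex encoding") from None
    return keytag, alg, dtype, digest


def decode_cdnskey(rdata):
    """CDNSKEY presentation fields -> (flags, protocol, alg, key_bytes)."""
    if len(rdata) < 4:
        raise ValueError("CDNSKEY needs flags, protocol, algorithm and key")
    flags, proto, alg = (int(x) for x in rdata[:3])
    try:
        key = base64.b64decode("".join(rdata[3:]), validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("bad base64 encoding") from None
    return flags, proto, alg, key


def check_zone(text):
    """Classify a zone's CDS/CDNSKEY content: 'none', 'publish' or 'delete'.

    Raises ValueError for a malformed record, or when a delete record shares
    the zone with any other CDS/CDNSKEY record (publish and delete at once).
    """
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_rr(line)
        if parsed is None:
            continue
        rrtype, rdata = parsed
        try:
            decoded = decode_cds(rdata) if rrtype == "CDS" else decode_cdnskey(rdata)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {rrtype}: {exc}") from None
        records.append((rrtype, decoded))
    if not records:
        return "none"
    deletes = [r for r in records if r in (("CDS", CDS_DELETE), ("CDNSKEY", CDNSKEY_DELETE))]
    if not deletes:
        return "publish"
    if len(deletes) != len(records):
        raise ValueError("CDS/CDNSKEY consistency check failed: delete mixed with other records")
    return "delete"


def check_result(text):
    """check_zone() wrapped for scripting: (status, None) or (None, error message)."""
    try:
        return check_zone(text), None
    except ValueError as exc:
        return None, str(exc)


# Constructed sample zones (placeholder names and digest, not the thread's zone).
ZONE_DELETE = """\
$TTL 3600
@   IN  SOA ns1.example. hostmaster.example. ( 1 3600 1800 604800 1800 )
@   IN  NS  ns1.example.
@   IN  CDS 0 0 0 00   ; one zero octet: delete all DS records at the parent
"""
ZONE_BAD_HEX = "@ IN CDS 0 0 0 0\n"   # the RFC's literal text: half an octet
ZONE_MIXED = ZONE_DELETE + "@ IN CDS 12345 13 2 " + "ab" * 32 + "\n"

if __name__ == "__main__":
    for name, zone in (("delete", ZONE_DELETE), ("bad hex", ZONE_BAD_HEX), ("mixed", ZONE_MIXED)):
        print(f"{name:8s} -> {check_result(zone)}")
```

Run it as a pre-flight before handing a zone to named-checkzone: a "delete" result means the zone carries exactly the signal the SWITCH and Knot documents quoted above describe, "publish" means it carries real CDS/CDNSKEY records, and the two error paths reproduce the "bad hex encoding" and "consistency checks failed" outcomes seen in the thread.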