SIG(0) Dynamic Update Policy not working

Petr Špaček pspacek at isc.org
Mon Aug 5 06:54:41 UTC 2024


Hi,

you did not mention what version of BIND is in use or any log messages 
the server produced so we cannot be sure... but

I suspect it has to do with this release note:
https://bind9.readthedocs.io/en/v9.18.28/notes.html#security-fixes

> Validating DNS messages signed using the SIG(0) protocol (RFC 2931) could cause excessive CPU load, leading to a denial-of-service condition. Support for SIG(0) message validation was removed from this version of named. (CVE-2024-1975) [GL #4480]

This is accompanied by a well hidden debug message (level 3):

> request has a SIG(0) signature but its support was removed (CVE-2024-1975)


For SIG(0) support you need to upgrade to BIND 9.20.

Mitigating the SIG(0) DoS potential required surgery to very sensitive parts 
of the code, so we decided to remove support from the 9.18 branch (and older) 
to minimize risk for the whole user base and keep it only in 9.20, so 
more advanced users can upgrade and still have it.

Honestly we thought that nobody is using it! What is your use-case?

Petr Špaček
Internet Systems Consortium

On 03. 08. 24 8:18, Sebastian Unger wrote:
> Hi,
> 
> I have had a DNS server with a dynamic zone that allows updates running 
> for a fair number of years. However, I discovered yesterday that this 
> setup no longer works and I cannot see anything in the documentation 
> that indicates why. Unfortunately, I did not notice when this broke, so 
> it may have been a while ago. Here's my setup:
> 
> Starting with a plain Ubuntu 24.04 server (also tried with 22.04 as well 
> as 24.04 + the ISC PPA) that has static network configuration and 
> systemd-resolved disabled plus bind9 package installed.
> 
> Config:
> /etc/bind/named.conf.options:
> 
>     options {
>         directory "/var/cache/bind";
>         dnssec-validation no;
>         listen-on { any; };
>         listen-on-v6 { none; };
>     };
> 
> 
> /etc/bind/named.conf.local:
> 
>     zone "dyn.example.com" {
>           type primary;
>           masterfile-format text;
>           check-names ignore;
>           file "/var/lib/bind/db.dyn.example.com";
>           update-policy {
>              grant local-ddns zonesub any;
>              grant * self . any;
>           };
>     };
> 
> 
> /var/lib/bind/db.dyn.example.com:
> 
>     $ORIGIN .
>     $TTL 60
>     dyn.example.com IN SOA 127.0.0.1. admins.example.com. (2024080306 300 300 604800 60)
>       NS 127.0.0.1.
> 
> 
> Then I run from the command-line (better run this from an empty 
> directory or else the wild-cards may pick up the wrong files):
> 
>     dnssec-keygen -a ECDSAP384SHA384 -n host -K . -T KEY test.dyn.example.com
>     nsupdate -4l <<<$'update add '"$(sed -e 's/ IN / 60 /' ./*.key)"$'\nsend\n'
>     nsupdate -k *.private <<<$'server 127.0.0.1\nupdate add test.dyn.example.com. 60 IN A 10.200.20.28\nsend\n'
> 
> 
> The first command generates a key-pair, the second uses the local 
> session key to add the public key into the zone and the last one is 
> supposed to use the newly added key to add an address.
> It is the last command that fails with "REFUSED" and I cannot figure out 
> what's wrong. I'm fairly sure nothing has changed on my end and that 
> this simplified example is a fair representation of what used to work. 
> In any case, I believe this example /should/ work according to the docs.
> 
> Any ideas?
> 
> Cheers,
> Seb
> 

-- 
Petr Špaček
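Added example (not from the thread, and not ISC code): a small POSIX shell helper that turns the reply's two facts into a check an operator can run. `sig0_status` classifies a `named -v` string using only the boundaries stated above (SIG(0) validation removed from 9.18.28 onward in the 9.18 branch for CVE-2024-1975, retained from 9.20); other branches are flagged for a look at the release notes rather than guessed. `count_sig0_rejections` counts the level-3 debug message quoted in the reply in a log fed on stdin, so a "REFUSED" like Sebastian's can be tied to the removal rather than to the update-policy. The function names, the "check-notes" label and the sample log lines are my own constructions; the log line format is illustrative, not copied from a real named log.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISC.
# Version boundaries come from the reply above: SIG(0) validation was removed
# in 9.18.28 (CVE-2024-1975) and the rest of the 9.18 branch, and is kept
# only from 9.20 onward. Other branches are not classified here.

# sig0_status "<named -v output or bare x.y.z version>"
# Prints one of: retained | removed | pre-fix | check-notes | unknown
sig0_status() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$v" ]; then
        echo unknown            # no x.y.z version found in the string
        return 0
    fi
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 20 ]; }; then
        echo retained           # 9.20+: SIG(0) kept, with the DoS mitigation
    elif [ "$major" -eq 9 ] && [ "$minor" -eq 18 ]; then
        if [ "$patch" -ge 28 ]; then
            echo removed        # 9.18.28+: SIG(0) ignored; see level-3 debug message
        else
            echo pre-fix        # 9.18.0-9.18.27: SIG(0) accepted, unpatched for CVE-2024-1975
        fi
    else
        echo check-notes        # other branches: not covered by the thread, read the notes
    fi
}

# The level-3 debug message quoted in the reply (without the trailing CVE tag).
SIG0_REMOVED_MSG='request has a SIG(0) signature but its support was removed'

# count_sig0_rejections < named.log  -> prints the number of matching lines
count_sig0_rejections() {
    grep -c -F "$SIG0_REMOVED_MSG" || true   # grep -c exits 1 on zero matches
}

# Constructed sample log lines (illustrative format, not a real named log).
SAMPLE_LOG='05-Aug-2024 06:54:41.000 general: debug 3: request has a SIG(0) signature but its support was removed (CVE-2024-1975)
05-Aug-2024 06:54:41.001 update: info: client 127.0.0.1#40000: update for dyn.example.com/IN denied'

# Stand-alone demonstration.
printf 'SIG(0) rejections in constructed sample log: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_sig0_rejections)"
if command -v named >/dev/null 2>&1; then
    printf 'local named: %s -> SIG(0) %s\n' "$(named -v)" "$(sig0_status "$(named -v)")"
fi
```

To use it against a real server, run `named -v` on the host and, with logging at debug level 3 as the reply says, pipe the named log into `count_sig0_rejections`; a non-zero count with status "removed" means the refusal is the CVE-2024-1975 removal, not a broken update-policy.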