<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Thanks for answering on a Sunday,</p>
<p>Umm...</p>
<p><img src="cid:part1.43B5E4DA.1B5CD488@posix.co.za" alt=""
width="451" height="171"></p>
<p>I'm using BIND 9.16.6 and although 9.16.7 is out - 9.16.6 doesn't
seem to be very old.<br>
</p>
<p>In the update logs, I see....</p>
<h2><a class="toc-backref"
href="https://downloads.isc.org/isc/bind9/9.16.7/doc/arm/html/notes.html#id25">Notes
for BIND 9.16.7</a></h2>
<div class="section" id="new-features">
<h3><a class="toc-backref"
href="https://downloads.isc.org/isc/bind9/9.16.7/doc/arm/html/notes.html#id26">New
Features</a></h3>
<ul class="simple">
<li>
<p>Log when <code class="docutils literal notranslate"><span
class="pre">named</span></code> adds a CDS/CDNSKEY to
the zone. [GL #1748]</p>
</li>
</ul>
</div>
<p>------------------------------------------------------------------------------------------------------------<br>
</p>
<p>I'm running Gentoo - and the newest version of BIND in the
repository is bind-9.16.6-r3<br>
Should I not be running what is one version away from the
Current-Stable version?<br>
</p>
<p>The ONLY DNSSEC type record I have in this zone is the "CDS 0 0 0
0" record.</p>
<p>I totally agree with ...</p>
<p>> There must only be the delete cds/cdnskey records and not
any other cds/cdnskey records.<br>
> Publish and delete instructions at the same time is not
consistent.</p>
<p>I'm also not surprised that NET_DNS2 is wrong. Have emailed the
author.</p>
<p>Still - what does one correctly enter into a text based zone?</p>
<p>The text zone currently looks like...<br>
</p>
<pre>$TTL 3600
@ IN SOA control.vweb.co.za. dns-admin.posix.co.za. (
2020100404 ; Serial number
3600 ; Refresh, 86400=1 day, 3600=1 hr
1800 ; Retry after 30 mins
604800 ; Expire after 7 days
1800 ) ; Negative TTL, 21600=6 hrs, 1800=30 mins

@ IN A 192.96.24.5
@ IN AAAA 2001:42a0::5
@ IN NS control.vweb.co.za.
@ IN NS secdns1.posix.co.za.
@ IN CDS 0 0 0 00

www IN A 192.96.24.5
www IN AAAA 2001:42a0::5
</pre>
<div class="moz-cite-prefix">On 2020/10/04 15:02, Mark Andrews
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:EDBDFED8-AA13-4EE1-BB89-BBA42D51F3CD@isc.org">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
Use up to date software. <br>
<br>
<div dir="ltr">--
<div>Mark Andrews</div>
</div>
<div dir="ltr"><br>
<blockquote type="cite">On 4 Oct 2020, at 23:48, Mark Elkins
<a class="moz-txt-link-rfc2396E" href="mailto:mje@posix.co.za"><mje@posix.co.za></a> wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
What is the magic incantation to inserting a "CDS 0 0 0 0"
record in BIND.<br>
Version - BIND 9.16.6 (Stable Release)<br>
I've read RFC8078 - which says... (<a
class="moz-txt-link-freetext"
href="https://tools.ietf.org/html/rfc8078"
moz-do-not-send="true">https://tools.ietf.org/html/rfc8078</a>)<br>
<pre class="newpage">The contents of the CDS or CDNSKEY RRset MUST contain one RR and only
contain the exact fields as shown below.
CDS 0 0 0 0
CDNSKEY 0 3 0 0
In Knot docs... <a class="moz-txt-link-freetext" href="https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf" moz-do-not-send="true">https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf</a>
it says...
DS deletion via "CDNSKEY 0 3 0 AA==" or "CDS 0 0 0 00" must be done manually
In <a class="moz-txt-link-freetext" href="https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf" moz-do-not-send="true">https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf</a> it says...
</pre>
<p>A child zone can also signal to turn off DNSSEC by removing the DS
record set in the parent zone. In this case, the operator may publish a
special CDS record which must exactly match:<br>
CDS 0 0 0 00</p>
<p>I have a zone called "nodnssec.edu.za".<br>
</p>
<p>In a text zone - if I add:-</p>
<p>CDS 0 0 0 0</p>
<p>I get:- (from running: /usr/sbin/named-checkconf -z
/etc/bind/named.conf | grep nodnssec)<br>
</p>
<p>_default/nodnssec.edu.za/IN: bad hex encoding<br>
dns_rdata_fromtext: db.nodnssec.edu.za:17: near eol: bad hex
encoding<br>
zone nodnssec.edu.za/IN: loading from master file
db.nodnssec.edu.za failed: bad hex encoding<br>
zone nodnssec.edu.za/IN: not loaded due to errors.<br>
</p>
<p>CDS 0 0 0 00 gives me.... <br>
</p>
<p>_default/nodnssec.edu.za/IN: bad CDS<br>
zone nodnssec.edu.za/IN: CDS/CDNSKEY consistency checks
failed<br>
zone nodnssec.edu.za/IN: not loaded due to errors.</p>
<p>I've also tried a null string - CDS 0 0 0 "" - no
joy.<br>
</p>
<p>So what should I add?<br>
</p>
<p>I've seen a record hosted by Cloudflare.... for
revolution.edu.za, DIG shows that as "CDS 0 0 0 00" and
the NET_DNS2 software shows it as... "CDS 0 0 0 " (no
digest at all).</p>
<div class="moz-signature">-- <br>
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
<title></title>
<p>Mark James ELKINS - Posix Systems - (South) Africa<br>
<a class="moz-txt-link-abbreviated"
href="mailto:mje@posix.co.za" moz-do-not-send="true">mje@posix.co.za</a>
Tel: <a href="tel:+27826010496" moz-do-not-send="true">+27.826010496</a><br>
For fast, reliable, low cost Internet in ZA: <a
href="https://ftth.posix.co.za" moz-do-not-send="true">https://ftth.posix.co.za</a><br>
<br>
<br>
</p>
</div>
<span>_______________________________________________</span><br>
<span>Please visit
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to
unsubscribe from this list</span><br>
<span>ISC funds the development of this software with paid
support subscriptions. Contact us at
<a class="moz-txt-link-freetext" href="https://www.isc.org/contact/">https://www.isc.org/contact/</a> for more information.</span><br>
<span>bind-users mailing list</span><br>
<span><a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a></span><br>
<span><a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a></span><br>
</div>
</blockquote>
</blockquote>
<div class="moz-signature">-- <br>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title></title>
<p>Mark James ELKINS - Posix Systems - (South) Africa<br>
<a class="moz-txt-link-abbreviated" href="mailto:mje@posix.co.za">mje@posix.co.za</a> Tel: <a href="tel:+27826010496">+27.826010496</a><br>
For fast, reliable, low cost Internet in ZA: <a
href="https://ftth.posix.co.za">https://ftth.posix.co.za</a><br>
<br>
<img moz-do-not-send="false"
src="cid:part12.9F2179B7.16C9CAE9@posix.co.za" alt="Posix
Systems" width="250" height="165"><img moz-do-not-send="false"
src="cid:part13.F16F8183.D1AD539F@posix.co.za" alt="VCARD for
MJ Elkins" title="VCARD, Scan me please!" width="164"
height="164"><br>
</p>
</div>
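<p>The thread turns on two rules that are easy to get wrong in a hand-edited zone: how the RFC 8078 section 4 DELETE record has to be spelled in presentation format, and why named refuses a zone that mixes a DELETE with ordinary CDS/CDNSKEY records. The DS digest field is hex, so a single zero octet is written <code>00</code>; a lone <code>0</code> is an odd-length hex string, which is exactly the "bad hex encoding" reported above. The DNSKEY public key field is base64, so the same single zero octet is <code>AA==</code>. The script below is an added example written for this page, not code from BIND, NET_DNS2 or the posters; it parses master-file CDS/CDNSKEY lines, decodes the digest or key the way the presentation format requires, recognises the DELETE form, and applies the "a DELETE must be the only record of its type and must not be mixed with publish records" consistency check. The sample lines are constructed (three of them echo the forms the original poster tried).</p>

```python
"""Check CDS/CDNSKEY records in zone-file presentation format against the
RFC 8078 section 4 DELETE rules.  Added example, not code from BIND,
NET_DNS2 or the thread; sample lines used below are constructed."""
import base64
import binascii
from dataclasses import dataclass
from typing import List


class ZoneRecordError(ValueError):
    """A record that cannot be parsed, or an RRset that is inconsistent."""


@dataclass
class ChildRecord:
    rrtype: str     # "CDS" or "CDNSKEY"
    field1: int     # CDS: key tag      / CDNSKEY: flags
    field2: int     # CDS: algorithm    / CDNSKEY: protocol
    field3: int     # CDS: digest type  / CDNSKEY: algorithm
    payload: bytes  # CDS: digest       / CDNSKEY: public key

    def is_delete(self) -> bool:
        """RFC 8078 s.4 DELETE: 'CDS 0 0 0 00' or 'CDNSKEY 0 3 0 AA==', i.e.
        fixed numeric fields and a payload of exactly one zero octet."""
        fixed = (0, 0, 0) if self.rrtype == "CDS" else (0, 3, 0)
        return (self.field1, self.field2, self.field3) == fixed and self.payload == b"\x00"


def parse_record(line: str) -> ChildRecord:
    """Parse one master-file line holding a CDS or CDNSKEY record.  Owner,
    TTL and class are optional; a trailing ';' comment is ignored."""
    tokens = line.split(";", 1)[0].split()
    types = [i for i, t in enumerate(tokens) if t.upper() in ("CDS", "CDNSKEY")]
    if not types:
        raise ZoneRecordError("no CDS/CDNSKEY type field found")
    rrtype = tokens[types[0]].upper()
    fields = tokens[types[0] + 1:]
    if len(fields) < 3:
        raise ZoneRecordError(f"{rrtype}: too few fields")
    try:
        f1, f2, f3 = (int(f) for f in fields[:3])
    except ValueError as exc:
        raise ZoneRecordError(f"{rrtype}: numeric field is not an integer") from exc
    # Master files may split the digest/key into whitespace-separated chunks;
    # join them.  A quoted empty string ('""') becomes empty text.
    text = "".join(fields[3:]).strip('"')
    if not text:
        raise ZoneRecordError(f"{rrtype}: empty digest/key")
    if rrtype == "CDS":
        try:
            # Hex digest: one zero octet is "00".  A lone "0" has odd length,
            # which is what named's "bad hex encoding" refers to.
            payload = bytes.fromhex(text)
        except ValueError as exc:
            raise ZoneRecordError("CDS: bad hex encoding") from exc
    else:
        try:
            payload = base64.b64decode(text, validate=True)  # one zero octet = "AA=="
        except binascii.Error as exc:
            raise ZoneRecordError("CDNSKEY: bad base64 encoding") from exc
    return ChildRecord(rrtype, f1, f2, f3, payload)


def check_rrsets(records: List[ChildRecord]) -> str:
    """RFC 8078 s.4 consistency: a DELETE must be the only record of its type
    and must not be mixed with publish records.  Returns 'none', 'publish'
    or 'delete'; raises ZoneRecordError when the sets are inconsistent."""
    if not records:
        return "none"
    deletes = [r for r in records if r.is_delete()]
    if not deletes:
        return "publish"
    if len(deletes) != len(records):
        raise ZoneRecordError("CDS/CDNSKEY consistency checks failed: "
                              "publish and delete records mixed")
    for rrtype in ("CDS", "CDNSKEY"):
        if sum(1 for r in deletes if r.rrtype == rrtype) > 1:
            raise ZoneRecordError(f"CDS/CDNSKEY consistency checks failed: "
                                  f"more than one {rrtype} DELETE record")
    return "delete"


def describe_line(line: str) -> str:
    """'delete', 'publish' or 'error: <reason>' for a single record line."""
    try:
        rec = parse_record(line)
    except ZoneRecordError as exc:
        return f"error: {exc}"
    return "delete" if rec.is_delete() else "publish"


def check_lines(lines: List[str]) -> str:
    """Parse every line, then run the RRset consistency check."""
    try:
        return check_rrsets([parse_record(l) for l in lines])
    except ZoneRecordError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    # Constructed samples; the first three echo forms tried in the thread.
    for sample in ("@ IN CDS 0 0 0 00", "CDS 0 0 0 0", 'CDS 0 0 0 ""',
                   "@ IN CDNSKEY 0 3 0 AA=="):
        print(f"{sample!r:28} -> {describe_line(sample)}")
    print(check_lines(["@ IN CDS 0 0 0 00", "@ IN CDS 12345 13 2 " + "ab" * 32]))
```

<p>Running it stand-alone prints <code>delete</code> for the <code>00</code> and <code>AA==</code> forms, the two parse errors for <code>0</code> and <code>""</code>, and a consistency error for the mixed RRset. The check is deliberately stricter than the parser: a record that decodes cleanly can still be rejected once it is seen next to its neighbours, which is the distinction between the two failures quoted in the original message.</p>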
</body>
</html>