<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Ugh... typos</p>
    <p>Please read that as....</p>
    <p>So the correct format to add a "Please delete all DS records for
      my domain" is "CDS 0 0 0 00".</p>
    <div class="moz-cite-prefix">On 2020/10/04 19:12, Mark Elkins wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:bc62f53d-e2d5-26fd-2798-5238f1ec7759@posix.co.za">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <p>Did some more Googling....</p>
      <p>So the correct format to add a "Please delete all CD records
        for my domain" is "CDC 0 0 0 00".</p>
      <p>However, in order to get BIND to accept this, you also have to
        have a working DNSKEY (KSK) key in the Zone... that's really
        intuitive!<br>
        To reduce code changes in my system - I also have a ZSK.<br>
        Of course there must be no other CDS keys in the zone - in spite
        of one normally doing that when one creates a KSK...<br>
      </p>
      <p>(Thinking about pushing the Start button to stop the machine -
        then again, I run Linux)<br>
      </p>
      <div class="moz-cite-prefix">On 2020/10/04 15:45, Mark Elkins
        wrote:<br>
      </div>
      <blockquote type="cite"
        cite="mid:34b657d8-8a72-2901-ddca-68091600df52@posix.co.za">
        <meta http-equiv="Content-Type" content="text/html;
          charset=UTF-8">
        <p>Thanks for answering on a Sunday,</p>
        <p>Umm...</p>
        <p>I'm using BIND 9.16.6 and although 9.16.7 is out - 9.16.6
          doesn't seem to be very old.<br>
        </p>
        <p>In the update logs, I see....</p>
        <h2><a class="toc-backref"
href="https://downloads.isc.org/isc/bind9/9.16.7/doc/arm/html/notes.html#id25"
            moz-do-not-send="true">Notes for BIND 9.16.7</a></h2>
        <div class="section" id="new-features">
          <h3><a class="toc-backref"
href="https://downloads.isc.org/isc/bind9/9.16.7/doc/arm/html/notes.html#id26"
              moz-do-not-send="true">New Features</a></h3>
          <ul class="simple">
            <li>
              <p>Log when <code class="docutils literal notranslate"><span
                    class="pre">named</span></code> adds a CDS/CDNSKEY
                to the zone. [GL #1748]</p>
            </li>
          </ul>
        </div>
        <p>------------------------------------------------------------------------------------------------------------<br>
        </p>
        <p>I'm running Gentoo - and the newest version of BIND in the
          repository is bind-9.16.6-r3<br>
          Should I not be running what is one version away from the
          Current-Stable version?<br>
        </p>
        <p>The ONLY DNSSEC type record I have in this zone is the "CDS 0
          0 0 0" record.</p>
        I totally agree with ...<br>
        <p>> There must only be the delete cds/cdnskey records and
          not any other cds/cdnskey records.<br>
          > Publish and delete instructions at the same time is not
          consistent.</p>
        <p>I'm also not surprised that NET_DNS2 is wrong. Have emailed
          the author.</p>
        <p>Still - what does one correctly enter into a text based zone?</p>
        <p>The text zone currently looks like...<br>
        </p>
        <pre>$TTL 3600
@        IN    SOA    control.vweb.co.za. dns-admin.posix.co.za. (
            2020100404    ; Serial number
            3600          ; Refresh, 86400=1 day, 3600=1 hr
            1800          ; Retry after 30 mins
            604800        ; Expire after 7 days
            1800 )        ; Negative TTL, 21600=6 hrs, 1800=30 mins

@        IN    A       192.96.24.5
@        IN    AAAA    2001:42a0::5
@        IN    NS      control.vweb.co.za.
@        IN    NS      secdns1.posix.co.za.
@        IN    CDS     0 0 0 00

www      IN    A       192.96.24.5
www      IN    AAAA    2001:42a0::5
</pre>
        <div class="moz-cite-prefix"><br>
        </div>
        <div class="moz-cite-prefix">On 2020/10/04 15:02, Mark Andrews
          wrote:<br>
        </div>
        <blockquote type="cite"
          cite="mid:EDBDFED8-AA13-4EE1-BB89-BBA42D51F3CD@isc.org">
          <meta http-equiv="content-type" content="text/html;
            charset=UTF-8">
          Use up to date software. <br>
          <br>
          <div dir="ltr">-- 
            <div>Mark Andrews</div>
          </div>
          <div dir="ltr"><br>
            <blockquote type="cite">On 4 Oct 2020, at 23:48, Mark Elkins
              <a class="moz-txt-link-rfc2396E"
                href="mailto:mje@posix.co.za" moz-do-not-send="true"><mje@posix.co.za></a>
              wrote:<br>
              <br>
            </blockquote>
          </div>
          <blockquote type="cite">
            <div dir="ltr">
              <meta http-equiv="content-type" content="text/html;
                charset=UTF-8">
              What is the magic incantation for inserting a "CDS 0 0 0 0"
              record in BIND?<br>
              Version - BIND 9.16.6 (Stable Release)<br>
              I've read RFC8070 - which says...  (<a
                class="moz-txt-link-freetext"
                href="https://tools.ietf.org/html/rfc8078"
                moz-do-not-send="true">https://tools.ietf.org/html/rfc8078</a>)<br>
              <pre class="newpage">The contents of the CDS or CDNSKEY RRset MUST contain one RR and only
   contain the exact fields as shown below.

      CDS 0 0 0 0

      CDNSKEY 0 3 0 0

In Knot docs... <a class="moz-txt-link-freetext" href="https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf" moz-do-not-send="true">https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf</a>
it says...

DS deletion via "CDNSKEY 0 3 0 AA==" or "CDS 0 0 0 00" must be done manually

In <a class="moz-txt-link-freetext" href="https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf" moz-do-not-send="true">https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf</a> it says...

</pre>
              <font size="-2">A child zone can also signal to turn off
                DNSSEC by removing the DS record set in the parent zone.</font><br>
              <font size="-2">In this case, the operator may publish a
                special CDS record which must exactly match:</font><br>
              <font size="-2">CDS 0 0 0 00</font><br>
              <p><br>
              </p>
              <p>I have a zone called "nodnssec.edu.za".<br>
              </p>
              <p>In a text zone - if I add:-</p>
              <p>CDS     0 0 0 0</p>
              <p>I get:-   (from running: /usr/sbin/named-checkconf -z
                /etc/bind/named.conf | grep nodnssec)<br>
              </p>
              <p>_default/nodnssec.edu.za/IN: bad hex encoding<br>
                dns_rdata_fromtext: db.nodnssec.edu.za:17: near eol: bad
                hex encoding<br>
                zone nodnssec.edu.za/IN: loading from master file
                db.nodnssec.edu.za failed: bad hex encoding<br>
                zone nodnssec.edu.za/IN: not loaded due to errors.<br>
              </p>
              <p>CDS     0 0 0 00   gives me.... <br>
              </p>
              <p>_default/nodnssec.edu.za/IN: bad CDS<br>
                zone nodnssec.edu.za/IN: CDS/CDNSKEY consistency checks
                failed<br>
                zone nodnssec.edu.za/IN: not loaded due to errors.</p>
              <p>I've also tried a null string - CDS     0 0 0 ""    -
                no joy.<br>
              </p>
              <p>So what should I add?<br>
              </p>
              <p>I've seen a record hosted by Cloudflare.... for
                revolution.edu.za, DIG shows that as "CDS     0 0 0 00"
                and the NET_DNS2 software shows it as...  "CDS     0 0 0
                " (no digest at all).</p>
              <p><br>
              </p>
              <p><br>
              </p>
              <p><br>
              </p>
              <div class="moz-signature">-- <br>
                <meta http-equiv="content-type" content="text/html;
                  charset=UTF-8">
                <title></title>
                <p>Mark James ELKINS  -  Posix Systems - (South) Africa<br>
                  <a class="moz-txt-link-abbreviated"
                    href="mailto:mje@posix.co.za" moz-do-not-send="true">mje@posix.co.za</a>      
                  Tel: <a href="tel:+27826010496"
                    moz-do-not-send="true">+27.826010496</a><br>
                  For fast, reliable, low cost Internet in ZA: <a
                    href="https://ftth.posix.co.za"
                    moz-do-not-send="true">https://ftth.posix.co.za</a><br>
                  <br>
                  <br>
                </p>
              </div>
              <span>_______________________________________________</span><br>
              <span>Please visit <a class="moz-txt-link-freetext"
                  href="https://lists.isc.org/mailman/listinfo/bind-users"
                  moz-do-not-send="true">https://lists.isc.org/mailman/listinfo/bind-users</a>
                to unsubscribe from this list</span><br>
              <span></span><br>
              <span>ISC funds the development of this software with paid
                support subscriptions. Contact us at <a
                  class="moz-txt-link-freetext"
                  href="https://www.isc.org/contact/"
                  moz-do-not-send="true">https://www.isc.org/contact/</a>
                for more information.</span><br>
              <span></span><br>
              <span></span><br>
              <span>bind-users mailing list</span><br>
              <span><a class="moz-txt-link-abbreviated"
                  href="mailto:bind-users@lists.isc.org"
                  moz-do-not-send="true">bind-users@lists.isc.org</a></span><br>
              <span><a class="moz-txt-link-freetext"
                  href="https://lists.isc.org/mailman/listinfo/bind-users"
                  moz-do-not-send="true">https://lists.isc.org/mailman/listinfo/bind-users</a></span><br>
            </div>
          </blockquote>
        </blockquote>
      </blockquote>
    </blockquote>
    <div class="moz-signature">-- <br>
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <title></title>
      <p>Mark James ELKINS  -  Posix Systems - (South) Africa<br>
        <a class="moz-txt-link-abbreviated" href="mailto:mje@posix.co.za">mje@posix.co.za</a>       Tel: <a href="tel:+27826010496">+27.826010496</a><br>
        For fast, reliable, low cost Internet in ZA: <a
          href="https://ftth.posix.co.za">https://ftth.posix.co.za</a><br>
      </p>
    </div>
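    <p>An added example, not part of the thread and not BIND's own check: a small linter for the two points the messages above turn on. The last CDS field must decode as whole hex octets (so "0" is rejected while "00" parses), and a delete record must not sit alongside other CDS/CDNSKEY records. The function names and sample zone lines are constructed for illustration, and the parser assumes one record per line.</p>

```python
import base64

# Constructed sample zone lines, not the poster's real zone file.
SAMPLE_OK = "@ IN CDS 0 0 0 00\n@ IN CDNSKEY 0 3 0 AA==\n"
SAMPLE_ODD_HEX = "@ IN CDS 0 0 0 0\n"
SAMPLE_MIXED = "@ IN CDS 0 0 0 00\n@ IN CDS 12345 8 2 " + "AB" * 32 + "\n"

# Delete sentinels quoted in the thread, as (numeric fields, decoded last field).
DELETE = {"CDS": ((0, 0, 0), b"\x00"), "CDNSKEY": ((0, 3, 0), b"\x00")}


def parse_child_sync(zone_text):
    """Return (records, findings) for the CDS/CDNSKEY lines of a text zone.

    Assumes one record per line, no parenthesised continuation, and no owner
    name that is literally "CDS" or "CDNSKEY".
    """
    records, findings = [], []
    for lineno, line in enumerate(zone_text.splitlines(), 1):
        tokens = line.split(";", 1)[0].split()
        upper = [t.upper() for t in tokens]
        rtype = next((t for t in upper if t in DELETE), None)
        if rtype is None:
            continue
        rdata = tokens[upper.index(rtype) + 1:]
        try:
            nums = tuple(int(x) for x in rdata[:3])
            blob = "".join(rdata[3:])
            if len(nums) != 3 or not blob:
                raise ValueError("missing field")
            # CDS carries a hex digest, CDNSKEY a base64 key.
            raw = bytes.fromhex(blob) if rtype == "CDS" else base64.b64decode(blob, validate=True)
        except ValueError:
            findings.append(f"line {lineno}: bad {rtype} rdata encoding")
            continue
        records.append((rtype, nums, raw))
    return records, findings


def check_zone(zone_text):
    """Flag undecodable rdata and delete records mixed with publish records."""
    records, findings = parse_child_sync(zone_text)
    deletes = [r for r in records if DELETE[r[0]] == (r[1], r[2])]
    if deletes and len(deletes) != len(records):
        findings.append("delete record mixed with other CDS/CDNSKEY records")
    return findings
```

    <p>Running <code>check_zone</code> over a zone file before reloading it catches both mistakes early; it does not model the BIND 9.16.6 behaviour reported above, where "CDS 0 0 0 00" was still refused.</p>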
  </body>
</html>