<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
What is the magic incantation for inserting a "CDS 0 0 0 0" record in
BIND?<br>
Version - BIND 9.16.6 (Stable Release)<br>
I've read RFC8070 - which says...
(<a class="moz-txt-link-freetext" href="https://tools.ietf.org/html/rfc8078">https://tools.ietf.org/html/rfc8078</a>)<br>
<pre class="newpage">The contents of the CDS or CDNSKEY RRset MUST contain one RR and only
contain the exact fields as shown below.
CDS 0 0 0 0
CDNSKEY 0 3 0 0
In Knot docs... <a class="moz-txt-link-freetext" href="https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf">https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf</a>
it says...
DS deletion via "CDNSKEY 0 3 0 AA==" or "CDS 0 0 0 00" must be done manually
In <a class="moz-txt-link-freetext" href="https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf">https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf</a> it says...
</pre>
A child zone can also signal to turn off DNSSEC by removing the DS record set in the
parent zone.<br>
In this case, the operator may publish a special CDS record which must exactly match:<br>
CDS 0 0 0 00<br>
<p><br>
</p>
<p>I have a zone called "nodnssec.edu.za".<br>
</p>
<p>In a text zone - if I add:-</p>
<p>CDS 0 0 0 0</p>
<p>I get:- (from running: /usr/sbin/named-checkconf -z
/etc/bind/named.conf | grep nodnssec)<br>
</p>
<p>_default/nodnssec.edu.za/IN: bad hex encoding<br>
dns_rdata_fromtext: db.nodnssec.edu.za:17: near eol: bad hex
encoding<br>
zone nodnssec.edu.za/IN: loading from master file
db.nodnssec.edu.za failed: bad hex encoding<br>
zone nodnssec.edu.za/IN: not loaded due to errors.<br>
</p>
<p>CDS 0 0 0 00 gives me.... <br>
</p>
<p>_default/nodnssec.edu.za/IN: bad CDS<br>
zone nodnssec.edu.za/IN: CDS/CDNSKEY consistency checks failed<br>
zone nodnssec.edu.za/IN: not loaded due to errors.</p>
<p>I've also tried a null string - CDS 0 0 0 "" - no joy.<br>
</p>
<p>So what should I add?<br>
</p>
<p>I've seen a record hosted by Cloudflare.... for
revolution.edu.za, DIG shows that as "CDS 0 0 0 00" and the
NET_DNS2 software shows it as... "CDS 0 0 0 " (no digest at
all).</p>
<div class="moz-signature">-- <br>
<p>Mark James ELKINS - Posix Systems - (South) Africa<br>
<a class="moz-txt-link-abbreviated" href="mailto:mje@posix.co.za">mje@posix.co.za</a> Tel: <a href="tel:+27826010496">+27.826010496</a><br>
For fast, reliable, low cost Internet in ZA: <a
href="https://ftth.posix.co.za">https://ftth.posix.co.za</a><br>
<br>
<br>
</p>
</div>
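<p>Added example, not part of the original message and not BIND's code: a strict parser that turns the CDS and CDNSKEY presentation-format rdata quoted above into wire format and reports whether it is the RFC 8078 delete sentinel. The function names are hypothetical, and the parser assumes a hex digest must be written as whole bytes (an even number of hex digits), which is consistent with the "bad hex encoding" error shown for a lone 0.</p>

```python
import base64
import binascii
import struct

# RFC 8078 delete sentinels as wire-format rdata.
CDS_DELETE = bytes(5)  # key tag 0, algorithm 0, digest type 0, digest 0x00
CDNSKEY_DELETE = bytes([0, 0, 3, 0, 0])  # flags 0, protocol 3, alg 0, key 0x00


def cds_to_wire(text):
    """Convert 'keytag algorithm digesttype hexdigest' to CDS wire rdata."""
    fields = text.split()
    if len(fields) not in range(4, 64):
        raise ValueError("missing digest field")
    keytag, alg, dtype = (int(f) for f in fields[:3])
    hexdigest = "".join(fields[3:])  # zone files may split hex across fields
    if len(hexdigest) % 2:
        raise ValueError("bad hex encoding: odd number of hex digits")
    return struct.pack("!HBB", keytag, alg, dtype) + bytes.fromhex(hexdigest)


def cdnskey_to_wire(text):
    """Convert 'flags protocol algorithm base64key' to CDNSKEY wire rdata."""
    fields = text.split()
    if len(fields) not in range(4, 64):
        raise ValueError("missing public key field")
    flags, proto, alg = (int(f) for f in fields[:3])
    try:
        key = base64.b64decode("".join(fields[3:]), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64 encoding: {exc}") from None
    return struct.pack("!HBB", flags, proto, alg) + key


def classify(rrtype, rdata_text):
    """Return 'delete', 'normal', or 'invalid: reason' for one record."""
    parse, sentinel = {"CDS": (cds_to_wire, CDS_DELETE),
                       "CDNSKEY": (cdnskey_to_wire, CDNSKEY_DELETE)}[rrtype]
    try:
        wire = parse(rdata_text)
    except (ValueError, struct.error) as exc:
        return f"invalid: {exc}"
    return "delete" if wire == sentinel else "normal"


if __name__ == "__main__":
    # Spellings tried or quoted in the message above.
    for rrtype, rdata in [("CDS", "0 0 0 0"), ("CDS", "0 0 0 00"),
                          ("CDS", '0 0 0 ""'), ("CDNSKEY", "0 3 0 AA==")]:
        print(rrtype, rdata, "->", classify(rrtype, rdata))
```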
</body>
</html>