<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Did some more Googling....</p>
    <p>So the correct format to add a "Please delete all CD records for
      my domain" is "CDC 0 0 0 00".</p>
    <p>However, in order to get BIND to accept this, you also have to
      have a working DNSKEY (KSK) key in the Zone... that's really
      intuitive!<br>
      To reduce code changes in my system - I also have a ZSK.<br>
      Of course there must be no other CDS keys in the zone - in spite
      of one normally doing that when one creates a KSK...<br>
    </p>
    <p>(Thinking about pushing the Start button to stop the machine -
      then again, I run Linux)<br>
    </p>
    <div class="moz-cite-prefix">On 2020/10/04 15:45, Mark Elkins wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:34b657d8-8a72-2901-ddca-68091600df52@posix.co.za">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <p>Thanks for answering on a Sunday,</p>
      <p>Umm...</p>
      <p>I'm using BIND 9.16.6 and although 9.16.7 is out - 9.16.6
        doesn't seem to be very old.<br>
      </p>
      <p>In the update logs, I see....</p>
      <h2><a class="toc-backref"
href="https://downloads.isc.org/isc/bind9/9.16.7/doc/arm/html/notes.html#id25"
          moz-do-not-send="true">Notes for BIND 9.16.7</a></h2>
      <div class="section" id="new-features">
        <h3><a class="toc-backref"
href="https://downloads.isc.org/isc/bind9/9.16.7/doc/arm/html/notes.html#id26"
            moz-do-not-send="true">New Features</a></h3>
        <ul class="simple">
          <li>
            <p>Log when <code class="docutils literal notranslate"><span
                  class="pre">named</span></code> adds a CDS/CDNSKEY to
              the zone. [GL #1748]</p>
          </li>
        </ul>
      </div>
      <p>------------------------------------------------------------------------------------------------------------<br>
      </p>
      <p>I'm running Gentoo - and the newest version of BIND in the
        repository is bind-9.16.6-r3<br>
        Should I not be running what is one version away from the
        Current-Stable version?<br>
      </p>
      <p>The ONLY DNSSEC type record I have in this zone is the "CDS 0 0
        0 0" record.</p>
      I totally agree with ...<br>
      <p>> There must only be the delete cds/cdnskey records and not
        any other cds/cdnskey records.<br>
        > Publish and delete instructions at the same time is not
        consistent.</p>
      <p>I'm also not surprised that NET_DNS2 is wrong. Have emailed the
        author.</p>
      <p>Still - what does one correctly enter into a text based zone?</p>
      <p>The text zone currently looks like...<br>
      </p>
      <p>$TTL 3600<br>
        @        IN    SOA    control.vweb.co.za. dns-admin.posix.co.za.
        (<br>
                    2020100404    ; Serial number<br>
                    3600        ; Refresh, 86400=1 day, 3600=1 hr<br>
                    1800        ; Retry after 30 mins<br>
                    604800        ; Expire after 7 days<br>
                    1800 )        ; Negative TTL, 21600=6 hrs, 1800=30
        mins<br>
        <br>
        @        IN    A    192.96.24.5<br>
        @        IN    AAAA    2001:42a0::5<br>
        @        IN    NS    control.vweb.co.za.<br>
        @        IN    NS    secdns1.posix.co.za.<br>
        @        IN    CDS    0 0 0 00<br>
        <br>
        www        IN    A    192.96.24.5<br>
        www        IN    AAAA    2001:42a0::5<br>
        <br>
      </p>
      <div class="moz-cite-prefix">On 2020/10/04 15:02, Mark Andrews
        wrote:<br>
      </div>
      <blockquote type="cite"
        cite="mid:EDBDFED8-AA13-4EE1-BB89-BBA42D51F3CD@isc.org">
        <meta http-equiv="content-type" content="text/html;
          charset=UTF-8">
        Use up to date software. <br>
        <br>
        <div dir="ltr">-- 
          <div>Mark Andrews</div>
        </div>
        <div dir="ltr"><br>
          <blockquote type="cite">On 4 Oct 2020, at 23:48, Mark Elkins <a
              class="moz-txt-link-rfc2396E"
              href="mailto:mje@posix.co.za" moz-do-not-send="true">&lt;mje@posix.co.za&gt;</a>
            wrote:<br>
            <br>
          </blockquote>
        </div>
        <blockquote type="cite">
          <div dir="ltr">
            <meta http-equiv="content-type" content="text/html;
              charset=UTF-8">
            What is the magic incantation to inserting a "CDS 0 0 0 0"
            record in BIND.<br>
            Version - BIND 9.16.6 (Stable Release)<br>
            I've read RFC8070 - which says...  (<a
              class="moz-txt-link-freetext"
              href="https://tools.ietf.org/html/rfc8078"
              moz-do-not-send="true">https://tools.ietf.org/html/rfc8078</a>)<br>
            <pre class="newpage">The contents of the CDS or CDNSKEY RRset MUST contain one RR and only
   contain the exact fields as shown below.

      CDS 0 0 0 0

      CDNSKEY 0 3 0 0

In Knot docs... <a class="moz-txt-link-freetext" href="https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf" moz-do-not-send="true">https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf</a>
it says...

DS deletion via "CDNSKEY 0 3 0 AA==" or "CDS 0 0 0 00" must be done manually

In <a class="moz-txt-link-freetext" href="https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf" moz-do-not-send="true">https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf</a> it says...

</pre>
            <font size="-2">A child zone can also signal to turn off DNSSEC
              by removing the DS record set in the parent zone. In this
              case, the operator may publish a special CDS record which
              must exactly match: CDS 0 0 0 00</font><br>
            <p>I have a zone called "nodnssec.edu.za".<br>
            </p>
            <p>In a text zone - if I add:-</p>
            <p>CDS     0 0 0 0</p>
            <p>I get:-   (from running: /usr/sbin/named-checkconf -z
              /etc/bind/named.conf | grep nodnssec)<br>
            </p>
            <p>_default/nodnssec.edu.za/IN: bad hex encoding<br>
              dns_rdata_fromtext: db.nodnssec.edu.za:17: near eol: bad
              hex encoding<br>
              zone nodnssec.edu.za/IN: loading from master file
              db.nodnssec.edu.za failed: bad hex encoding<br>
              zone nodnssec.edu.za/IN: not loaded due to errors.<br>
            </p>
            <p>CDS     0 0 0 00   gives me.... <br>
            </p>
            <p>_default/nodnssec.edu.za/IN: bad CDS<br>
              zone nodnssec.edu.za/IN: CDS/CDNSKEY consistency checks
              failed<br>
              zone nodnssec.edu.za/IN: not loaded due to errors.</p>
            <p>I've also tried a null string - CDS     0 0 0 ""    - no
              joy.<br>
            </p>
            <p>So what should I add?<br>
            </p>
            <p>I've seen a record hosted by Cloudflare.... for
              revolution.edu.za, DIG shows that as "CDS     0 0 0 00"
              and the NET_DNS2 software shows it as...  "CDS     0 0 0 "
              (no digest at all).</p>
            <div class="moz-signature">-- <br>
              <meta http-equiv="content-type" content="text/html;
                charset=UTF-8">
              <title></title>
              <p>Mark James ELKINS  -  Posix Systems - (South) Africa<br>
                <a class="moz-txt-link-abbreviated"
                  href="mailto:mje@posix.co.za" moz-do-not-send="true">mje@posix.co.za</a>      
                Tel: <a href="tel:+27826010496" moz-do-not-send="true">+27.826010496</a><br>
                For fast, reliable, low cost Internet in ZA: <a
                  href="https://ftth.posix.co.za" moz-do-not-send="true">https://ftth.posix.co.za</a><br>
                <br>
                <br>
              </p>
            </div>
            <span>_______________________________________________</span><br>
            <span>Please visit <a class="moz-txt-link-freetext"
                href="https://lists.isc.org/mailman/listinfo/bind-users"
                moz-do-not-send="true">https://lists.isc.org/mailman/listinfo/bind-users</a>
              to unsubscribe from this list</span><br>
            <span></span><br>
            <span>ISC funds the development of this software with paid
              support subscriptions. Contact us at <a
                class="moz-txt-link-freetext"
                href="https://www.isc.org/contact/"
                moz-do-not-send="true">https://www.isc.org/contact/</a>
              for more information.</span><br>
            <span></span><br>
            <span></span><br>
            <span>bind-users mailing list</span><br>
            <span><a class="moz-txt-link-abbreviated"
                href="mailto:bind-users@lists.isc.org"
                moz-do-not-send="true">bind-users@lists.isc.org</a></span><br>
            <span><a class="moz-txt-link-freetext"
                href="https://lists.isc.org/mailman/listinfo/bind-users"
                moz-do-not-send="true">https://lists.isc.org/mailman/listinfo/bind-users</a></span><br>
          </div>
        </blockquote>
      </blockquote>
    </blockquote>
    <div class="moz-signature">-- <br>
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <title></title>
      <p>Mark James ELKINS  -  Posix Systems - (South) Africa<br>
        <a class="moz-txt-link-abbreviated" href="mailto:mje@posix.co.za">mje@posix.co.za</a>       Tel: <a href="tel:+27826010496">+27.826010496</a><br>
        For fast, reliable, low cost Internet in ZA: <a
          href="https://ftth.posix.co.za">https://ftth.posix.co.za</a><br>
        <br>
        <img moz-do-not-send="false"
          src="cid:part18.0D24B53A.E4B464B5@posix.co.za" alt="Posix
          Systems" width="250" height="165"><img moz-do-not-send="false"
          src="cid:part19.1DDD4A98.75034BA8@posix.co.za" alt="VCARD for
          MJ Elkins" title="VCARD, Scan me please!" width="164"
          height="164"><br>
      </p>
    </div>
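    <p>An added worked example, written for this page and not taken from
      the thread or from BIND's own code: a small Python checker that
      applies, to lines of a text zone file, the rules the thread arrives
      at. The CDS digest field is hex presentation format (so a lone
      "0" is an odd digit and "00" is one zero byte, which is why
      named-checkconf reported "bad hex encoding" above), the CDNSKEY key
      field is base64 (so "AA==" is one zero byte), the delete forms are
      CDS 0 0 0 00 and CDNSKEY 0 3 0 AA== per RFC 8078, a delete record
      must not be mixed with publish records (Mark Andrews' point), and,
      as an assumption taken from Mark Elkins' finding rather than from
      BIND documentation, a DNSKEY must exist in the zone before the delete
      record is accepted. The function names, the constructed KSK line and
      all sample records are the example's own; the placeholder key is
      not real key material.</p>

```python
"""Checks on CDS/CDNSKEY "delete" records in a text zone file.

Constructed example for this page; it is not BIND's code and does not
claim to reproduce named-checkconf exactly.
"""
import base64
import binascii

RECORD_TYPES = {"CDS", "CDNSKEY", "DNSKEY"}

# Constructed placeholder key material (valid base64, not a real key).
KSK_KEY = "AwEAAQ" + "A" * 50
KSK_LINE = f"@  IN  DNSKEY  257 3 8 {KSK_KEY}  ; constructed KSK, not a real key"


def parse_hex(text):
    """CDS digest field is hex: an odd digit count ("0") or non-hex
    characters ('""') cannot encode whole bytes."""
    try:
        return bytes.fromhex(text)
    except ValueError:
        raise ValueError("bad hex encoding") from None


def parse_base64(text):
    """DNSKEY/CDNSKEY public key field is base64 ("AA==" is one zero byte)."""
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        raise ValueError("bad base64 encoding") from None


def parse_record(line):
    """Return (rtype, (n1, n2, n3, data)) for a CDS/CDNSKEY/DNSKEY line,
    or None for any other line.  Owner, TTL and class are skipped and a
    trailing ';' comment is ignored."""
    tokens = line.split(";", 1)[0].split()
    for i, tok in enumerate(tokens):
        if tok.upper() in RECORD_TYPES:
            rtype, rdata = tok.upper(), tokens[i + 1:]
            break
    else:
        return None
    if 4 > len(rdata):
        raise ValueError(f"{rtype}: too few rdata fields")
    n1, n2, n3 = (int(x) for x in rdata[:3])
    blob = "".join(rdata[3:])  # long keys may be split across tokens
    data = parse_hex(blob) if rtype == "CDS" else parse_base64(blob)
    return rtype, (n1, n2, n3, data)


def is_delete(rtype, fields):
    """RFC 8078 delete form: all-zero fields plus one zero byte of data."""
    if rtype == "CDS":
        return fields == (0, 0, 0, b"\x00")
    if rtype == "CDNSKEY":
        return fields == (0, 3, 0, b"\x00")
    return False


def check_zone(zone_text):
    """Return a list of problems; an empty list means the zone passes."""
    records, problems = [], []
    for lineno, line in enumerate(zone_text.splitlines(), 1):
        try:
            rec = parse_record(line)
        except ValueError as err:
            problems.append(f"line {lineno}: {err}")
            continue
        if rec:
            records.append(rec)
    if problems:  # a syntax error stops the load, as in the thread's log
        return problems
    child = [r for r in records if r[0] != "DNSKEY"]
    deletes = [r for r in child if is_delete(*r)]
    if deletes and len(deletes) != len(child):
        problems.append("CDS/CDNSKEY consistency checks failed: "
                        "delete record mixed with publish records")
    if child and not any(r[0] == "DNSKEY" for r in records):
        # Assumption drawn from the poster's finding: a DNSKEY (KSK) must exist.
        problems.append("CDS/CDNSKEY consistency checks failed: "
                        "no DNSKEY in zone")
    return problems


def demo():
    """Run the forms tried in the thread plus a mixed publish/delete case."""
    cases = {
        "odd hex digit":   "@ IN CDS 0 0 0 0",
        "null string":     '@ IN CDS 0 0 0 ""',
        "no DNSKEY":       "@ IN CDS 0 0 0 00",
        "delete ok":       KSK_LINE + "\n@ IN CDS 0 0 0 00",
        "cdnskey ok":      KSK_LINE + "\n@ IN CDNSKEY 0 3 0 AA==",
        "cdnskey bad b64": KSK_LINE + "\n@ IN CDNSKEY 0 3 0 0",
        "mixed":           KSK_LINE + "\n@ IN CDS 0 0 0 00\n@ IN CDS 12345 8 2 " + "ab" * 32,
    }
    return {name: check_zone(zone) for name, zone in cases.items()}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name:16} {'OK' if not problems else problems}")
```

    <p>Running the script shows the progression in the thread: "CDS 0 0 0
      0" fails on hex parsing, "CDS 0 0 0 00" alone fails the consistency
      check for want of a DNSKEY, and the same record next to a KSK passes;
      the "CDNSKEY 0 3 0 0" form quoted from the RFC text fails base64
      parsing, while the "AA==" form from the Knot slides passes.</p>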
  </body>
</html>