<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>I wonder if there is some fundamental confusion regarding the
purpose of CDS/CDNSKEY if it comes across as unintuitive that you
need a fully operational signed zone, including relevant DNSKEY
records.<br>
</p>
<p>There might be room for improvement regarding what happened when
this requirement was not fulfilled (your description does not say
what exactly happened), but it's a scenario where the CDS/CDNSKEY
signalling cannot work:<br>
</p>
<p>CDS/CDNSKEY signals to the registry what the next entry point
DNSKEY (KSK/CSK) will be for an already signed zone.</p>
<p>In order for CDS/CDNSKEY to be trustable and serve any purpose,
the zone must currently be signed and validate properly, including
the signature for that CDS/CDNSKEY record.</p>
<p>"CDS 0 0 0 00" is no exception. The use-case for this "null" CDS
record is: my zone is currently signed and working, but I am for
whatever reason planning to stop signing the zone soon.</p>
<p>If something is broken in terms of signing, CDS is probably not
what you are looking for. (Either recover the breakage on your end
or manage the DS records out of band, like via a registrar control
panel or API.)</p>
<p>If the zone was not signed in the first place, CDS serves no
purpose.</p>
<p>Best regards,<br>
Håkan Lindqvist<br>
</p>
<div class="moz-cite-prefix">On 10/4/2020 7:19 PM, Mark Elkins
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:c489e39e-3b5f-3755-743c-d4accbebdd8d@posix.co.za">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p>Ugh... typos</p>
<p>Please read that as....</p>
<p>So the correct format to add a "Please delete all DS records
for my domain" is "CDS 0 0 0 00".</p>
<div class="moz-cite-prefix">On 2020/10/04 19:12, Mark Elkins
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:bc62f53d-e2d5-26fd-2798-5238f1ec7759@posix.co.za">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<p>Did some more Googling....</p>
<p>So the correct format to add a "Please delete all CD records
for my domain" is "CDC 0 0 0 00".</p>
<p>However, in order to get BIND to accept this, you also have
to have a working DNSKEY (KSK) key in the Zone... that's
really intuitive!<br>
To reduce code changes in my system - I also have a ZSK.<br>
Of course there must be no other CDS keys in the zone - in
spite of one normally doing that when one creates a KSK...<br>
</p>
<p>(Thinking about pushing the Start button to stop the machine
- then again, I run Linux)<br>
</p>
<div class="moz-cite-prefix">On 2020/10/04 15:45, Mark Elkins
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:34b657d8-8a72-2901-ddca-68091600df52@posix.co.za">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<p>Thanks for answering on a Sunday,</p>
<p>Umm...</p>
<p><img src="cid:part1.0F4AF069.6C99C2A5@qw.se" alt=""
class="" width="451" height="171"></p>
<p>I'm using BIND 9.16.6 and although 9.16.7 is out - 9.16.6
doesn't seem to be very old.<br>
</p>
<p>In the update logs, I see....</p>
<h2><a class="toc-backref"
href="https://downloads.isc.org/isc/bind9/9.16.7/doc/arm/html/notes.html#id25"
moz-do-not-send="true">Notes for BIND 9.16.7</a></h2>
<div class="section" id="new-features">
<h3><a class="toc-backref"
href="https://downloads.isc.org/isc/bind9/9.16.7/doc/arm/html/notes.html#id26"
moz-do-not-send="true">New Features</a></h3>
<ul class="simple">
<li>
<p>Log when <code class="docutils literal notranslate"><span
class="pre">named</span></code> adds a CDS/CDNSKEY
to the zone. [GL #1748]</p>
</li>
</ul>
</div>
<p>------------------------------------------------------------------------------------------------------------<br>
</p>
<p>I'm running Gentoo - and the newest version of BIND in the
repository is bind-9.16.6-r3<br>
Should I not be running what is one version away from the
Current-Stable version?<br>
</p>
<p>The ONLY DNSSEC type record I have in this zone is the "CDS
0 0 0 0" record.</p>
<p>I totally agree with ...</p>
<p>> There must only be the delete cds/cdnskey records and
not any other cds/cdnskey records.<br>
> Publish and delete instructions at the same time is not
consistent.</p>
<p>I'm also not surprised that NET_DNS2 is wrong. Have emailed
the author.</p>
<p>Still - what does one correctly enter into a text based
zone?</p>
<p>The text zone currently looks like...</p>
<pre>$TTL 3600
@       IN SOA  control.vweb.co.za. dns-admin.posix.co.za. (
                2020100404      ; Serial number
                3600            ; Refresh, 86400=1 day, 3600=1 hr
                1800            ; Retry after 30 mins
                604800          ; Expire after 7 days
                1800 )          ; Negative TTL, 21600=6 hrs, 1800=30 mins

@       IN A    192.96.24.5
@       IN AAAA 2001:42a0::5
@       IN NS   control.vweb.co.za.
@       IN NS   secdns1.posix.co.za.
@       IN CDS  0 0 0 00        ; RFC 8078 "delete DS" signal: key tag 0, alg 0, digest type 0, digest 0x00

www     IN A    192.96.24.5
www     IN AAAA 2001:42a0::5
</pre>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 2020/10/04 15:02, Mark Andrews
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:EDBDFED8-AA13-4EE1-BB89-BBA42D51F3CD@isc.org">
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
Use up-to-date software. <br>
<br>
<div dir="ltr">--
<div>Mark Andrews</div>
</div>
<div dir="ltr"><br>
<blockquote type="cite">On 4 Oct 2020, at 23:48, Mark
Elkins <a class="moz-txt-link-rfc2396E"
href="mailto:mje@posix.co.za" moz-do-not-send="true"><mje@posix.co.za></a>
wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
What is the magic incantation for inserting a "CDS 0 0 0
0" record in BIND.<br>
Version - BIND 9.16.6 (Stable Release)<br>
I've read RFC 8078 - which says... (<a
class="moz-txt-link-freetext"
href="https://tools.ietf.org/html/rfc8078"
moz-do-not-send="true">https://tools.ietf.org/html/rfc8078</a>)<br>
<pre class="newpage">The contents of the CDS or CDNSKEY RRset MUST contain one RR and only
contain the exact fields as shown below.
CDS 0 0 0 0
CDNSKEY 0 3 0 0
In Knot docs... <a class="moz-txt-link-freetext" href="https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf" moz-do-not-send="true">https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf</a>
it says...
DS deletion via "CDNSKEY 0 3 0 AA==" or "CDS 0 0 0 00" must be done manually
In <a class="moz-txt-link-freetext" href="https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf" moz-do-not-send="true">https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf</a> it says...
</pre>
<font size="-2"><span style="left: 142px; top:
613.747px; font-size: 16.6667px; transform:
scaleX(0.996759);">A child zone can also signal to
turn off DNSSEC by removing the DS record set in the
parent zone.</span></font><br>
<font size="-2"><span style="left: 142px; top:
613.747px; font-size: 16.6667px; transform:
scaleX(0.996759);">In </span><span style="left:
142px; top: 635.413px; font-size: 16.6667px;
transform: scaleX(0.998279);">this case, the
operator may publish a special CDS record which must
exactly match:</span></font><br>
<font size="-2"><span style="left: 142px; top:
635.413px; font-size: 16.6667px; transform:
scaleX(0.998279);"></span><span style="left: 142px;
top: 667.08px; font-size: 16.6667px; transform:
scaleX(0.997668);">CDS 0 0 0 00</span></font><br>
<p><br>
</p>
<p>I have a zone called "nodnssec.edu.za".<br>
</p>
<span style="left: 142px; top: 667.08px; font-size:
16.6667px; font-family: sans-serif; transform:
scaleX(0.997668);"></span>
<p>In a text zone - if I add:-</p>
<p>CDS 0 0 0 0</p>
<p>I get (from running: /usr/sbin/named-checkconf -z
/etc/bind/named.conf | grep nodnssec):</p>
<pre>_default/nodnssec.edu.za/IN: bad hex encoding
dns_rdata_fromtext: db.nodnssec.edu.za:17: near eol: bad hex encoding
zone nodnssec.edu.za/IN: loading from master file db.nodnssec.edu.za failed: bad hex encoding
zone nodnssec.edu.za/IN: not loaded due to errors.</pre>
<p>CDS 0 0 0 00 gives me....</p>
<pre>_default/nodnssec.edu.za/IN: bad CDS
zone nodnssec.edu.za/IN: CDS/CDNSKEY consistency checks failed
zone nodnssec.edu.za/IN: not loaded due to errors.</pre>
<p>I've also tried a null string - CDS 0 0 0 "" -
no joy.<br>
</p>
<p>So what should I add?<br>
</p>
<p>I've seen a record hosted by Cloudflare.... for
revolution.edu.za, DIG shows that as "CDS 0 0 0
00" and the NET_DNS2 software shows it as... "CDS
0 0 0 " (no digest at all).</p>
<div class="moz-signature">-- <br>
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
<title></title>
<p>Mark James ELKINS - Posix Systems - (South)
Africa<br>
<a class="moz-txt-link-abbreviated"
href="mailto:mje@posix.co.za"
moz-do-not-send="true">mje@posix.co.za</a>
Tel: <a href="tel:+27826010496"
moz-do-not-send="true">+27.826010496</a><br>
For fast, reliable, low cost Internet in ZA: <a
href="https://ftth.posix.co.za"
moz-do-not-send="true">https://ftth.posix.co.za</a><br>
<br>
<br>
</p>
</div>
<span>_______________________________________________</span><br>
<span>Please visit <a class="moz-txt-link-freetext"
href="https://lists.isc.org/mailman/listinfo/bind-users"
moz-do-not-send="true">https://lists.isc.org/mailman/listinfo/bind-users</a>
to unsubscribe from this list</span><br>
<span></span><br>
<span>ISC funds the development of this software with
paid support subscriptions. Contact us at <a
class="moz-txt-link-freetext"
href="https://www.isc.org/contact/"
moz-do-not-send="true">https://www.isc.org/contact/</a>
for more information.</span><br>
<span></span><br>
<span></span><br>
<span>bind-users mailing list</span><br>
<span><a class="moz-txt-link-abbreviated"
href="mailto:bind-users@lists.isc.org"
moz-do-not-send="true">bind-users@lists.isc.org</a></span><br>
<span><a class="moz-txt-link-freetext"
href="https://lists.isc.org/mailman/listinfo/bind-users"
moz-do-not-send="true">https://lists.isc.org/mailman/listinfo/bind-users</a></span><br>
</div>
</blockquote>
</blockquote>
<div class="moz-signature">-- <br>
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
<title></title>
<p>Mark James ELKINS - Posix Systems - (South) Africa<br>
<a class="moz-txt-link-abbreviated"
href="mailto:mje@posix.co.za" moz-do-not-send="true">mje@posix.co.za</a>
Tel: <a href="tel:+27826010496" moz-do-not-send="true">+27.826010496</a><br>
For fast, reliable, low cost Internet in ZA: <a
href="https://ftth.posix.co.za" moz-do-not-send="true">https://ftth.posix.co.za</a><br>
<br>
<img moz-do-not-send="false"
src="cid:part18.04DFBDEF.5ED3BE1B@qw.se" alt="Posix
Systems" class="" width="250" height="165"><img
moz-do-not-send="false"
src="cid:part19.825BE7C3.FA6200E4@qw.se" alt="VCARD for
MJ Elkins" title="VCARD, Scan me please!" class=""
width="164" height="164"><br>
</p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Please visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users" moz-do-not-send="true">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at <a class="moz-txt-link-freetext" href="https://www.isc.org/contact/" moz-do-not-send="true">https://www.isc.org/contact/</a> for more information.
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org" moz-do-not-send="true">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users" moz-do-not-send="true">https://lists.isc.org/mailman/listinfo/bind-users</a>
</pre>
</blockquote>
<div class="moz-signature">-- <br>
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
<title></title>
<p>Mark James ELKINS - Posix Systems - (South) Africa<br>
<a class="moz-txt-link-abbreviated"
href="mailto:mje@posix.co.za" moz-do-not-send="true">mje@posix.co.za</a>
Tel: <a href="tel:+27826010496" moz-do-not-send="true">+27.826010496</a><br>
For fast, reliable, low cost Internet in ZA: <a
href="https://ftth.posix.co.za" moz-do-not-send="true">https://ftth.posix.co.za</a><br>
<br>
<img moz-do-not-send="false"
src="cid:part18.04DFBDEF.5ED3BE1B@qw.se" alt="Posix
Systems" class="" width="250" height="165"><img
moz-do-not-send="false"
src="cid:part19.825BE7C3.FA6200E4@qw.se" alt="VCARD for MJ
Elkins" title="VCARD, Scan me please!" class=""
width="164" height="164"><br>
</p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Please visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users" moz-do-not-send="true">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at <a class="moz-txt-link-freetext" href="https://www.isc.org/contact/" moz-do-not-send="true">https://www.isc.org/contact/</a> for more information.
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org" moz-do-not-send="true">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users" moz-do-not-send="true">https://lists.isc.org/mailman/listinfo/bind-users</a>
</pre>
</blockquote>
<div class="moz-signature">-- <br>
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
<title></title>
<p>Mark James ELKINS - Posix Systems - (South) Africa<br>
<a class="moz-txt-link-abbreviated"
href="mailto:mje@posix.co.za" moz-do-not-send="true">mje@posix.co.za</a>
Tel: <a href="tel:+27826010496" moz-do-not-send="true">+27.826010496</a><br>
For fast, reliable, low cost Internet in ZA: <a
href="https://ftth.posix.co.za" moz-do-not-send="true">https://ftth.posix.co.za</a><br>
<br>
<img moz-do-not-send="false"
src="cid:part18.04DFBDEF.5ED3BE1B@qw.se" alt="Posix Systems"
class="" width="250" height="165"><img
moz-do-not-send="false"
src="cid:part19.825BE7C3.FA6200E4@qw.se" alt="VCARD for MJ
Elkins" title="VCARD, Scan me please!" class="" width="164"
height="164"><br>
</p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Please visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at <a class="moz-txt-link-freetext" href="https://www.isc.org/contact/">https://www.isc.org/contact/</a> for more information.
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
</pre>
</blockquote>
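<p>The RFC 8078 delete records and the conditions discussed in this thread, as an added example that is not part of any of the posts above and is not BIND code: a small stdlib-only Python model that converts CDS/CDNSKEY presentation format to wire form, which shows why a digest written as a single "0" is rejected as bad hex while "00" is the one-byte 0x00 digest and why the CDNSKEY form's key is "AA==", and then applies the consistency conditions from the thread and RFC 8078 (a delete record must stand alone, CDS and CDNSKEY must agree, and the zone must be signed with a KSK/CSK so the signal validates) to a constructed zone-apex model. The ZoneApex class, the check_cds_signal function and the zone contents are assumptions made for illustration, not a description of how named implements its "CDS/CDNSKEY consistency checks".</p>

```python
"""RFC 8078 CDS/CDNSKEY "delete" signalling checks, written as an added
example for this thread. Stdlib only; it is not BIND code and the zone
model below is constructed, not taken from any real zone."""
import base64
import binascii
from dataclasses import dataclass, field

# RFC 8078 section 4 delete records in wire form.
CDS_DELETE_WIRE = bytes(5)                       # keytag 0, alg 0, digest type 0, digest 0x00
CDNSKEY_DELETE_WIRE = b"\x00\x00\x03\x00\x00"    # flags 0, protocol 3, alg 0, public key 0x00
SEP_FLAG = 0x0001                                # DNSKEY flag bit marking a KSK/CSK


def parse_cds(rdata: str) -> bytes:
    """Presentation -> wire form for CDS rdata: "keytag alg dtype hexdigest".

    The digest is hex, so a digest written as a single "0" is one nibble and
    fails the same way named-checkzone reports it: bad hex encoding.  "00" is
    the single 0x00 byte RFC 8078 asks for."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("CDS needs key tag, algorithm, digest type and digest")
    key_tag, alg, dtype = (int(f) for f in fields[:3])
    if not (0 <= key_tag <= 0xFFFF and 0 <= alg <= 0xFF and 0 <= dtype <= 0xFF):
        raise ValueError("CDS field out of range")
    hexdigest = "".join(fields[3:])              # digest may be split across whitespace
    if not hexdigest or len(hexdigest) % 2:
        raise ValueError("bad hex encoding")
    try:
        digest = bytes.fromhex(hexdigest)
    except ValueError:
        raise ValueError("bad hex encoding") from None
    return key_tag.to_bytes(2, "big") + bytes([alg, dtype]) + digest


def parse_cdnskey(rdata: str) -> bytes:
    """Presentation -> wire form for CDNSKEY rdata: "flags proto alg base64key".
    The delete form's key is the single byte 0x00, which base64 encodes as "AA==".
    """
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("CDNSKEY needs flags, protocol, algorithm and key")
    flags, proto, alg = (int(f) for f in fields[:3])
    if not (0 <= flags <= 0xFFFF and 0 <= proto <= 0xFF and 0 <= alg <= 0xFF):
        raise ValueError("CDNSKEY field out of range")
    try:
        key = base64.b64decode("".join(fields[3:]), validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("bad base64 encoding") from None
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key


def is_cds_delete(wire: bytes) -> bool:
    return wire == CDS_DELETE_WIRE


def is_cdnskey_delete(wire: bytes) -> bool:
    return wire == CDNSKEY_DELETE_WIRE


@dataclass
class ZoneApex:
    """Constructed model of a zone apex (an assumption for this example):
    DNSKEY flags, CDS/CDNSKEY rdata in presentation form, and whether the
    apex RRsets currently validate under the existing DS."""
    dnskey_flags: list = field(default_factory=list)
    cds: list = field(default_factory=list)
    cdnskey: list = field(default_factory=list)
    validates: bool = False


def check_cds_signal(zone: ZoneApex) -> list:
    """Return the reasons a CDS/CDNSKEY RRset cannot be acted on.

    Modelled on RFC 8078 and on the conditions named in this thread (not on
    BIND's source): a delete record must be the only CDS/CDNSKEY record, the
    two RRsets must agree, and the zone must be signed with a KSK/CSK so the
    signal itself is validated by the parent."""
    problems = []
    cds = [parse_cds(r) for r in zone.cds]
    cdnskey = [parse_cdnskey(r) for r in zone.cdnskey]
    if not cds and not cdnskey:
        return problems                          # nothing signalled, nothing to check

    cds_delete = any(is_cds_delete(w) for w in cds)
    cdnskey_delete = any(is_cdnskey_delete(w) for w in cdnskey)
    if cds_delete and len(cds) > 1:
        problems.append("delete CDS must be the only CDS record")
    if cdnskey_delete and len(cdnskey) > 1:
        problems.append("delete CDNSKEY must be the only CDNSKEY record")
    if cds and cdnskey and cds_delete != cdnskey_delete:
        problems.append("CDS and CDNSKEY disagree: one publishes, the other deletes")
    if not any(f & SEP_FLAG for f in zone.dnskey_flags):
        problems.append("no KSK/CSK (SEP) DNSKEY at the apex")
    if not zone.validates:
        problems.append("zone does not validate, so the CDS/CDNSKEY RRset cannot be trusted")
    return problems


if __name__ == "__main__":
    unsigned = ZoneApex(cds=["0 0 0 00"])        # the unsigned zone from the thread
    for p in check_cds_signal(unsigned):
        print("unsigned zone:", p)
    signed = ZoneApex(dnskey_flags=[257, 256], cds=["0 0 0 00"],
                      cdnskey=["0 3 0 AA=="], validates=True)
    print("signed zone problems:", check_cds_signal(signed))
```

<p>Run as a script it lists the two reasons the unsigned zone's "CDS 0 0 0 00" can never be acted on (no SEP key, nothing validates) and an empty list for a signed zone carrying only the delete pair. The wire-form comparison is the point: a CDS delete is exactly five zero bytes and a CDNSKEY delete is 0000 03 00 00, so anything a registry compares against must come from the decoded bytes, not from the presentation string, which is where the "0" versus "00" confusion in the thread came from.</p>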
</body>
</html>