<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">Use up to date software. <br><br><div dir="ltr">-- <div>Mark Andrews</div></div><div dir="ltr"><br><blockquote type="cite">On 4 Oct 2020, at 23:48, Mark Elkins <mje@posix.co.za> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr">
What is the magic incantation for inserting a "CDS 0 0 0 0" record in
BIND?<br>
Version - BIND 9.16.6 (Stable Release)<br>
I've read RFC8070 - which says...
(<a class="moz-txt-link-freetext" href="https://tools.ietf.org/html/rfc8078">https://tools.ietf.org/html/rfc8078</a>)<br>
<pre class="newpage">The contents of the CDS or CDNSKEY RRset MUST contain one RR and only
contain the exact fields as shown below.
CDS 0 0 0 0
CDNSKEY 0 3 0 0
</pre>
In Knot docs... <a class="moz-txt-link-freetext" href="https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf">https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf</a>
it says...<br>
DS deletion via "CDNSKEY 0 3 0 AA==" or "CDS 0 0 0 00" must be done manually<br>
In <a class="moz-txt-link-freetext" href="https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf">https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf</a> it says...<br>
A child zone can also signal to turn off DNSSEC by removing the DS
record set in the parent zone.<br>
In this case, the operator may publish a special CDS record which must
exactly match:<br>
CDS 0 0 0 00<br>
<p><br>
</p>
<p>I have a zone called "nodnssec.edu.za".<br>
</p>
<p>In a text zone - if I add:-</p>
<p>CDS 0 0 0 0</p>
<p>I get:- (from running: /usr/sbin/named-checkconf -z
/etc/bind/named.conf | grep nodnssec)<br>
</p>
<p>_default/nodnssec.edu.za/IN: bad hex encoding<br>
dns_rdata_fromtext: db.nodnssec.edu.za:17: near eol: bad hex
encoding<br>
zone nodnssec.edu.za/IN: loading from master file
db.nodnssec.edu.za failed: bad hex encoding<br>
zone nodnssec.edu.za/IN: not loaded due to errors.<br>
</p>
<p>CDS 0 0 0 00 gives me.... <br>
</p>
<p>_default/nodnssec.edu.za/IN: bad CDS<br>
zone nodnssec.edu.za/IN: CDS/CDNSKEY consistency checks failed<br>
zone nodnssec.edu.za/IN: not loaded due to errors.</p>
<p>I've also tried a null string - CDS 0 0 0 "" - no joy.<br>
</p>
<p>So what should I add?<br>
</p>
<p>I've seen a record hosted by Cloudflare.... for
revolution.edu.za, DIG shows that as "CDS 0 0 0 00" and the
NET_DNS2 software shows it as... "CDS 0 0 0 " (no digest at
all).</p>
<div class="moz-signature">-- <br>
<p>Mark James ELKINS - Posix Systems - (South) Africa<br>
<a class="moz-txt-link-abbreviated" href="mailto:mje@posix.co.za">mje@posix.co.za</a> Tel: <a href="tel:+27826010496">+27.826010496</a><br>
For fast, reliable, low cost Internet in ZA: <a href="https://ftth.posix.co.za">https://ftth.posix.co.za</a><br>
<br>
<br>
</p>
</div>
<span>_______________________________________________</span><br><span>bind-users mailing list</span><br><span>bind-users@lists.isc.org</span><br><span>https://lists.isc.org/mailman/listinfo/bind-users</span><br></div></blockquote></body></html>