Hi Mark
Thank you for your answer. BIND is definitely running the current version:
$ rndc status
version: BIND 9.16.0 (Stable Release) <id:6270e60> ()
running on server: Linux x86_64 3.10.0-1062.4.3.el7.x86_64 #1 SMP Wed Nov 13 23:58:53 UTC 2019
boot time: Thu, 20 Feb 2020 16:30:15 GMT
last configured: Thu, 20 Feb 2020 16:31:25 GMT
configuration file: /etc/named/named.conf
(/opt/chroot/bind/etc/named/named.conf)
CPUs found: 4
worker threads: 4
UDP listeners per interface: 4
number of zones: 110 (98 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/900/1000
tcp clients: 2/150
TCP high-water: 103
server is up and running
I've removed the CDS/CDNSKEY records from the zone with dnssec-settime -K [key-directory] -D sync now Kexample.com...
So the CDS/CDNSKEY records no longer exist in the zone and are no longer queryable with dig, as expected:
$ dig @127.0.0.1 +noall +answer cds example.com -> No output
$ dig @127.0.0.1 +noall +answer cdnskey example.com -> No output
So from my point of view, I now have a clear starting point where no CDS/CDNSKEY records are published any more.
When I now configure the explicit deletion record(s) within the zone for "CDS" and/or "CDS/CDNSKEY", BIND still fails with the mentioned error.
The zonefile looks like this:
-------- SCHNIPP --------
$TTL 3600
example.com. IN SOA ns1.example.com. dnsadmin.example.com. (
2020022104
10800
3600
1209600
3600 )
example.com. IN NS ns1.example.com.
example.com. IN NS ns2.example.com.
@ IN CDS 0 0 0 00
@ IN CDNSKEY 0 3 0 AA==
-------- SCHNAPP --------
21-Feb-2020 08:13:40.939 general: error: zone example.com/IN (unsigned): CDS/CDNSKEY consistency checks failed
21-Feb-2020 08:13:40.939 zoneload: error: zone example.com/IN (unsigned): not loaded due to errors.
Thank you.
Kind regards,
Tom
On 20.02.20 19:41, Mark Andrews wrote:
Tom,
I would run 'rndc status' or 'dig ch txt version.bind @server' and confirm that you have restarted named with the new code. I've had hundreds of 'bug reports' about non-fixed bugs that were operators failing to restart named after installing the new version. The new code is in 9.16.0, 9.14.11, and 9.11.16.
I would check that the *only* CDS record present is a deletion record. A CDS deletion record together with a non-deletion CDS record is an error. Similarly for CDNSKEY. A CDS/CDNSKEY deletion record and other CDS/CDNSKEY records in an RRset make no sense. You are either deleting all DS records, or replacing all the DS records with the CDS records, or generating a new set of DS records from the CDNSKEY records. You can't do both at once.
Mark
On 21 Feb 2020, at 03:54, Ondřej Surý <ond...@isc.org> wrote:
Hi Tom,
On 20 Feb 2020, at 17:42, Tom <li...@verreckte-cheib.ch> wrote:
Hi
With 9.16.0, the CDS deletion (https://gitlab.isc.org/isc-projects/bind9/issues/1554) is still not working and ends with the same error as earlier BIND versions:
20-Feb-2020 17:31:25.381 general: error: zone example.com/IN (unsigned): CDS/CDNSKEY consistency checks failed
20-Feb-2020 17:31:25.381 zoneload: error: zone example.com/IN (unsigned): not loaded due to errors.
In which version will this issue be fixed?
It will be included in the next version once the issue in question gets picked up by a developer, is triaged, a test is written and the code is fixed. I can't really say when this will happen; our developer resources are thin and there are more issues that require our attention. That said, this is open source and we happily accept external contributions in the form of a merge request in our GitLab instance (you need to ask for permission to fork the project) or as a patch. This seems to be a fairly trivial bug that might be a good start for anybody who wants to help fix bugs in BIND 9.
Cheers,
Ondrej
--
Ondřej Surý
ond...@isc.org
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
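As an added illustration of the consistency rules discussed in this thread (this is example code written for this page, not BIND's own zone-loading checks), the following Python applies Mark's rule that a deletion record must be the only record in its RRset, together with the RFC 8078 section 4 deletion encodings ("CDS 0 0 0 00", "CDNSKEY 0 3 0 AA==") and the RFC 4034 DS-from-DNSKEY computation, so that when both CDS and CDNSKEY are published each CDS can be checked against a CDNSKEY. The zone fragments, the owner name and the function names are constructed for the example; the key material is an arbitrary byte string, not a real key.

```python
"""Added example: RFC 8078 CDS/CDNSKEY consistency checks (not BIND's code).

Rules implemented:
  * a DELETE record must be the only record in its RRset (Mark's rule)
  * CDS and CDNSKEY must not contradict each other (one deletes, other publishes)
  * when both are published, every CDS must be derivable from some CDNSKEY
Standard library only. All zone text below is constructed for this example.
"""
import base64
import hashlib
import struct

ORIGIN = "example.com."  # assumed zone origin for '@'

# Constructed fragment modelled on the zone posted in the thread.
DELETE_ZONE = """\
$TTL 3600
@ IN NS ns1.example.com.
@ IN CDS 0 0 0 00
@ IN CDNSKEY 0 3 0 AA==
"""

# Constructed counter-example: DELETE record mixed with a real CDS (an error).
MIXED_ZONE = """\
@ IN CDS 0 0 0 00
@ IN CDS 12345 13 2 AB AB AB AB
"""


def parse_cds_cdnskey(text):
    """Tiny reader for single-line CDS/CDNSKEY RRs; returns {type: [rdata tokens]}.

    Other record types are ignored; comments after ';' are stripped.
    """
    rrsets = {"CDS": [], "CDNSKEY": []}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        for i, tok in enumerate(fields):
            if tok in rrsets:
                rrsets[tok].append(fields[i + 1:])
                break
    return rrsets


def is_delete(rrtype, rdata):
    """RFC 8078 s.4: CDS '0 0 0 00' and CDNSKEY '0 3 0 AA==' mean 'remove the DS'."""
    head, tail = tuple(rdata[:3]), "".join(rdata[3:])
    if rrtype == "CDS":
        return head == ("0", "0", "0") and tail == "00"
    return head == ("0", "3", "0") and tail == "AA=="


def name_to_wire(name):
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def key_tag(rdata):
    """RFC 4034 appendix B key tag for algorithms other than RSA/MD5."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, proto, alg, key_b64, digest_type=2):
    """RFC 4034 s.5.1.4: DS digest = H(owner wire form | DNSKEY RDATA)."""
    hashes = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode(key_b64)
    digest = hashes[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), alg, digest_type, digest)


def check_cds_cdnskey(owner, rrsets):
    """Return a list of problems; an empty list means the RRsets are consistent."""
    problems = []
    cds, cdnskey = rrsets.get("CDS", []), rrsets.get("CDNSKEY", [])
    cds_del = any(is_delete("CDS", r) for r in cds)
    cdnskey_del = any(is_delete("CDNSKEY", r) for r in cdnskey)

    # A DELETE record must be the only record in its RRset.
    if cds_del and len(cds) > 1:
        problems.append("CDS DELETE record mixed with other CDS records")
    if cdnskey_del and len(cdnskey) > 1:
        problems.append("CDNSKEY DELETE record mixed with other CDNSKEY records")
    # Deleting via one type while publishing keys via the other is contradictory.
    if cds and cdnskey and cds_del != cdnskey_del:
        problems.append("CDS and CDNSKEY disagree: one deletes, the other publishes")
    if problems or cds_del or cdnskey_del or not (cds and cdnskey):
        return problems

    # Publication case with both types present: each CDS must derive from a CDNSKEY.
    derivable = set()
    for r in cdnskey:
        flags, proto, alg, key = int(r[0]), int(r[1]), int(r[2]), "".join(r[3:])
        for dt in (1, 2, 4):
            derivable.add(ds_from_dnskey(owner, flags, proto, alg, key, dt))
    for r in cds:
        rec = (int(r[0]), int(r[1]), int(r[2]), "".join(r[3:]).upper())
        if rec not in derivable:
            problems.append(f"CDS {rec[0]} {rec[1]} {rec[2]} matches no CDNSKEY")
    return problems


if __name__ == "__main__":
    for label, zone in (("delete", DELETE_ZONE), ("mixed", MIXED_ZONE)):
        print(label, check_cds_cdnskey(ORIGIN, parse_cds_cdnskey(zone)) or "OK")
```

Run it against a zone file fragment (or the output of `dig +noall +answer cds example.com` and the matching cdnskey query) to see which of the three rules a given CDS/CDNSKEY set violates before handing the zone to named.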