Re: Bind 9.9.x inline signing

2012-06-08 Thread Mark Elkins
Some updates:

Eventually got VirtualBox to behave and now have two virtual instances
of Gentoo/BIND on my box. Now I have a cleaner test environment.

Rebuilt Evan's demo and it's now working well. Running BIND 9.9.1 and
'haveged' on both machines. I have modified my 'signer' script so if the
zone type is 'Auto', I just manage the Keys and BIND does the rest. The
script also checks the SOA of the signed zone and brings the unsigned
zone up to the same Serial Number. Seems to be keeping in sync now.

Some other 'changes' I've made: I create keys with SHA256 rather than
SHA1, thus my 'dnssec-keygen' invocation looks like:
dnssec-keygen -a RSASHA256 -b 1024
dnssec-keygen -fk -a RSASHA256 -b 2048 

So I have a beautiful NSEC managed zone - on to test with NSEC3!


On Sun, 2012-06-03 at 18:01 +0200, Mark Elkins wrote:
> Eventually got down to some experimenting again.
> These are observations - which may help others.
> 
> I followed example 1 of Evan Hunt's
> https://kb.isc.org/article/AA-00626/0/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html
> (I'm using bind 9.9.1)
> 
> I did change the name of the zone and didn't bother with
> allow-transfer - using the default behaviour of BIND instead (using
> the NS records in the zone instead)
> 
> I first created the zone and got it working as normal between two
> machines (on the same LAN - etc). This works fine, add a record to the
> first zone, bump the SOA Serial, rndc reload, and the slave gets the
> update notify.
> 
> I then went through the example and added automatic DNSSEC.
> 
> The Slave no longer seems to get NOTIFY - I had to stop, remove the
> saved slave file, and restart the slave to force the transfer.
> 
> Initially, making a change to the unsigned zone works.
> (Edit unsigned, add data, bump SOA by one, save, rndc reload)
> Log:  03-Jun-2012 17:23:35.941 general: info: zone yellowbutton.co.za/IN
> (signed): serial 2012060307 (unsigned 2012060304)
> 
> I didn't like the fact that the unsigned serial (which I manage) was
> lower than that of the signed zone. Making it bigger than the signed
> zone's version appears to have gotten the zones back in sync - however
> the slave is still not getting any Notifies (and has not yet caught up).
> I also expect that in the future, any 'magic bind key-signing' may also
> de-sync my unsigned zone's concept of the current SOA Serial as well.
> 
> It's the apparent lack of NOTIFYs that's really bugging me. I did modify
> the secondary zone config in named.conf and added
> masterfile-format text; - which saves the zone in nice, easy to debug,
> ASCII.
> Is the NOTIFY from 'Inline-signing' zones currently broken?
> 
> 
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
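The serial-sync step Mark describes for his 'signer' script (read the signed zone's serial, bring the unsigned zone up to it), written out as an added POSIX shell example; this is not Mark's script. It assumes the SOA record occupies a single line of the zone file and that the signed serial is passed in by the caller (taken from the "serial N (unsigned M)" log line or from dig +short SOA against the signing server).

```shell
#!/bin/sh
# Added example (not Mark's script): keep an unsigned zone file's
# SOA serial in step with the serial BIND reports for the signed copy.
# Assumes the SOA record is on one line, with or without parentheses.

# Print the SOA serial of a zone file.
soa_serial() {
    awk '$0 ~ /[[:space:]]SOA[[:space:]]/ {
        gsub(/\(/, " ( ")                  # make "(" its own field (resplits $0)
        for (i = 1; i <= NF; i++) if ($i == "SOA") { j = i + 3; break }
        if ($j == "(") j++                 # serial follows MNAME and RNAME
        print $j; exit
    }' "$1"
}

# Rewrite the unsigned zone serial when it is behind the signed serial
# (the "serial N (unsigned M)" pair in the named log, or dig +short SOA
# against the signing server). Prints the serial in effect afterwards;
# the SOA line is re-emitted with single spaces between fields.
sync_unsigned_serial() {
    zonefile=$1; signed=$2
    current=$(soa_serial "$zonefile")
    [ -n "$current" ] || { echo "no SOA serial in $zonefile" >&2; return 1; }
    if [ "$current" -ge "$signed" ]; then
        echo "$current"; return 0        # already level or ahead: leave it
    fi
    tmp="$zonefile.tmp.$$"
    awk -v new="$signed" '
        !done && $0 ~ /[[:space:]]SOA[[:space:]]/ {
            gsub(/\(/, " ( ")
            for (i = 1; i <= NF; i++) if ($i == "SOA") { j = i + 3; break }
            if ($j == "(") j++
            $j = new; done = 1
        }
        { print }' "$zonefile" > "$tmp" && mv "$tmp" "$zonefile"
    echo "$signed"
}

# Constructed sample unsigned zone, serial 2012060304 as in the thread's log.
make_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 3600
@   IN SOA ns1.example.test. hostmaster.example.test. (2012060304 3600 900 1209600 300)
    IN NS  ns1.example.test.
ns1 IN A   192.0.2.1
EOF
}
```

Run it after the signed zone's serial has moved on; rndc reload of the unsigned zone then picks up the new serial.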



RE: Bind 9.9.x inline signing

2012-06-03 Thread Spain, Dr. Jeffry A.
> I didn't like the fact that the unsigned serial (which I manage) was lower
> than that of the signed zone. Making it bigger than the signed zones version
> appears to have gotten the zones back in sync - however the slave is still
> not getting any Notifies (and has not yet caught up).

With inline-signing yes; and auto-dnssec maintain; in place, the SOA serial 
number of the signed zone will always be ahead of the unsigned zone. BIND 9 
periodically carries out signing and key maintenance activities, and in the 
process automatically increments the SOA serial number of the signed zone.

When you manually edit the unsigned zone, you can set the SOA serial number to 
any value larger than the previous value, including incrementing by one, and 
everything should work. BIND 9 tracks the SOA serial numbers of the unsigned 
and signed versions of the zone separately.

Note that you can also use nsupdate to edit the unsigned zone, and nsupdate 
will automatically increment the unsigned zone's SOA serial number for you.

> I also expect that in the future, any 'magic bind key-signing' may also
> de-sync my unsigned zone's concept of the current SOA Serial as well.

> It's the apparent lack of NOTIFYs that's really bugging me. I did modify the
> secondary zone config in named.conf and added masterfile-format text; -
> which saves the zone in nice, easy to debug, ASCII.
> Is the NOTIFY from 'Inline-signing' zones currently broken?

This has been working for me, but with some different configuration settings. 
Because my DNS servers are behind an IPv4 NAT firewall, I have not been relying 
on BIND 9's default notification scheme. The name server addresses in the zone 
files are external IPv4 addresses not reachable from inside the firewall. 
Instead I have configured notify explicit; and also-notify { ... }; to 
control the notification process. This issue also affects the addresses in 
allow-transfer { ... }; and masters { ... }; statements.

Did you happen to look at your syslog (cat /var/log/syslog | grep named)? It is 
possible that your slaves are not receiving notifies, or are not able to do 
zone transfers, or both.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
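An added example of the syslog check Jeffry suggests, not code from either poster: a shell function that walks named's log lines and reports, per inline-signed zone, whether a "sending notifies" entry followed the latest signed serial. The sample log lines are constructed here in the style of the "serial N (unsigned M)" message Mark quoted and of named's notify message; the zone names other than yellowbutton.co.za are made up.

```shell
#!/bin/sh
# Added example (not from the thread): check named's log for inline-signed
# zones whose signed serial advanced without a matching "sending notifies".

# Report per zone: latest signed serial, serial last notified, and a verdict.
named_notify_report() {
    awk '
    /\(signed\): serial [0-9]+/ || /sending notifies \(serial [0-9]+\)/ {
        zone = ""
        for (i = 1; i <= NF; i++) if ($i == "zone") zone = $(i + 1)
        s = $0; sub(/.*serial /, "", s); sub(/[^0-9].*/, "", s)   # isolate the serial
        if ($0 ~ /sending notifies/) notified[zone] = s
        else signed[zone] = s
    }
    END {
        for (z in signed) {
            n = (z in notified) ? notified[z] : "none"
            st = (n == "none") ? "MISSING-NOTIFY" : ((n == signed[z]) ? "OK" : "STALE-NOTIFY")
            printf "%s signed=%s notified=%s %s\n", z, signed[z], n, st
        }
    }' "$1" | sort
}

# Constructed syslog excerpt: one zone notified after signing, one never
# notified, one notified only for an older serial.
make_sample_named_log() {
    cat > "$1" <<'EOF'
Jun  3 17:23:35 ns1 named[1234]: zone yellowbutton.co.za/IN (signed): serial 2012060307 (unsigned 2012060304)
Jun  3 17:23:36 ns1 named[1234]: zone yellowbutton.co.za/IN (signed): sending notifies (serial 2012060307)
Jun  3 17:24:01 ns1 named[1234]: zone example.test/IN (signed): serial 2012060310 (unsigned 2012060309)
Jun  3 17:25:10 ns1 named[1234]: zone stale.test/IN (signed): serial 2012060311 (unsigned 2012060309)
Jun  3 17:25:11 ns1 named[1234]: zone stale.test/IN (signed): sending notifies (serial 2012060311)
Jun  3 17:40:00 ns1 named[1234]: zone stale.test/IN (signed): serial 2012060312 (unsigned 2012060309)
EOF
}
```

On a live box, feed it the named lines from syslog (e.g. grep named /var/log/syslog) and compare a MISSING-NOTIFY verdict against the slave's "transferred serial" lines.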
