Re: bind makes RRSIG disappear?

2011-02-07 Thread Evan Hunt
> >BIND will try to maintain the signatures in a zone if the zone is
> >configured to be dynamic--i.e., if it has an update-policy or allow-update
> >option.  It won't create signatures where there were none, but it will try
> >to keep existing RRSIGs up to date for you.
> 
> Not that I would need it, but doesn't this prevent someone from 
> dynamically updating (including signatures) a signed zone?

The reasoning is that if the zone is dynamic and named can see your private
key, then that's a hint that you would like named to keep your signatures
from expiring.  (Because after all, why wouldn't you?)

But, even if the zone is dynamic, if named can't see the private key, then
it should leave your RRSIGs alone.  If that's not how it's behaving, that's
a bug, and we'll address it very soon.

> I'd see this as a symptom: I would really prefer if this kind of magic 
> only kicked in if explicitly enabled. Or, if that's not possible for 
> usability reasons, have a config switch like "don't touch my data - ever".

I agree that option would be a good thing to have.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: bind makes RRSIG disappear?

2011-02-07 Thread Gilles Massen

Evan,

Thanks for outlining this - it's much clearer now.


> BIND will try to maintain the signatures in a zone if the zone is
> configured to be dynamic--i.e., if it has an update-policy or allow-update
> option.  It won't create signatures where there were none, but it will try
> to keep existing RRSIGs up to date for you.

Not that I would need it, but doesn't this prevent someone from 
dynamically updating (including signatures) a signed zone?

> The "auto-dnssec" option relates to automated changes based on timing
> metadata stored with the key.  For example, you can schedule a key to be
> published on a certain date, and named will insert the DNSKEY record into
> the zone at the right time; or, you can schedule a key to become active,
> and named will start signing with it.  But routine RRSIG maintenance
> happens in *any* dynamic zone, with or without "auto-dnssec".
>
> Having RRSIGs disappear from a zone when there's no private key available
> for re-signing is probably a problem (at least, it would seem to violate
> the principle of least astonishment).  I'll look into that.

I'd see this as a symptom: I would really prefer if this kind of magic 
only kicked in if explicitly enabled. Or, if that's not possible for 
usability reasons, have a config switch like "don't touch my data - ever".


Best,
Gilles

--
Fondation RESTENA




Re: bind makes RRSIG disappear?

2011-02-07 Thread Evan Hunt
> Thanks, this works indeed.
> 
> This raises a few questions, as I'd really like to understand bind's
> behavior:
> 
> - is there any description of exactly how/when Bind assumes signing
> authority over a zone? Or simply where some kind of zone-manipulating
> intelligence kicks in?
> 
> - is it possible to disable this kind of intelligence (possibly at
> compile time)?
> 
> - if not: a config switch (or compile-time option) would really be
> appreciated. The zone option "auto-dnssec off;" did not prevent bind
> from trying to sign the zone.

BIND will try to maintain the signatures in a zone if the zone is
configured to be dynamic--i.e., if it has an update-policy or allow-update
option.  It won't create signatures where there were none, but it will try
to keep existing RRSIGs up to date for you.

In this case, there's a bug where it thinks "update-policy { none; };"
counts as an update-policy statement.  So, the zone isn't dynamic and
shouldn't be re-signed, but named was confused and thought it was and
should.  This will be fixed in future releases.

The "auto-dnssec" option relates to automated changes based on timing
metadata stored with the key.  For example, you can schedule a key to be
published on a certain date, and named will insert the DNSKEY record into
the zone at the right time; or, you can schedule a key to become active,
and named will start signing with it.  But routine RRSIG maintenance
happens in *any* dynamic zone, with or without "auto-dnssec".

Having RRSIGs disappear from a zone when there's no private key available
for re-signing is probably a problem (at least, it would seem to violate
the principle of least astonishment).  I'll look into that.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: bind makes RRSIG disappear?

2011-02-07 Thread Cathy Almond
Hi Gilles,

You've identified a corner-case bug - the logic is incorrect in the case
where the ACL holds "none" instead of being empty.

There's no compile-time option - but we are treating what you've
reported to us as a bug (RT #23120).  It is currently under
investigation/discussion.

Many thanks for bringing this to our attention.

Cathy


On 07/02/11 07:29, Gilles Massen wrote:
> Mark,
> 
> On 02/06/2011 10:41 PM, Mark Andrews wrote:
>> Mark Andrews writes:
>>>
>>>>
>>>>> Does your configuration also have an "allow-update" setting
>>>>> (other than "none") for it, maybe only for the instance that
>>>>> is giving you trouble? In that case BIND will take it that you
>>>>> want it to do resigning as the RRSIGs approach expiry.
>>>>
>>>> The only allow-update is in the options section, and none.
>>>
>>> Get rid of the allow-update and allow the default of no acl to work.
>>
>> The test that decides that the zone may need to be re-signed doesn't
>> take the "none;" acl into account.  Currently it is
>> "if (acl != NULL || ssu != NULL)" and should become
>> "if ((acl != NULL && !isnone(acl)) || ssu != NULL)".
> 
> Thanks, this works indeed.
> 
> This raises a few questions, as I'd really like to understand bind's
> behavior:
> 
> - is there any description of exactly how/when Bind assumes signing
> authority over a zone? Or simply where some kind of zone-manipulating
> intelligence kicks in?
> 
> - is it possible to disable this kind of intelligence (possibly at
> compile time)?
> 
> - if not: a config switch (or compile-time option) would really be
> appreciated. The zone option "auto-dnssec off;" did not prevent bind
> from trying to sign the zone.
> 
> Best,
> Gilles
> 
> 


Re: bind makes RRSIG disappear?

2011-02-06 Thread Gilles Massen
Mark,

On 02/06/2011 10:41 PM, Mark Andrews wrote:
> Mark Andrews writes:
>>
>>>
>>>> Does your configuration also have an "allow-update" setting
>>>> (other than "none") for it, maybe only for the instance that
>>>> is giving you trouble? In that case BIND will take it that you
>>>> want it to do resigning as the RRSIGs approach expiry.
>>>
>>> The only allow-update is in the options section, and none.
>>
>> Get rid of the allow-update and allow the default of no acl to work.
> 
> The test that decides that the zone may need to be re-signed doesn't
> take the "none;" acl into account.  Currently it is
> "if (acl != NULL || ssu != NULL)" and should become
> "if ((acl != NULL && !isnone(acl)) || ssu != NULL)".

Thanks, this works indeed.

This raises a few questions, as I'd really like to understand bind's
behavior:

- is there any description of exactly how/when Bind assumes signing
authority over a zone? Or simply where some kind of zone-manipulating
intelligence kicks in?

- is it possible to disable this kind of intelligence (possibly at
compile time)?

- if not: a config switch (or compile-time option) would really be
appreciated. The zone option "auto-dnssec off;" did not prevent bind
from trying to sign the zone.

Best,
Gilles


-- 
Fondation RESTENA - DNS-LU


Re: bind makes RRSIG disappear?

2011-02-06 Thread Mark Andrews

In message <4d4ef872.6070...@restena.lu>, Gilles Massen writes:
> Chris,
> 
> thanks for the hint, but:
> 
> 
> On 6/2/11 19:20 , Chris Thompson wrote:
> > On Feb 6 2011, Gilles Massen wrote:
> >
> >> I have a very peculiar behavior: a zone, signed by OpenDNSSEC and
> >> pushed to Bind 9.7.2-P3 by scp was working fine. But now, completely
> >> out of the blue, Bind decides to claim some authority over the zone:
> >> the SOA RRSIG (only that one) is scrapped, and this is logged:
> 
> [...]
> 
> > Presumably you are defining the zone to BIND as "type master".
> 
> Yes.
> 
> > Does your configuration also have an "allow-update" setting
> > (other than "none") for it, maybe only for the instance that
> > is giving you trouble? In that case BIND will take it that you
> > want it to do resigning as the RRSIGs approach expiry.
> 
> The only allow-update is in the options section, and none.

Get rid of the allow-update and allow the default of no acl to work.
 
> BTW, the config has not changed in months, only the zone got only 
> signed. Besides, at least the SOA RRSIG is pretty recent. Other 
> signatures that disappear are still 7 days from expiry.
> 
> Best,
> Gilles
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: bind makes RRSIG disappear?

2011-02-06 Thread Mark Andrews

Mark Andrews writes:
> 
> In message <4d4ef872.6070...@restena.lu>, Gilles Massen writes:
> > Chris,
> > 
> > thanks for the hint, but:
> > 
> > 
> > On 6/2/11 19:20 , Chris Thompson wrote:
> > > On Feb 6 2011, Gilles Massen wrote:
> > >
> > >> I have a very peculiar behavior: a zone, signed by OpenDNSSEC and
> > >> pushed to Bind 9.7.2-P3 by scp was working fine. But now, completely
> > >> out of the blue, Bind decides to claim some authority over the zone:
> > >> the SOA RRSIG (only that one) is scrapped, and this is logged:
> > 
> > [...]
> > 
> > > Presumably you are defining the zone to BIND as "type master".
> > 
> > Yes.
> > 
> > > Does your configuration also have an "allow-update" setting
> > > (other than "none") for it, maybe only for the instance that
> > > is giving you trouble? In that case BIND will take it that you
> > > want it to do resigning as the RRSIGs approach expiry.
> > 
> > The only allow-update is in the options section, and none.
> 
> Get rid of the allow-update and allow the default of no acl to work.

The test that decides that the zone may need to be re-signed doesn't
take the "none;" acl into account.  Currently it is
"if (acl != NULL || ssu != NULL)" and should become
"if ((acl != NULL && !isnone(acl)) || ssu != NULL)".

Mark

> > BTW, the config has not changed in months, only the zone got only 
> > signed. Besides, at least the SOA RRSIG is pretty recent. Other 
> > signatures that disappear are still 7 days from expiry.
> > 
> > Best,
> > Gilles
> > 
> > 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
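The decision Mark describes, as an added example that is not BIND's source: a constructed zone_acl_t stands in for BIND's ACL object, ssu_table_t for the update-policy table, and isnone() is an assumed helper named after the one in his fix. It places the quoted check before and after the fix side by side and adds the private-key condition Evan states elsewhere in the thread.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for BIND's allow-update ACL (not dns_acl_t): a
 * list of client matches. "none" is an ACL that exists but matches
 * nobody, modelled here as zero elements. NULL means the option was
 * never configured, which is BIND's default. */
typedef struct {
    size_t nelem;          /* number of matching elements */
    const char *elem[4];   /* e.g. "10.0.0.0/8" or "key update-key" */
} zone_acl_t;

/* Opaque stand-in for an update-policy (SSU) table; only NULL-ness matters. */
typedef struct { int unused; } ssu_table_t;

/* Assumed helper, named after the isnone() in Mark's fix: true when the
 * ACL object is present but can never match a client. */
static bool isnone(const zone_acl_t *acl) {
    return acl != NULL && acl->nelem == 0;
}

/* The test as quoted in the thread, before the fix: any allow-update
 * object at all, including "none", marks the zone dynamic. */
static bool zone_is_dynamic_buggy(const zone_acl_t *acl, const ssu_table_t *ssu) {
    return acl != NULL || ssu != NULL;
}

/* The test as Mark says it should become. */
static bool zone_is_dynamic_fixed(const zone_acl_t *acl, const ssu_table_t *ssu) {
    return (acl != NULL && !isnone(acl)) || ssu != NULL;
}

/* Evan's second rule: even a dynamic zone is only re-signed when named can
 * read the private key; otherwise the existing RRSIGs are left alone. */
static bool should_maintain_rrsigs(const zone_acl_t *acl, const ssu_table_t *ssu,
                                   bool private_key_readable) {
    return zone_is_dynamic_fixed(acl, ssu) && private_key_readable;
}

int main(void) {
    /* Gilles's setup: allow-update { none; }; inherited from options, zone
     * signed externally by OpenDNSSEC, so named has no private key files. */
    zone_acl_t none_acl = { 0, { NULL } };
    zone_acl_t lan_acl = { 1, { "10.0.0.0/8" } };
    printf("none acl: buggy=%d fixed=%d\n",
           zone_is_dynamic_buggy(&none_acl, NULL), zone_is_dynamic_fixed(&none_acl, NULL));
    printf("lan acl, no key: maintain=%d\n", should_maintain_rrsigs(&lan_acl, NULL, false));
    return 0;
}
```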


Re: bind makes RRSIG disappear?

2011-02-06 Thread Gilles Massen

Chris,

thanks for the hint, but:


On 6/2/11 19:20 , Chris Thompson wrote:
> On Feb 6 2011, Gilles Massen wrote:
>
>> I have a very peculiar behavior: a zone, signed by OpenDNSSEC and
>> pushed to Bind 9.7.2-P3 by scp was working fine. But now, completely
>> out of the blue, Bind decides to claim some authority over the zone:
>> the SOA RRSIG (only that one) is scrapped, and this is logged:

[...]

> Presumably you are defining the zone to BIND as "type master".

Yes.

> Does your configuration also have an "allow-update" setting
> (other than "none") for it, maybe only for the instance that
> is giving you trouble? In that case BIND will take it that you
> want it to do resigning as the RRSIGs approach expiry.

The only allow-update is in the options section, and none.

BTW, the config has not changed in months, only the zone got only 
signed. Besides, at least the SOA RRSIG is pretty recent. Other 
signatures that disappear are still 7 days from expiry.


Best,
Gilles




Re: bind makes RRSIG disappear?

2011-02-06 Thread Chris Thompson

On Feb 6 2011, Gilles Massen wrote:

> I have a very peculiar behavior: a zone, signed by OpenDNSSEC and pushed 
> to Bind 9.7.2-P3 by scp was working fine. But now, completely out of the 
> blue, Bind decides to claim some authority over the zone: the SOA RRSIG 
> (only that one) is scrapped, and this is logged:
>
> 06-Feb-2011 15:10:59.373 general: warning: dns_dnssec_findzonekeys2: 
> error reading private key file dns.lu/RSASHA256/16129: file not found
> 06-Feb-2011 15:10:59.373 general: warning: dns_dnssec_findzonekeys2: 
> error reading private key file dns.lu/RSASHA256/13736: file not found
>
> Additionally a journal file is built alongside the original zone file.
>
> Why is this happening, and more importantly, how can I make it stop? 
> Restarting bind/removing the journal had no effect whatsoever!
>
> BTW, another instance of 9.7.2-P3 gets the same zone, the same way, and 
> is still serving it normally.
>
> Any help would be appreciated...

Presumably you are defining the zone to BIND as "type master".
Does your configuration also have an "allow-update" setting
(other than "none") for it, maybe only for the instance that
is giving you trouble? In that case BIND will take it that you
want it to do resigning as the RRSIGs approach expiry.

--
Chris Thompson
Email: c...@cam.ac.uk