[dns-operations] non signing Bind & DNSSEC: a note of caution

Michael Graff mgraff at isc.org
Mon Feb 7 11:22:42 UTC 2011

Hash: SHA1

We have a fix for this.  It will make it into the release of 9.7.3, and
9.8.0 will also have the fix.

I'll see about getting it posted somewhere for the currently released

As a work-around, remove the allow-update { none; }; and let the normal
default deny mechanism take place.  This is of course, not a solution.

I also feel a global "don't be smart about anything I give you" switch
needs to go in, where named will serve whatever it is told, no matter
how insane it may be with respect to DNSSEC data.

- --Michael

On 2011-02-07 2:39 AM, Gilles Massen wrote:
> Hello,
> A small word of caution to those of you that sign zones (e.g. with
> OpenDNSSEC) and push the signed zones to Bind for distribution:
> If you have configured "allow-update {none;};" and are approaching the
> the end of signature lifetime (by a few days(!)), Bind tries to take
> over signing. Obviously it doesn't have access to the keys, but that
> does not stop it from stripping a couple of RRSIGs and serving the
> remaining zone. Removing the 'allow-update' statement fixes the issue.
> I have verified the behavior for the latest 9.7.2, 9.7.3rc1, 9.6.3.
> See also:
> https://lists.isc.org/pipermail/bind-users/2011-February/082668.html
> Best,
> Gilles

Version: GnuPG v1.4.11 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


More information about the dns-operations mailing list