[dns-operations] non signing Bind & DNSSEC: a note of caution

Michael Graff mgraff at isc.org
Mon Feb 7 11:22:42 UTC 2011



We have a fix for this.  It will make it into the release of 9.7.3, and
9.8.0 will also have the fix.

I'll see about getting it posted somewhere for the currently released
versions.

As a work-around, remove the allow-update { none; }; and let the normal
default deny mechanism take place.  This is, of course, not a solution.

I also feel a global "don't be smart about anything I give you" switch
needs to go in, where named will serve whatever it is told, no matter
how insane it may be with respect to DNSSEC data.

- --Michael

On 2011-02-07 2:39 AM, Gilles Massen wrote:
> Hello,
> 
> A small word of caution to those of you that sign zones (e.g. with
> OpenDNSSEC) and push the signed zones to Bind for distribution:
> 
> If you have configured "allow-update {none;};" and are approaching the
> end of signature lifetime (by a few days(!)), Bind tries to take
> over signing. Obviously it doesn't have access to the keys, but that
> does not stop it from stripping a couple of RRSIGs and serving the
> remaining zone. Removing the 'allow-update' statement fixes the issue.
> 
> I have verified the behavior for the latest 9.7.2, 9.7.3rc1, 9.6.3.
> 
> See also:
> 
> https://lists.isc.org/pipermail/bind-users/2011-February/082668.html
> 
> Best,
> Gilles
> 

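The failure described in this thread (named silently dropping RRSIGs from a pre-signed zone as the signatures approach expiry) is easy to catch from the outside by comparing what the signer produced with what the server actually answers. The following check is an added example written for this page, not code from the thread, from ISC or from OpenDNSSEC. It assumes both inputs are in one-line presentation format (as written by the signer, or as obtained from an AXFR dump), and the two zone texts below are constructed sample data, not real zone contents; the reference clock is pinned so the run is reproducible.

```python
"""Compare a signed zone file with what named serves, and flag RRSIGs
that are missing or close to expiry.

Two questions matter for the incident discussed above:
  1. Are any RRSIGs from the signed file absent from the served zone?
  2. Are any RRSIGs within the window where signatures are about to expire?
"""
from datetime import datetime, timedelta, timezone

# Fixed reference clock for the demo (constructed). A real run would use
# datetime.now(timezone.utc).
NOW = datetime(2011, 2, 7, 11, 0, 0, tzinfo=timezone.utc)

# Constructed sample: what the signer wrote to disk. Signature data is dummy.
SIGNED_FILE = """\
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2011020701 7200 3600 1209600 3600
example.net. 3600 IN RRSIG SOA 8 2 3600 20110210000000 20110127000000 12345 example.net. AbCd...
example.net. 3600 IN NS ns1.example.net.
example.net. 3600 IN RRSIG NS 8 2 3600 20110210000000 20110127000000 12345 example.net. EfGh...
www.example.net. 3600 IN A 192.0.2.10
www.example.net. 3600 IN RRSIG A 8 3 3600 20110210000000 20110127000000 12345 example.net. IjKl...
"""

# Constructed sample: the same zone as dumped from the server, with one
# RRSIG (the one covering www/A) no longer present.
SERVED_ZONE = """\
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2011020701 7200 3600 1209600 3600
example.net. 3600 IN RRSIG SOA 8 2 3600 20110210000000 20110127000000 12345 example.net. AbCd...
example.net. 3600 IN NS ns1.example.net.
example.net. 3600 IN RRSIG NS 8 2 3600 20110210000000 20110127000000 12345 example.net. EfGh...
www.example.net. 3600 IN A 192.0.2.10
"""


def parse_rrsigs(zone_text):
    """Return {(owner, covered_type): expiration_datetime} for each RRSIG line.

    Expects the one-line form:
      owner TTL IN RRSIG type alg labels origttl expiration inception keytag signer sig
    Lines that are not RRSIGs (or are too short to be well-formed) are skipped.
    """
    sigs = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 12 or fields[2] != "IN" or fields[3] != "RRSIG":
            continue
        owner, covered, expiration = fields[0], fields[4], fields[8]
        when = datetime.strptime(expiration, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        sigs[(owner, covered)] = when
    return sigs


def stripped_rrsigs(file_text, served_text):
    """RRSIGs present in the signed file but missing from the served zone."""
    return sorted(set(parse_rrsigs(file_text)) - set(parse_rrsigs(served_text)))


def expiring_rrsigs(zone_text, now=NOW, days=7):
    """RRSIGs whose expiration falls within `days` of `now` (or is already past)."""
    limit = now + timedelta(days=days)
    return sorted((key, when) for key, when in parse_rrsigs(zone_text).items() if when <= limit)


def report(file_text, served_text, now=NOW, days=7):
    """Human-readable summary; returns the list of lines it prints."""
    lines = []
    for owner, rtype in stripped_rrsigs(file_text, served_text):
        lines.append(f"MISSING  RRSIG {rtype} for {owner} is in the file but not served")
    for (owner, rtype), when in expiring_rrsigs(file_text, now, days):
        left = when - now
        lines.append(f"EXPIRING RRSIG {rtype} for {owner} expires in {left.days}d ({when:%Y-%m-%d %H:%M} UTC)")
    if not lines:
        lines.append("OK: all RRSIGs served and none expiring within the window")
    return lines


if __name__ == "__main__":
    for line in report(SIGNED_FILE, SERVED_ZONE):
        print(line)
```

Run against a real deployment, the first input is the signer's output file and the second is an AXFR of the same zone from the BIND instance; any line starting with MISSING is the symptom Gilles describes, and the EXPIRING lines show how close the zone is to the window in which it occurred. A negative days value in the expiry report means the signature is already past its end and the zone will fail validation regardless of what the server does.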
