Upgrade to 9.20. Some computational denial of service fixes involving SIG(0) were not backported to 9.18 but rather the path was just disabled.

> On 2 Sep 2025, at 05:37, Adam Burns <ad...@networkcommons.org> wrote:
>
> Hi all,
>
> I'm trying to debug some dynamic update zones (using SIG0 keys) after a BIND
> version upgrade, and I'm hoping someone on this list can give advice on
> potential root cause or at least suggestions on how to debug ...
>
> The instance has been working perfectly through upgrades until at least
> BIND9.18.26, however after upgrading to BIND9.18.33, dynamic updates from
> clients using SIG0 KEYS now seem to consistently fail.
>
> The update-policy definition that has reliably worked for many previous
> versions and updates until now.
>
>
> Example zone definition from named.conf:
>
> zone "zenr.io" IN {
>     type master;
>     file "dynamic/zenr.io/named.zenr.io";
>     key-directory "dynamic/zenr.io";
>     // auto-dnssec maintain;
>     dnssec-policy "default";
>     allow-transfer { 138.201.89.108; 2a01:4f8:c17:3dd5::1; };
>     update-policy {
>         grant "zenr.io" name zenr.io. ANY;
>         grant "zenr.io" subdomain zenr.io. ANY;
>         grant * selfsub . ANY;
>     };
> };
>
> All updates attempted from invoking a previously functional keypair seem to
> now
>
> $ dig vortex.zenr.io +short KEY
> 512 3 15 2MK3KZkUgYQVumU9bhy1KzIZ2FhFQZ8yLP2nFMJRCEQ=
>
> $ cat Kvortex.zenr.io.+015+56161.key
> vortex.zenr.io. IN KEY 512 3 15 2MK3KZkUgYQVumU9bhy1KzIZ2FhFQZ8yLP2nFMJRCEQ=
>
> $ nsupdate -k Kvortex.zenr.io.+015+56161 -L 10
> 01-Sep-2025 07:20:59.381 dns_requestmgr_create
> 01-Sep-2025 07:20:59.381 dns_requestmgr_create: 0x7fdf4a4acc40
> > server ns1.free2air.org
> > zone zenr.io
> > update add zenr.io 600 TXT "testing dynamic updates"
> > send
> update failed: REFUSED
>
>
> Any information on configuration changes that may be required to restore
> functionality or info on potential root causes or further diagnostic hints
> would be greatly appreciated.
>
> Thanks & Regards,
>
> Adam.
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org