On 24-05-2022 20:57, Jan-Piet Mens via bind-users wrote:

> Slightly off-topic, but I believe ISC recommend using a custom policy
> instead of `default' in case the default changes in future.

Yes, sort of. The documentation hints at the fact that the default policy is subject to change. I meanwhile grabbed the dnssec-policy.default file from GitLab and am using that as a locally defined policy.


> That surprises me a bit; I've always maintained BIND will not
> validate a DNSSEC-signed zone it is authoritative for. Unless you
> mean RRSIGs were still valid.

My terminology might not have been accurate. It is/was the RRSIGs that were outdated for all but the SOA record. I used the command provided in the documentation:

delv @10.0.0.242 -a Kpenguinpee.nl.+013+56132.key \
+root=penguinpee.nl penguinpee.nl. SOA +multiline

The key file here is the DNSKEY converted into a trust-anchor as per BIND ARM [1]. Checking any other record with delv returned 'RRSIG has expired'.


> BIND should be signing the zone(s) with dnssec-policy, yes, and the dynamically-updateable zone will be signed on update and SOA serial increased automatically.

> I wonder whether it's getting confused (can software get confused? I
> suppose so) with the two identically-named zones. If this were my
> installation and I had to use views, I'd try specifying distinct
> policies for the zones to see if that makes a difference.

That thought, regarding the same zone in different views, had occurred to me. However, having to specify different policies for different views would be at best a workaround. I'd rather find out what it is that confuses BIND and file a bug for it.

Looking at it from a user's perspective, on a large setup with multiple zones/views (not mine) one would hardly want to set up a separate policy for every zone/view.

For now, everything is looking fine again. But if it fails again, I will take another close look and hopefully something will turn up that points me in the right direction.

Should it be the views, is there a specific logging category I should increase verbosity on?

[1] https://bind9.readthedocs.io/en/latest/dnssec-guide.html?highlight=delv#verification

-- Sandro