Hi,
you did not mention what version of BIND is in use or any log messages
the server produced so we cannot be sure... but
I suspect it has to do with this release note:
https://bind9.readthedocs.io/en/v9.18.28/notes.html#security-fixes
Validating DNS messages signed using the SIG(0) protocol (RFC 2931) could cause
excessive CPU load, leading to a denial-of-service condition. Support for
SIG(0) message validation was removed from this version of named.
(CVE-2024-1975) [GL #4480]
This is accompanied with a well hidden debug message (level 3):
> request has a SIG(0) signature but its support was removed
(CVE-2024-1975)
For SIG(0) support you need to upgrade to BIND 9.20.
Mitigating SIG(0) DoS potential required surgery to very sensitive parts
of the code so we decided to remove support from 9.18 branch (and older)
to minimize risk for the whole user base and keep it only in 9.20 so
more advanced users can upgrade and still have it.
Honestly we thought that nobody is using it! What is your use-case?
Petr Špaček
Internet Systems Consortium
On 03. 08. 24 8:18, Sebastian Unger wrote:
Hi,
I have had a DNS server with a dynamic zone that allows updates running
for a fair number of years. However, I discovered yesterday that this
setup no longer works and I cannot see anything in the documentation
that indicates why. Unfortunately, I did not notice when this broke, so
it may have been a while ago. Here's my setup:
Starting with a plain Ubuntu 24.04 server (also tried with 22.04 as well
as 24.04 + the ISC PPA) that has static network configuration and
systemd-resolved disabled plus bind9 package installed.
Config:
/etc/bind/named.conf.options:
options {
directory "/var/cache/bind";
dnssec-validation no;
listen-on { any; };
listen-on-v6 { none; };
};
/etc/bind/named.conf.local:
zone "dyn.example.com <http://dyn.example.com/>" {
type primary;
masterfile-format text;
check-names ignore;
file "/var/lib/bind/db.dyn.example.com
<http://db.dyn.example.com/>";
update-policy {
grant local-ddns zonesub any;
grant * self . any;
};
};
/var/lib/bind/db.dyn.example.com <http://db.dyn.example.com/>:
$ORIGIN .
$TTL 60
dyn.example.com <http://dyn.example.com/> IN SOA 127.0.0.1.
admins.example.com <http://admins.example.com/>. (2024080306 300 300
604800 60)
NS 127.0.0.1.
Then I run from the command-line (better run this from an empty
directory or else the wild-cards may pick up the wrong files):
dnssec-keygen -a ECDSAP384SHA384 -n host -K . -T KEY
test.dyn.example.com <http://test.dyn.example.com/>
nsupdate -4l <<<$'update add '"$(sed -e 's/ IN / 60 /'
./*.key)"$'\nsend\n'
nsupdate -k *.private <<<$'server 127.0.0.1\nupdate add
test.dyn.example.com <http://test.dyn.example.com/>. 60 IN A
10.200.20.28\nsend\n'
The first command generates a key-pair, the second uses the local
session key to add the public key into the zone and the last one is
supposed to use the newly added key to add an address.
It is the last command that fails with "REFUSED" and I cannot figure out
what's wrong. I'm fairly sure nothing has changed on my end and that
this simplified example is a fair representation of what used to work.
In any case, I believe this example /should/ work according to the docs.
Any ideas?
Cheers,
Seb
--
Petr Špaček
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users