How do I insert "CDS 0 0 0 0"?


How do I insert "CDS 0 0 0 0"?

Mark Elkins
What is the magic incantation for inserting a "CDS 0 0 0 0" record in BIND?
Version - BIND 9.16.6 (Stable Release)
I've read RFC 8078, which says... (https://tools.ietf.org/html/rfc8078)
The contents of the CDS or CDNSKEY RRset MUST contain one RR and only
   contain the exact fields as shown below.

      CDS 0 0 0 0

      CDNSKEY 0 3 0 0

In Knot docs... https://ripe75.ripe.net/presentations/123-CDNSKEY-FRED-KNOT-RIPE75.pdf
it says...

DS deletion via "CDNSKEY 0 3 0 AA==" or "CDS 0 0 0 00" must be done manually

In https://www.nic.ch/export/shared/.content/files/SWITCH_CDS_Manual_en.pdf it says...

A child zone can also signal to turn off DNSSEC by removing the DS record set in the parent zone.
In this case, the operator may publish a special CDS record which must exactly match:
CDS 0 0 0 00


I have a zone called "nodnssec.edu.za".

In a text zone file, if I add:

CDS     0 0 0 0

I get the following (from running: /usr/sbin/named-checkconf -z /etc/bind/named.conf | grep nodnssec):

_default/nodnssec.edu.za/IN: bad hex encoding
dns_rdata_fromtext: db.nodnssec.edu.za:17: near eol: bad hex encoding
zone nodnssec.edu.za/IN: loading from master file db.nodnssec.edu.za failed: bad hex encoding
zone nodnssec.edu.za/IN: not loaded due to errors.

CDS     0 0 0 00   gives me....

_default/nodnssec.edu.za/IN: bad CDS
zone nodnssec.edu.za/IN: CDS/CDNSKEY consistency checks failed
zone nodnssec.edu.za/IN: not loaded due to errors.

I've also tried a null string - CDS     0 0 0 ""    - no joy.

So what should I add?

I've seen a record hosted by Cloudflare.... for revolution.edu.za, DIG shows that as "CDS     0 0 0 00" and the NET_DNS2 software shows it as...  "CDS     0 0 0 " (no digest at all).




--

Mark James ELKINS  -  Posix Systems - (South) Africa
[hidden email]       Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za



_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: How do I insert "CDS 0 0 0 0"?

Mark Andrews
Use up to date software. 

-- 
Mark Andrews

On 4 Oct 2020, at 23:48, Mark Elkins <[hidden email]> wrote:


Re: How do I insert "CDS 0 0 0 0"?

Mark Andrews
All the fields must exist.  NET_DNS2 is wrong.

There must only be the delete cds/cdnskey records and not any other cds/cdnskey records. Publish and delete instructions at the same time is not consistent.

-- 
Mark Andrews

On 5 Oct 2020, at 00:02, Mark Andrews <[hidden email]> wrote:


Re: How do I insert "CDS 0 0 0 0"?

Mark Elkins
In reply to this post by Mark Andrews

Thanks for answering on a Sunday,

Umm...

I'm using BIND 9.16.6 and although 9.16.7 is out - 9.16.6 doesn't seem to be very old.

In the update logs, I see....

Notes for BIND 9.16.7

New Features

  • Log when named adds a CDS/CDNSKEY to the zone. [GL #1748]

------------------------------------------------------------------------------------------------------------

I'm running Gentoo - and the newest version of BIND in the repository is bind-9.16.6-r3
Should I not be running what is one version away from the Current-Stable version?

The ONLY DNSSEC type record I have in this zone is the "CDS 0 0 0 0" record.

I totally agree with ...

> There must only be the delete cds/cdnskey records and not any other cds/cdnskey records.
> Publish and delete instructions at the same time is not consistent.

I'm also not surprised that NET_DNS2 is wrong. Have emailed the author.

Still - what does one correctly enter into a text based zone?

The text zone currently looks like...

$TTL 3600
@        IN    SOA    control.vweb.co.za. dns-admin.posix.co.za. (
            2020100404    ; Serial number
            3600        ; Refresh, 86400=1 day, 3600=1 hr
            1800        ; Retry after 30 mins
            604800        ; Expire after 7 days
            1800 )        ; Negative TTL, 21600=6 hrs, 1800=30 mins

@        IN    A    192.96.24.5
@        IN    AAAA    2001:42a0::5
@        IN    NS    control.vweb.co.za.
@        IN    NS    secdns1.posix.co.za.
@        IN    CDS    0 0 0 00

www        IN    A    192.96.24.5
www        IN    AAAA    2001:42a0::5


On 2020/10/04 15:02, Mark Andrews wrote:
--

Mark James ELKINS  -  Posix Systems - (South) Africa
[hidden email]       Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za


Re: How do I insert "CDS 0 0 0 0"? *** SOLVED ***

Mark Elkins

Did some more Googling....

So the correct format to add a "Please delete all CD records for my domain" is "CDC 0 0 0 00".

However, in order to get BIND to accept this, you also have to have a working DNSKEY (KSK) key in the Zone... that's really intuitive!
To reduce code changes in my system - I also have a ZSK.
Of course there must be no other CDS keys in the zone - in spite of one normally doing that when one creates a KSK...

(Thinking about pushing the Start button to stop the machine - then again, I run Linux)

On 2020/10/04 15:45, Mark Elkins wrote:

--

Mark James ELKINS  -  Posix Systems - (South) Africa
[hidden email]       Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za


Re: How do I insert "CDS 0 0 0 0"? *** SOLVED ***

Mark Elkins

Ugh... typos

Please read that as....

So the correct format to add a "Please delete all DS records for my domain" is "CDS 0 0 0 00".

On 2020/10/04 19:12, Mark Elkins wrote:

--

Mark James ELKINS  -  Posix Systems - (South) Africa
[hidden email]       Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za


Re: How do I insert "CDS 0 0 0 0"? *** SOLVED ***

Bind-Users forum mailing list

I wonder if there is some fundamental confusion regarding the purpose of CDS/CDNSKEY if it comes across as unintuitive that you need a fully operational signed zone, including relevant DNSKEY records.

There might be room for improvement regarding what happened when this requirement was not fulfilled (your description does not say what exactly happened), but it's a scenario where the CDS/CDNSKEY signalling cannot work:

CDS/CDNSKEY signals to the registry what the next entry point DNSKEY (KSK/CSK) will be for an already signed zone.

In order for CDS/CDNSKEY to be trustable and serve any purpose, the zone must currently be signed and validate properly, including the signature for that CDS/CDNSKEY record.

"CDS 0 0 0 00" is no exception. The use-case for this "null" CDS record is: my zone is currently signed and working, but I am for whatever reason planning to stop signing the zone soon.

If something is broken in terms of signing, CDS is probably not what you are looking for. (Either recover the breakage on your end or manage the DS records out of band, like via a registrar control panel or API.)

If the zone was not signed in the first place, CDS serves no purpose.


Best regards,
Håkan Lindqvist

On 10/4/2020 7:19 PM, Mark Elkins wrote:

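As an added example (not code from the thread, from BIND or from any of the posters), here is a small Python checker that models the rules the thread arrives at: the hex digest parsing that rejects "CDS 0 0 0 0" and CDS 0 0 0 "" with "bad hex encoding", Mark Andrews' rule that the delete signal must be the only CDS record, and the point made in the SOLVED post and in Håkan's reply that a CDS record, the null one included, only means something in a zone that carries a KSK/CSK DNSKEY. The key-tag/algorithm match for non-delete CDS records is a simplification of the check a real loader does (no DS digest comparison), the zone parser only understands one-line "owner IN TYPE rdata" records, and the DNSKEY in the sample data is a constructed dummy key, not a real one.

```python
"""Simplified CDS checker for a child zone (constructed example, not BIND's
code). Rules modelled from the thread: the digest field is hex, so "0" (odd
digit count) cannot be decoded and the one-octet delete digest is written
"00"; the delete signal must be the only CDS record; and CDS only means
something in a signed zone, so a DNSKEY with the SEP flag (KSK/CSK) must exist
and a non-delete CDS must match one of those keys by key tag and algorithm."""
import base64
import binascii


class ZoneError(ValueError):
    """Messages modelled on the loader diagnostics quoted in the thread."""


def parse_cds_rdata(rdata):
    """'key_tag algorithm digest_type digest_hex' -> (tag, alg, dtype, digest)."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ZoneError("bad CDS: expected 4 fields, got %d" % len(fields))
    tag, alg, dtype, digest_hex = fields
    digest_hex = digest_hex.strip('"')
    # Hex needs at least one octet and an even digit count, which is why
    # CDS 0 0 0 0 and CDS 0 0 0 "" are rejected with 'bad hex encoding'.
    if not digest_hex or len(digest_hex) % 2:
        raise ZoneError("bad hex encoding")
    try:
        digest = binascii.unhexlify(digest_hex)
    except binascii.Error:
        raise ZoneError("bad hex encoding") from None
    return int(tag), int(alg), int(dtype), digest


def is_delete_signal(cds):
    """RFC 8078 section 4: 0 0 0 plus a single zero octet ("CDS 0 0 0 00")."""
    return cds == (0, 0, 0, b"\x00")


def dnskey_key_tag(flags, protocol, algorithm, pubkey):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_zone(zone_text):
    """Collect CDS and DNSKEY records from 'owner IN TYPE rdata' lines."""
    cds, keys = [], []
    for raw in zone_text.splitlines():
        parts = raw.split(";", 1)[0].split(None, 3)
        if len(parts) < 4 or parts[1] != "IN":
            continue  # directives, SOA continuation lines, other classes
        if parts[2] == "CDS":
            cds.append(parse_cds_rdata(parts[3]))
        elif parts[2] == "DNSKEY":
            flags, proto, alg, key_b64 = parts[3].split(None, 3)
            pubkey = base64.b64decode("".join(key_b64.split()))
            tag = dnskey_key_tag(int(flags), int(proto), int(alg), pubkey)
            keys.append((int(flags), int(alg), tag))
    return cds, keys


def _check(zone_text):
    cds, keys = parse_zone(zone_text)
    if not cds:
        return "no CDS published"
    # flags bit 0x0001 is the SEP (secure entry point) flag: 257 = KSK/CSK
    ksks = {(alg, tag) for flags, alg, tag in keys if flags & 0x0001}
    if not ksks:
        # The thread's conclusion: without a KSK/CSK there is no chain the
        # parent could verify the signal against, and BIND refuses the zone.
        raise ZoneError("bad CDS: zone has no DNSKEY with the SEP flag")
    if any(is_delete_signal(r) for r in cds):
        if len(cds) > 1:  # publish and delete at the same time is inconsistent
            raise ZoneError("CDS/CDNSKEY consistency checks failed")
        return "delete signal: parent should remove the DS RRset"
    for tag, alg, _dtype, _digest in cds:
        if (alg, tag) not in ksks:
            raise ZoneError("bad CDS: key tag %d/alg %d matches no KSK" % (tag, alg))
    return "%d CDS record(s) reference a published KSK" % len(cds)


def check_cds(zone_text):
    """Return (loaded, message), as named-checkconf -z accepts or rejects a zone."""
    try:
        return True, _check(zone_text)
    except ZoneError as err:
        return False, str(err)


# Constructed zones modelled on the thread; the DNSKEY is a dummy 4-octet key
# ("AQIDBA==" is 01 02 03 04), not a real one, whose key tag works out to 2068.
UNSIGNED_DELETE = "@ IN NS ns1.example.\n@ IN CDS 0 0 0 00\n"
KSK_LINE = "@ IN DNSKEY 257 3 13 AQIDBA==\n"
SIGNED_DELETE = UNSIGNED_DELETE + KSK_LINE
SIGNED_CDS = KSK_LINE + "@ IN CDS 2068 13 2 " + "ab" * 32 + "\n"
```

Running check_cds over UNSIGNED_DELETE reproduces the thread's "bad CDS" refusal, while SIGNED_DELETE (same zone plus the KSK) is accepted as a delete signal.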