Report information
The Basics
Id: 46251
Status: resolved
Priority: Low/Low
Queue: BugTracker
Version Fixed: 9.12.0, 9.11.3, 9.10.7, 9.9.12
Version Found: (no value)
Versions Affected: (no value)
Versions Planned: (no value)
Priority: P1 High
Severity: S1 High
CVSS Score: (no value)
CVE ID: (no value)
Component: BIND Server
Area: bug

Dates
Created: Wed, 11 Oct 2017 07:10:08 -0400
Updated: Wed, 11 Oct 2017 17:29:14 -0400
Closed: Wed, 11 Oct 2017 17:29:14 -0400


To: bind9-public@isc.org
From: michal@isc.org
Date: Wed, 11 Oct 2017 13:10:07 +0200
Subject: Automated trust anchor updates may be delayed due to cached RRsets
named ignores a DNSKEY RRset received in an RFC 5011 refresh response if there is a non-expired, validated version of that DNSKEY RRset available in the cache. In other words, any changes published on the authoritative servers for a given trust point (e.g. adding new keys, revoking ones already published) are not acted upon by named until the TTL of the relevant cache entry expires.
Branch rt46251 fixes this issue by forcing the fetched DNSKEY RRset to replace the cached one despite having a lower trust level assigned. Please review. The mkeys system test will be fixed in RT #45293.
Looks fine.
Because I'd really like to have this fix in the beta and code freeze is today, I've taken the liberty of merging this.

4771. [bug] When sending RFC 5011 refresh queries, disregard cached DNSKEY rrsets. [RT #46251]
9.12.0, 9.11.3, 9.10.7, 9.9.12
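The cache-versus-refresh interaction the first message describes, as an added Python model written for this page (constructed here, not BIND's code): the trust levels TRUST_ANSWER and TRUST_SECURE, the trust-point cache, the key names K1/K2 and the timings are assumptions, and fix_applied toggles between the reported behaviour and the merged fix.

```python
"""Model of RT #46251: an RFC 5011 refresh that keeps a still-valid,
validated cached DNSKEY RRset over the freshly fetched one delays any
key change until the cache entry's TTL expires. Constructed example."""
from dataclasses import dataclass, field

# Trust levels ranked as a validating resolver would (constructed names).
TRUST_ANSWER = 1   # fetched answer, not yet validated: lower trust
TRUST_SECURE = 2   # cached RRset that already passed DNSSEC validation


@dataclass
class CachedRRset:
    keys: frozenset
    trust: int
    expires_at: int  # absolute time in seconds (TTL already applied)


@dataclass
class TrustPoint:
    name: str
    cache: dict = field(default_factory=dict)  # owner name -> CachedRRset


def fetch_dnskey(tp, authoritative_keys, now, ttl, fix_applied):
    """Return the DNSKEY set the refresh acts upon.

    authoritative_keys: what the zone publishes right now (constructed).
    fix_applied=False reproduces the bug: a non-expired, validated cache
    entry outranks the lower-trust fetched answer, so the fresh set is
    dropped. fix_applied=True forces the fetched RRset to replace it.
    """
    fetched = CachedRRset(frozenset(authoritative_keys), TRUST_ANSWER, now + ttl)
    cached = tp.cache.get(tp.name)
    if (not fix_applied and cached is not None
            and cached.expires_at > now and cached.trust >= fetched.trust):
        return cached.keys            # bug: the published change is ignored
    tp.cache[tp.name] = fetched       # fix: fetched set replaces the cache
    return fetched.keys


def refresh_sees_new_key(fix_applied, now=120, ttl=3600):
    """K1 is cached and validated at t=0; the operator adds K2 shortly
    after; a refresh runs at `now`. Returns True if K2 is acted upon."""
    tp = TrustPoint(".")
    tp.cache["."] = CachedRRset(frozenset({"K1"}), TRUST_SECURE, ttl)
    seen = fetch_dnskey(tp, {"K1", "K2"}, now, ttl, fix_applied)
    return "K2" in seen


if __name__ == "__main__":
    print("buggy, inside TTL:", refresh_sees_new_key(False))        # False
    print("buggy, after TTL :", refresh_sees_new_key(False, 3700))  # True
    print("fixed, inside TTL:", refresh_sees_new_key(True))         # True
```

With the bug, the new key only becomes visible once the cached entry has aged out; with the fix it is seen on the first refresh.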