MIME-Version: 1.0
Date: Thu, 27 Jul 2017 19:21:52 +0100
X-Cam-Scannerinfo: http://help.uis.cam.ac.uk/email-scanner-virus
Subject: when update add CDS is REFUSED
X-Original-To: bind9-confidential@bugs.isc.org
User-Agent: Alpine 2.11 (DEB 23 2013-08-11)
X-Cam-Antivirus: no malware found
Delivered-To: bind9-confidential@bugs.isc.org
From dot@dotat.at  Thu Jul 27 18:22:01 2017
To: bind9-bugs@isc.org
content-type: TEXT/PLAIN; charset="utf-8"
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx.pao1.isc.org", Issuer "COMODO RSA Organization Validation Secure Server CA" (not verified)) by bugs.isc.org (Postfix) with ESMTPS id 13943D78ACE for <bind9-confidential@bugs.isc.org>; Thu, 27 Jul 2017 18:22:01 +0000 (UTC)
Received: from ppsw-30.csi.cam.ac.uk (ppsw-30.csi.cam.ac.uk [131.111.8.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id B67D43496FB for <bind9-bugs@isc.org>; Thu, 27 Jul 2017 18:21:56 +0000 (UTC)
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:36224) by ppsw-30.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.136]:25) with esmtps (TLSv1:ECDHE-RSA-AES256-SHA:256) id 1danQ1-000Vz6-eT (Exim 4.89) (return-path <dot@dotat.at>); Thu, 27 Jul 2017 19:21:53 +0100
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mx.pao1.isc.org
Return-Path: <dot@dotat.at>
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL autolearn=ham autolearn_force=no version=3.4.0
X-RT-Incoming-Encryption: Not encrypted
Message-ID: <alpine.DEB.2.11.1707271834440.30284@grey.csi.cam.ac.uk>
From: "Tony Finch" <dot@dotat.at>
CC: "Tony Finch" <dot@dotat.at>
X-RT-Original-Encoding: ascii
X-RT-Interface: Email
Content-Length: 3631

I've been trying to get a test setup for CDS/CDNSKEY and I've hit a snag...

I think (after the investigation below) this is a documentation bug - the
ARM should have a section on what you can't do with inline-signing zones
that you can do with UPDATE on non-inline signed zones.

I'm not entirely sure what those things are - I guess most of section 4.9
of the ARM? Instead you have to use dnssec-settime to configure the signer
and rndc for more fancy stuff (such as reloading keys, NSEC3 wrangling).
Except that you can still use `update del dnskey` to go insecure.

Confusing.


I have a signed zone...

2017-07-27.17:30:15.053 general: info: received control channel command 'sign fanf2.ucam.org in auth'
2017-07-27.17:30:15.053 general: info: zone fanf2.ucam.org/IN/auth (signed): reconfiguring zone keys
2017-07-27.17:30:15.070 general: info: zone fanf2.ucam.org/IN/auth (signed): next key event: 27-Jul-2017 18:30:15.053

I try adding a CDS record...

2017-07-27.17:30:24.315 update-security: info: client @0x7f824c136f10 127.0.0.1#7551/key local-ddns: view auth: update 'fanf2.ucam.org/IN' signer "local-ddns" allowed by ACL
2017-07-27.17:30:24.315 update: info: client @0x7f824c136f10 127.0.0.1#7551/key local-ddns: view auth: updating zone 'fanf2.ucam.org/IN': adding an RR at 'fanf2.ucam.org' CDS 15364 5 2 72675A4FFAD8BA229507BF48544E292CB04FCBEC1797A387B8B42B0A 18934AF7
2017-07-27.17:30:24.315 general: info: zone fanf2.ucam.org/IN/auth (unsigned): fanf no DNSKEY
2017-07-27.17:30:24.315 update: info: client @0x7f824c136f10 127.0.0.1#7551/key local-ddns: view auth: updating zone 'fanf2.ucam.org/IN': update rejected: bad CDS RRset

OK, something weird is going on. I added some debug logging (see below),
which is where the "fanf" log line came from. Somehow it thinks the zone
is unsigned?

Ah, but it's an inline-signing zone, and in ns_update_start() there's a comment:

	/*
	 * If there is a raw (unsigned) zone associated with this
	 * zone then it processes the UPDATE request.
	 */

which I think means most of the dnssec-update-related functionality will
be weirdly broken. For example, try adding a DNSKEY record and get a
SERVFAIL because:

2017-07-27.17:53:25.055 update: info: client @0x7f2c38161f60 127.0.0.1#11635/key local-ddns: view auth: updating zone 'fanf2.ucam.org/IN': adding an RR at 'fanf2.ucam.org' DNSKEY 257 3 5 [snip]
2017-07-27.17:53:25.055 general: warning: dns_dnssec_findzonekeys2: error reading (null)/Kfanf2.ucam.org.+005+15364.private: file not found
2017-07-27.17:53:25.055 update: error: client @0x7f2c38161f60 127.0.0.1#11635/key local-ddns: view auth: updating zone 'fanf2.ucam.org/IN': found no active private keys, unable to generate any signatures
2017-07-27.17:53:25.055 update: error: client @0x7f2c38161f60 127.0.0.1#11635/key local-ddns: view auth: updating zone 'fanf2.ucam.org/IN': RRSIG/NSEC/NSEC3 update failed: not found

Why is the key directory null? Well, looks like in zoneconf.c the setting
isn't copied to the raw version of the zone.

--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -17915,6 +17915,7 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
 	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
 				     dns_rdatatype_none, 0, &dnskey, NULL);
 	if (result == ISC_R_NOTFOUND) {
+		dns_zone_log(zone, ISC_LOG_INFO, "fanf no DNSKEY");
 		if (dns_rdataset_isassociated(&cds))
 			result = DNS_R_BADCDS;
 		else

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Tyne, Dogger: South 4 or 5, veering southwest 5 or 6. Slight or moderate.
Thundery showers. Mainly good.