To: bind9-confidential@isc.org
Date: Fri, 28 Jul 2017 11:14:21 +1000
References: <RT-Ticket-45629@isc.org> <alpine.DEB.2.11.1707271834440.30284@grey.csi.cam.ac.uk> <rt-4.4.1-98209-1501179724-1152.45629-3-0@isc.org>
In-Reply-To: Your message of "Thu, 27 Jul 2017 18:22:04 +0000." <rt-4.4.1-98209-1501179724-1152.45629-3-0@isc.org>
X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00, RP_MATCHES_RCVD autolearn=ham autolearn_force=no version=3.4.1
From marka@isc.org  Fri Jul 28 01:14:28 2017
Subject: Re: [ISC-Bugs #45629] when update add CDS is REFUSED
X-Original-To: bind9-confidential@bugs.isc.org
Message-ID: <20170728011421.874A5802ED01@rock.dv.isc.org>
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on mx.ams1.isc.org
X-RT-Interface: Email
Delivered-To: bind9-confidential@bugs.isc.org
From: "Mark Andrews" <marka@isc.org>
X-RT-Incoming-Encryption: Not encrypted
content-type: text/plain; charset="utf-8"
Return-Path: <marka@isc.org>
Received: from mx.ams1.isc.org (mx.ams1.isc.org [199.6.1.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "mx.ams1.isc.org", Issuer "COMODO RSA Organization Validation Secure Server CA" (not verified)) by bugs.isc.org (Postfix) with ESMTPS id 986E6D78ACE for <bind9-confidential@bugs.isc.org>; Fri, 28 Jul 2017 01:14:28 +0000 (UTC)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.ams1.isc.org (Postfix) with ESMTPS id 4219024AE10 for <bind9-confidential@isc.org>; Fri, 28 Jul 2017 01:14:19 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 14091160067 for <bind9-confidential@isc.org>; Fri, 28 Jul 2017 01:14:24 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id F39D9160053 for <bind9-confidential@isc.org>; Fri, 28 Jul 2017 01:14:23 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 6VbXD40bWgnZ for <bind9-confidential@isc.org>; Fri, 28 Jul 2017 01:14:23 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id AF144160036 for <bind9-confidential@isc.org>; Fri, 28 Jul 2017 01:14:23 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 874A5802ED01 for <bind9-confidential@isc.org>; Fri, 28 Jul 2017 11:14:21 +1000 (AEST)
X-RT-Original-Encoding: utf-8
RT-Message-ID: <rt-4.4.1-1127-1501204469-1313.45629-0-0@isc.org>
Content-Length: 650


With inline signing DNSSEC records (other than DS) are modified by
other paths than using UPDATE.   I would be using these mechanisms
instead of UPDATE even with normal signed zones.

dnssec-settime and dnssec-keygen

       -P sync date/offset
           Sets the date on which CDS and CDNSKEY records that match this key
           are to be published to the zone.

       -D sync date/offset
           Sets the date on which the CDS and CDNSKEY records that match this
           key are to be deleted.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org