Report information

The Basics
Id: 43670
Status: resolved
Priority: Medium/Medium
Queue:

People
Owner: Nobody in particular
Requestors:
Cc:
AdminCc:

BugTracker
Version Fixed: 9.9.12, 9.9.12(sub), 9.10.7, 9.10.7(sub), 9.11.3, 9.11.3(sub), 9.12.1, 9.13.0
Version Found: (no value)
Versions Affected: (no value)
Versions Planned: (no value)
Priority: P2 Normal
Severity: S2 Normal
CVSS Score: (no value)
CVE ID: (no value)
Component: BIND Server
Area: feature

Dates
Created: Wed, 16 Nov 2016 22:46:33 -0500
Updated: Thu, 08 Feb 2018 23:59:35 -0500
Closed: Thu, 08 Feb 2018 23:59:35 -0500




Subject: Warn on seeing trusted-keys option in config
Warren Kumari asked today (IETF meeting) that we warn whenever we notice a trusted-keys option in config, that it is a fixed trust anchor and that users should ideally be using managed-keys.

I asked him (and Jim Martin who was sitting next to him) if he expected BIND to warn just for the root or for any trust point and he said it should be any.

From a previous discussion at ICANN with him, I think he fears that many BIND tutorials from history have described using trusted-keys, and so, many users have resolvers set up to use trusted-keys in config.
Subject: Re: [ISC-Bugs #43670] Warn on seeing trusted-keys option in config
Date: Thu, 17 Nov 2016 14:56:44 +1100
To: bind9-bugs@isc.org
From: "Mark Andrews" <marka@isc.org>
In message <rt-4.2.8-6373-1479354393-1893.43670-3-0@isc.org>, "Mukund Sivaraman via RT" writes:
> Warren Kumari asked today (IETF meeting) that we warn whenever we notice a
> trusted-keys option in config, that it is a fixed trust anchor and that users
> should ideally be using managed-keys.
>
> I asked him (and Jim Martin who was sitting next to him) if he expected BIND
> to warn just for the root or for any trust point and he said it should be any.
>
> From a previous discussion at ICANN with him, I think he fears that many BIND
> tutorials from history have described using trusted-keys, and so, many users
> have resolvers setup with use trusted-keys in config.

managed-keys are for keys where the administrator has stated that they are using RFC 5011. I know of exactly two of these: the root and dlv.isc.org.

Warning for "." and "dlv.isc.org" when they match the built-in managed keys would be appropriate. Warning for keys in both trusted-keys and managed-keys would be appropriate. Anything else should not be flagged.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
Date: Fri, 9 Feb 2018 00:39:57 +0530
Subject: Re: [ISC-Bugs #43670] Warn on seeing trusted-keys option in config
From: "Mukund Sivaraman" <muks@isc.org>
To: "Mark Andrews via RT" <bind9-bugs@isc.org>
On Thu, Nov 17, 2016 at 03:56:57AM +0000, Mark Andrews via RT wrote:
> Warning for "." and "dlv.isc.org" when they match the built-in
> managed keys would be appropriate.

Somehow this ticket seems to have dropped off the radar. Please review rt43670.

Mukund
On Thu Feb 08 09:10:07 2018, muks wrote:
> On Thu, Nov 17, 2016 at 03:56:57AM +0000, Mark Andrews via RT wrote:
> > Warning for "." and "dlv.isc.org" when they match the built-in
> > managed keys would be appropriate.
>
> Somehow this ticket seems to have dropped off the radar.
>
> Please review rt43670.
>
> Mukund

No!!! Named is used in private networks where trusted-keys for the root is perfectly appropriate.

dlv.isc.org already has plenty of warnings.

A warning for a trusted-key for "." which matches the to-be-removed key without the added key already being present would be the point where I would issue a warning. Anything else is going to generate noise or is us enforcing our policy ideas on the operator.

Also all this code should be in lib/bind9/check.c
Check the specific keys we are worried about. Moved the checks to libbind so that named-checkconf issues warnings. Ready for review.
To: "Mark Andrews via RT" <bind9-confidential@isc.org>
Subject: Re: [ISC-Bugs #43670] Warn on seeing trusted-keys option in config
CC:
Date: Fri, 9 Feb 2018 00:22:07 +0000
From: "Evan Hunt" <each@isc.org>
> ready for review

I think it might be a good idea for KSK2010 trusted-key, without any other keys, to be fatal instead of a warning. As a managed-key, it can be a warning. Maybe add a suggestion to remove it from named.conf and rely on bind.keys?

I would consider being more verbose in the DLV warnings and saying ISC DLV is shut down.

The code itself is fine.
On Thu Feb 08 14:22:09 2018, each@isc.org wrote:
> > ready for review
>
> I think it might be a good idea for KSK2010 trusted-key, without any other
> keys, to be fatal instead of a warning.

That would be us defining policy that should belong to the operator.

> As a managed-key can be a warning.
> Maybe add a suggestion to remove it from named.conf and rely on bind.keys?
>
> I would consider being more verbose in the DLV warnings and saying ISC DLV
> is shut down.
>
> The code itself is fine.
>
4889. [func] Warn about the use of old root keys without the new root key being present. Warn about dlv.isc.org's key being present. Warn about both managed and trusted root keys being present. [RT #43670]
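The ChangeLog entry above lists three conditions the merged check warns about, and Mark's earlier reply states the rule behind the first one (old root key present without the new one). The script below is an added example, not BIND's lib/bind9/check.c or any ISC code, that applies those three rules to a named.conf fragment: it parses trusted-keys and managed-keys blocks, computes each key's RFC 4034 Appendix B key tag, and recognises the root KSKs by their published tags (19036 for KSK-2010, 20326 for KSK-2017). Assumptions: keys are identified by tag rather than by comparing full key material as named does; the stand_in_key helper and the three sample configurations are constructed so the example runs offline with two-byte placeholder key data instead of real DNSKEYs; the warning texts are this example's own wording.

```python
"""Audit trusted-keys / managed-keys blocks in a named.conf-style file.

Added example, not BIND's lib/bind9/check.c. Mirrors the three warnings
from the ChangeLog entry for RT #43670, identifying root keys by key tag
(an assumption; named compares key material, not tags).
"""
import base64
import re
import struct

ROOT_KSK_2010_TAG = 19036   # retired root KSK
ROOT_KSK_2017_TAG = 20326   # current root KSK
DLV_NAME = "dlv.isc.org."   # ISC DLV registry, shut down

BLOCK_RE = re.compile(r"\b(trusted-keys|managed-keys)\s*\{(.*?)\};", re.S)
# name [initial-key] flags protocol algorithm "base64" ;
ENTRY_RE = re.compile(
    r'("[^"]*"|[^\s"]+)\s+(?:initial-key\s+)?(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;',
    re.S,
)


def key_tag(flags, proto, alg, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (non-RSAMD5 form)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode(
        "".join(pubkey_b64.split())
    )
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_keys(conf_text):
    """Return a list of {section, name, tag} for every configured key."""
    keys = []
    for section, body in BLOCK_RE.findall(conf_text):
        for name, flags, proto, alg, pub in ENTRY_RE.findall(body):
            # Normalise owner names to lower-case, fully qualified form.
            name = name.strip('"').lower().rstrip(".") + "."
            keys.append({"section": section, "name": name,
                         "tag": key_tag(int(flags), int(proto), int(alg), pub)})
    return keys


def audit(conf_text):
    """Return the warnings this checker raises for the configuration."""
    keys = parse_keys(conf_text)
    root = [k for k in keys if k["name"] == "."]
    root_tags = {k["tag"] for k in root}
    warnings = []
    # 1. Old root key configured without the new one (Mark's rule).
    if ROOT_KSK_2010_TAG in root_tags and ROOT_KSK_2017_TAG not in root_tags:
        warnings.append("root key KSK-2010 (tag 19036) is configured "
                        "without KSK-2017 (tag 20326)")
    # 2. The retired ISC DLV key is still present.
    if any(k["name"] == DLV_NAME for k in keys):
        warnings.append("dlv.isc.org key is configured but ISC DLV is shut down")
    # 3. The root trust anchor appears in both trusted-keys and managed-keys.
    if {"trusted-keys", "managed-keys"} <= {k["section"] for k in root}:
        warnings.append("root key is present in both trusted-keys and managed-keys")
    return warnings


def stand_in_key(target_tag, flags=257, proto=3, alg=8):
    """Constructed two-byte 'public key' whose key tag equals target_tag.

    Real DNSKEYs are hundreds of bytes; this placeholder only lets the
    sample configs exercise the tag logic offline (target must exceed the
    header's contribution, 1033 for 257/3/8).
    """
    header = struct.pack("!HBB", flags, proto, alg)
    base = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(header))
    return base64.b64encode(struct.pack("!H", target_tag - base)).decode()


# Constructed samples: a stale tutorial-style config, a mixed one, a clean one.
SAMPLE_STALE_CONF = f"""
trusted-keys {{
    . 257 3 8 "{stand_in_key(ROOT_KSK_2010_TAG)}";
    dlv.isc.org. 257 3 5 "AQ==";
}};
"""
SAMPLE_MIXED_CONF = f"""
trusted-keys {{
    "." 257 3 8 "{stand_in_key(ROOT_KSK_2017_TAG)}";
}};
managed-keys {{
    . initial-key 257 3 8 "{stand_in_key(ROOT_KSK_2017_TAG)}";
}};
"""
SAMPLE_CLEAN_CONF = f"""
managed-keys {{
    . initial-key 257 3 8 "{stand_in_key(ROOT_KSK_2017_TAG)}";
}};
"""

if __name__ == "__main__":
    for label, conf in [("stale", SAMPLE_STALE_CONF), ("mixed", SAMPLE_MIXED_CONF),
                        ("clean", SAMPLE_CLEAN_CONF)]:
        print(label, audit(conf) or "no warnings")
```

Run against a real named.conf, replace the tag comparison with a comparison of the actual key data shipped in bind.keys; the parsing and the three-rule structure stay the same.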
Subject: Re: [ISC-Bugs #43670] Warn on seeing trusted-keys option in config
To: "Mark Andrews via RT" <bind9-confidential@isc.org>
From: "Mukund Sivaraman" <muks@isc.org>
Date: Fri, 9 Feb 2018 10:06:07 +0530
On Thu, Feb 08, 2018 at 10:08:32PM +0000, Mark Andrews via RT wrote:
> On Thu Feb 08 09:10:07 2018, muks wrote:
> > On Thu, Nov 17, 2016 at 03:56:57AM +0000, Mark Andrews via RT wrote:
> > > Warning for "." and "dlv.isc.org" when they match the built-in
> > > managed keys would be appropriate.
> >
> > Somehow this ticket seems to have dropped off the radar.
> >
> > Please review rt43670.
> >
> > Mukund
>
> No!!! Named is used in private networks where trusted-keys for the root
> is perfectly appropriate.
>
> dlv.isc.org already has plenty of warnings.
>
> A warning for a trusted-key for "." which matches the to be removed
> key without the added key already being present would be the point
> where I would issue a warning. Anything else is going to generate
> noise or is us enforcing our policy ideas on the operator.
>
> Also all this code should be bin lib/bind9/check.c

OK. I checked the code that was merged and it looks like a better way to handle it.

Mukund