Report information
The Basics
Id:
46252
Status:
resolved
Priority:
Low/Low
Queue:

People
Owner:
Nobody in particular
Cc:
AdminCc:

BugTracker
Version Fixed:
(no value)
Version Found:
(no value)
Versions Affected:
9.11.2
Versions Planned:
(no value)
Priority:
(no value)
Severity:
(no value)
CVSS Score:
(no value)
CVE ID:
(no value)
Component:
(no value)
Area:
feature

Dates
Created: Wed, 11 Oct 2017 12:38:45 -0400
Updated: Sat, 14 Oct 2017 16:21:32 -0400
Closed: Sat, 14 Oct 2017 16:21:32 -0400


To: bind9-public@isc.org
From: cathya@isc.org
Subject: BIND inline un-signer for scrubbing DNSSEC material when slaving a signed zone
Date: Wed, 11 Oct 2017 16:38:45 +0000
The use case for this is the need to strip out old DNSSEC material when transitioning a DNSSEC-signed zone between providers, specifically to be able to scrub DNSSEC records from a zone that is being slaved from an external master.
I fail to see why this is needed at all. Remove the DS records from the parent zone and it doesn't matter if there are DNSSEC records in the zone as there is no longer a chain of trust. This is the first step in the process of unsigning a zone. The inline signer without any keys configured for the zone will achieve this but it shouldn't be necessary.
On Thu Oct 12 22:41:54 2017, marka wrote:
> I fail to see why this is needed at all. Remove the DS records from
> the parent zone
> and it doesn't matter if there are DNSSEC records in the zone as there
> is no longer
> a chain of trust. This is the first step in the process of unsigning
> a zone.

The use case in this instance is the need to import a signed zone from a third party via zone transfer, and to strip out the other party's DNSSEC material from the zone. The zone will then be signed again locally, but using a dnssec-signing tool rather than BIND's inline signing (which would otherwise have handled this very well!)

> The inline signer without any keys configured for the zone will
> achieve this but it
> shouldn't be necessary.

Are you suggesting that if you import an already-signed zone with "inline-signing yes;" but without providing keys to the inline signer, named will un-sign the zone without erroring over the lack of keys? Yes, this is what's wanted and should be quite easy for BIND to do, but I think it does not do it now.
I suggested this to the fella at OARC, but I wasn't sure at the time that it would work, and now I've confirmed that it does: the inline signing code will strip DNSSEC content and serve an un-signed zone, if you use it without configuring a local key:

zone example.com {
    type slave;
    masters { <address>; };
    allow-transfer { <addresses>; };
    inline-signing yes;
};

Note the lack of "auto-dnssec maintain", and no signing keys have been generated. This will set up a server as a bump-in-the-wire "unsigner" for example.com. Can someone get back to him with that information? And I'll resolve this ticket, as there's no work needed.
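Before relying on the bump-in-the-wire "unsigner" described above, a practitioner will want to confirm two things: that the slave serves no DNSSEC RR types at all, and that it serves every other RRset exactly as the external master does. The script below is an added example, not code from ISC or from this ticket. It assumes you have captured both copies of the zone as one-RR-per-line presentation text, e.g. with "dig @<master> example.com AXFR" and "dig @<unsigner> example.com AXFR" (dig repeats the SOA at the end of an AXFR; the set-based parser deduplicates it). It also assumes that the served copy's SOA serial need not match the master's, since the inline-signing slave keeps its own serial for the copy it serves, so the serial is masked before comparison. The two zone dumps embedded in the script are constructed for the example, with dummy RRSIG and DNSKEY rdata; the second unsigner dump is deliberately broken (a leftover DNSKEY and a dropped A record) to show what a failed check reports. This check says nothing about the DS records in the parent, which marka's reply covers separately.

```python
"""Check that a BIND inline-signing slave with no keys (an 'unsigner')
strips DNSSEC material from a zone and changes nothing else.

Added example; not ISC's code and not from the ticket. Input is
dig-style AXFR output, one RR per line: owner TTL class type rdata.
The zone dumps below are constructed for this example."""

# RR types that carry DNSSEC material; the unsigner must serve none of them.
DNSSEC_TYPES = {"DNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "CDS", "CDNSKEY"}

MASTER_SIGNED = """\
; constructed: the signed zone as transferred from the external master
example.com.      3600 IN SOA    ns1.example.com. hostmaster.example.com. 2017101101 7200 3600 1209600 3600
example.com.      3600 IN RRSIG  SOA 8 2 3600 20171111000000 20171012000000 12345 example.com. ZHVtbXk=
example.com.      3600 IN NS     ns1.example.com.
example.com.      3600 IN RRSIG  NS 8 2 3600 20171111000000 20171012000000 12345 example.com. ZHVtbXk=
example.com.      3600 IN DNSKEY 257 3 8 AwEAAZHVtbXk=
example.com.      3600 IN NSEC   ns1.example.com. NS SOA RRSIG NSEC DNSKEY
ns1.example.com.  3600 IN A      192.0.2.1
ns1.example.com.  3600 IN RRSIG  A 8 3 3600 20171111000000 20171012000000 12345 example.com. ZHVtbXk=
ns1.example.com.  3600 IN NSEC   www.example.com. A RRSIG NSEC
www.example.com.  3600 IN A      192.0.2.10
www.example.com.  3600 IN RRSIG  A 8 3 3600 20171111000000 20171012000000 12345 example.com. ZHVtbXk=
www.example.com.  3600 IN NSEC   example.com. A RRSIG NSEC
example.com.      3600 IN SOA    ns1.example.com. hostmaster.example.com. 2017101101 7200 3600 1209600 3600
"""

UNSIGNER_OK = """\
; constructed: what a correctly working unsigner serves (note the different serial)
example.com.      3600 IN SOA    ns1.example.com. hostmaster.example.com. 2017101105 7200 3600 1209600 3600
example.com.      3600 IN NS     ns1.example.com.
ns1.example.com.  3600 IN A      192.0.2.1
www.example.com.  3600 IN A      192.0.2.10
example.com.      3600 IN SOA    ns1.example.com. hostmaster.example.com. 2017101105 7200 3600 1209600 3600
"""

UNSIGNER_BAD = """\
; constructed: a broken unsigner that leaks a DNSKEY and lost the www A record
example.com.      3600 IN SOA    ns1.example.com. hostmaster.example.com. 2017101105 7200 3600 1209600 3600
example.com.      3600 IN NS     ns1.example.com.
example.com.      3600 IN DNSKEY 257 3 8 AwEAAZHVtbXk=
ns1.example.com.  3600 IN A      192.0.2.1
"""


def parse_zone(text):
    """Turn one-RR-per-line zone text into a set of (owner, class, type, rdata)
    tuples. TTLs and ';' comment lines are dropped. The SOA serial is replaced
    by '*' because this example assumes the inline-signing slave maintains its
    own serial for the copy it serves, so serials are not expected to match."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)
        if len(fields) < 5:
            raise ValueError("not a one-line RR: %r" % line)
        owner, _ttl, rclass, rtype, rdata = fields
        rdata_fields = rdata.split()
        if rtype.upper() == "SOA":
            rdata_fields[2] = "*"  # mname rname SERIAL refresh retry expire minimum
        records.add((owner.lower(), rclass.upper(), rtype.upper(), " ".join(rdata_fields)))
    return records


def check_unsigner(master_text, unsigner_text):
    """Compare the master's signed zone with what the unsigner serves.
    leaked  - DNSSEC RR types the unsigner still serves (must be empty)
    missing - non-DNSSEC RRs on the master that the unsigner does not serve
    extra   - non-DNSSEC RRs the unsigner serves that the master does not have
    ok      - True only when all three are empty"""
    master = parse_zone(master_text)
    served = parse_zone(unsigner_text)
    expected = {r for r in master if r[2] not in DNSSEC_TYPES}
    served_plain = {r for r in served if r[2] not in DNSSEC_TYPES}
    leaked = sorted({r[2] for r in served if r[2] in DNSSEC_TYPES})
    missing = sorted(expected - served_plain)
    extra = sorted(served_plain - expected)
    return {"ok": not (leaked or missing or extra),
            "leaked": leaked, "missing": missing, "extra": extra}


if __name__ == "__main__":
    for name, dump in (("good unsigner", UNSIGNER_OK), ("broken unsigner", UNSIGNER_BAD)):
        result = check_unsigner(MASTER_SIGNED, dump)
        print("%s: %s" % (name, "OK" if result["ok"] else "FAILED"))
        for key in ("leaked", "missing", "extra"):
            for item in result[key]:
                print("  %s: %s" % (key, item))
```

The comparison deliberately ignores TTLs and the SOA serial but nothing else, so a zone that lost an ordinary RR during the transfer, or gained one, is reported alongside any leftover DNSSEC types. Run it against real dumps by replacing the constructed strings with the contents of the two AXFR captures; both servers must allow the transfer from the host running the check.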