Bug #10330
openBIND zone configuration displays wrong DS resource record with inline DNSSEC signing enabled
100%
Description
Hi everybody
The zone GUI for the BIND DNS server helpfully displays the DS resource records to transfer to the parent zone when inline DNSSEC signing is enabled. However, if one enables inline DNSSEC signing for both a zone and a child zone on the same server instance, the wrong DS resource records are displayed in the parent zone configuration GUI.
Steps to reproduce:
- Create a zone using the GUI, e.g. example.com, enable DNS inline-signing, save. --> DS records for example.com are displayed correctly in the GUI for zone example.com.
- Create a subzone using the GUI, e.g. sub1.example.com, enable DNS inline-signing, save. --> DS RRs for sub1.example.com are displayed correctly in the GUI for zone sub1.example.com.
- Edit parent zone (example.com) again, of just open and click "save" without any changes. --> Now the DS RRs for subzone sub1.example.com are wrongly displayed in the GUI for parent zone example.com.
I verified that this is a display problem "only". Asking the server for DNSKEY RRs for the zones example.com and sub1.example.com returns the correct DNSKEY RRs for these zones. The public keys returned from a DNS query were compared to the keys living in /cf/named/etc/namedb/keys on pfSense and they match.
Maybe interesting/important background: My parent zone (example.com) only contains delegation entries to the subzones, i.e. NS RRs delegating to the authoritative name servers for the subzones which happen to have the same A and AAAA RRs as the server for the parent zone, as indicated by the glue records. I chose this setup to be able to easily move subzones to a different/dedicated authoritative server at a later date.
Here is how the zone file for my parent zone looks like:
$TTL 300 $ORIGIN example.com. example.com. IN SOA ns.example.com. zoneadmin.example.com. ( 013 ; serial 1h ; refresh 2h ; retry 10w ; expire 1h ; default_ttl ) @ IN NS ns.example.com. ns IN A 192.168.77.1 ns IN AAAA fd00:192:168:77::f:1 sub1 IN NS ns.sub1.example.com. ns.sub1 IN A 192.168.77.1 ns.sub1 IN AAAA fd00:192:168:77::f:1 sub2 IN NS ns.sub2.example.com. ns.sub2 IN A 192.168.77.1 ns.sub2 IN AAAA fd00:192:168:77::f:1 sub3 IN NS ns.sub3.example.com. ns.sub3 IN A 192.168.77.1 ns.sub3 IN AAAA fd00:192:168:77::f:1
Updated by Viktor Gurov over 4 years ago
- Affected Version deleted (
2.2.4)
Updated by Jim Pingle over 4 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!