Project

General

Profile

Actions
Copy link

Bug #10330

open

BIND zone configuration displays wrong DS resource record with inline DNSSEC signing enabled

Added by Andreas Grommek almost 5 years ago. Updated over 2 years ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
BIND
Target version:
-
Start date:
03/10/2020
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:
All

Description

Hi everybody

The zone GUI for the BIND DNS server helpfully displays the DS resource records to transfer to the parent zone when inline DNSSEC signing is enabled. However, if one enables inline DNSSEC signing for both a zone and a child zone on the same server instance, the wrong DS resource records are displayed in the parent zone configuration GUI.

Steps to reproduce:

  1. Create a zone using the GUI, e.g. example.com, enable DNS inline-signing, save. --> DS records for example.com are displayed correctly in the GUI for zone example.com.
  2. Create a subzone using the GUI, e.g. sub1.example.com, enable DNS inline-signing, save. --> DS RRs for sub1.example.com are displayed correctly in the GUI for zone sub1.example.com.
  3. Edit parent zone (example.com) again, of just open and click "save" without any changes. --> Now the DS RRs for subzone sub1.example.com are wrongly displayed in the GUI for parent zone example.com.

I verified that this is a display problem "only". Asking the server for DNSKEY RRs for the zones example.com and sub1.example.com returns the correct DNSKEY RRs for these zones. The public keys returned from a DNS query were compared to the keys living in /cf/named/etc/namedb/keys on pfSense and they match.

Maybe interesting/important background: My parent zone (example.com) only contains delegation entries to the subzones, i.e. NS RRs delegating to the authoritative name servers for the subzones which happen to have the same A and AAAA RRs as the server for the parent zone, as indicated by the glue records. I chose this setup to be able to easily move subzones to a different/dedicated authoritative server at a later date.

Here is how the zone file for my parent zone looks like:

$TTL 300
$ORIGIN example.com.
example.com. IN  SOA ns.example.com. zoneadmin.example.com. (
        013 ; serial
        1h ; refresh
        2h ; retry
        10w ; expire
        1h ; default_ttl
        )

@         IN NS     ns.example.com.
ns        IN A      192.168.77.1
ns        IN AAAA   fd00:192:168:77::f:1

sub1      IN NS     ns.sub1.example.com.
ns.sub1   IN A      192.168.77.1
ns.sub1   IN AAAA   fd00:192:168:77::f:1

sub2      IN NS     ns.sub2.example.com.
ns.sub2   IN A      192.168.77.1
ns.sub2   IN AAAA   fd00:192:168:77::f:1

sub3      IN NS     ns.sub3.example.com.
ns.sub3   IN A      192.168.77.1
ns.sub3   IN AAAA   fd00:192:168:77::f:1
Actions
Copy link

Also available in: Atom PDF