trouble with dnssec signed zone on secondary.
Ted Lindgreen
ted at NLnetLabs.nl
Thu Jan 6 08:51:31 UTC 2005
[Quoting Måns Nilsson, on Jan 6, 2:13, in "trouble with dnssec ..."]
...
> This is only somewhat related to nsd, but someone else must have hit it.
> I am having trouble AXFRing a signed zone -- named-xfer v.latest does not
> recognise the file format and writes a zone file that zonec barfs on.
Yes, this is a known problem of BIND-8.
There is a fix (appended) to prevent the BIND-8 named-xfer writing
out a zonefile with syntax errors, but this will still not produce
the correct DNSSEC zonefile, because BIND-8 does not understand the
special handling of the DS.
We have an NSD version of named-xfer, but it is not yet released (it
will soon be after quality assurance checks).
Regards,
-- ted
PS. the reply from Mark Andrews on my bug report containing a fix.
Subject: Re: [ISC-Bugs #12674] AXFR error: failure on ignoring multiple line RRs
From: "Mark Andrews via RT" <bind8-bugs at isc.org>
Reply-To: bind8-bugs at isc.org
In-Reply-To: <rt-12674 at ISC-Bugs>
X-RT-Loop-Prevention: ISC-Bugs
RT-Ticket: ISC-Bugs #12674
Managed-by: RT 2.0.15 (http://bestpractical.com/rt/)
RT-Originator: Mark_Andrews at isc.org
To: ted at NLnetLabs.nl
Date: Thu, 30 Sep 2004 00:48:42 +0000 (UTC)
> (Jakob Schlyter is Cc-ed because of his work on
> interoperability after the typecode rollover).
Firstly one really shouldn't attempt to use DNSSECbis
unless *all* the servers for the zone are DNSSECbis aware.
I'm tempted to leave this here just so that the zone transfer
fails.
That being said I feel the following patch is cleaner.
Mark
Index: named-xfer.c
===================================================================
RCS file: /proj/cvs/prod/bind8/src/bin/named-xfer/named-xfer.c,v
retrieving revision 8.144
diff -u -r8.144 named-xfer.c
--- named-xfer.c 27 Aug 2004 00:23:16 -0000 8.144
+++ named-xfer.c 30 Sep 2004 00:40:10 -0000
@@ -3087,6 +3087,8 @@
fputs(" ( ", dbfp);
isc_puthexstring(dbfp, cp1, n,
(longname ? 28 : 40), 48,
+ (ignore[0] == ';') ?
+ "\n;\t\t\t\t" :
"\n\t\t\t\t");
fputs(" )\n", dbfp);
} else
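Review bot: the added conditional in the separator argument of isc_puthexstring() reads ignore[0] with no comment and with nothing in the visible lines showing that ignore is always a valid (possibly empty) string at this point. A one-line comment above the call saying that continuation lines of an ignored record must also begin with ';' would make the intent clear, and it is worth confirming that ignore cannot be NULL here. Only this one call site is adjusted in the hunk, so any other branch in named-xfer.c that writes rdata across several lines would need the same separator choice to keep a commented-out record fully commented out.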