trouble with dnssec signed zone on secondary.

Hi,

This is only somewhat related to nsd, but someone else must have hit it.
I am having trouble AXFRing a signed zone -- named-xfer v.latest does not
recognise the file format and writes a zone file that zonec barfs on.

This is what is written:

; BIND version named 8.4.5-REL Wed Jan 5 19:58:17 MET 2005
; BIND version mansaxel@foot.snowman.sunet.se:/local/src/bind8/src/bin/named
; zone 'se' first transfer
; from [212.247.7.226].53 (local [130.242.94.50].33741) using AXFR at Thu Jan 6 01:13:59 2005
; TSIG verified: key xfer-sunet.tsig.ns.se..
$ORIGIN .
se 3600 IN SOA dnssec.nic.se. dnssec-registry.nic-se.se. (
                2005010518 7200 3600 2419200 7200 )
        3600 IN TYPE46 \# 86 (
0006050100000e1041e5512241dc16a285ac0273

65009256304e04d767b1f91e8887e4b675dd471d66a0404d

c1049c17996d4b0d5c80157322e66c44e9ff5e7f5822db53
                                400884b69bd899671c34dba12311e30ca5cc )
        3600 IN NS dnssec-1.ns.se.
        3600 IN NS dnssec-2.ns.se.
        3600 IN NS dnssec-5.ns.se.
        3600 IN NS dnssec-6.ns.se.
        3600 IN TYPE46 \# 86 (
0002050100000e1041e3109241d9d61285ac0273

650051e77ca6b64c030ec5f9b8124515c4883329b77c27fc

88a58519e91f81e37177317799b91d50863b5dada34e132b
                                064ae71b2f84499bd9abebdecf4c99317f6a )
        3600 IN TXT "<http://www.nic-se.se/domaner/ompekning.shtml>"
        3600 IN TXT "Read instructions before sending requests of update"
        3600 IN TYPE46 \# 86 (
0010050100000e1041e3109241d9d61285ac0273

6500247f32e69ba86f1d32e800112cac6869fe50c9924c1b

30fa5f74a05b0f2b9b7d88aae0ca0bf8e44e119dd2d7dc82
                                bb09bae1f898def4f177f61dcc6269887888 )
        7200 IN TYPE47 \# 27 (
0d30303338356b726f617469656e027365000007
                                22008000000380 )
        7200 IN TYPE46 \# 86 (
002f050100001c2041e3109241d9d61285ac0273

6500a5484993c2d65c63766aa72e446e47f8ec40f0ed8ce2

0181f02492fafdfe0fd695b26a510ffa0c3d5cce90e618f3
                                c3f85c198d2b81c703d82bdcbe8e7c46437c )
        3600 IN TYPE48 \# 70 (
010003050103baccdb8ee97a7cbf97834dd7b71e

1d15011f71a3e98e50bc5e02ac0c12907346d64944dda0e6

add2ff3c37b037971ca4bfeee9e7879298531bf36999791c
                                d01d )
        3600 IN TYPE48 \# 70 (
010003050103bcdb90e4b0390922098086851ee4

17a1ad213eb57699f89506c584baa166a36e8c6fb492d001

e6135d3fbd6480142c840c70ad0e3dd781ad749bb9a59622
                                ad01 )
        3600 IN TYPE48 \# 134 (
0101030501039f60682c22ac957844be27d25643

fc5974af76b1954ddad4d79497839b90e0210334a9fbc2dc

277a4f7ba71d07fba5342ff217f7a8fff9d3214456db6218

f54be1cb66dca1616b26c91b3ff5fc01a409daa618fca601

c555bdd048082c75eb982eb12b0ae5f17bd23f999baaf834
                                1b0533252220f2e23242873d0136a560cc2f )
        3600 IN TYPE46 \# 150 (
0030050100000e1041e3109241d9d61259610273

650099fb69877c598595ea408696721c323faa86978e6b12

700d908b32c5c0d268c2cf0b9a85ac5a4db30028b4ef0d22

52fd591f0ce7221d222b9d14da6d475e6d98bdd9f6bd42ed

0dfe317352dad1689cb18d5fd100a80f2298091e9105e6b0

cf7d2dacf9f861deeea0ea58bf89e583b93fc561e584fff4
                                7e9a7bb5071a5ef15e92 )
        3600 IN TYPE46 \# 86 (
0030050100000e1041e3109241d9d61285ac0273

65003a260306e08b66f013a2c5c34aeacb141f94e786b737

9c7d2f771c947ffb18f126c6da42fcb0046d417d657e28a9
                                cc218204fe9ca265e729ce3bdd6dd6e58d91 )
$ORIGIN se.
00385kroatien 3600 IN NS ns1.surf-town.net.
        3600 IN NS ns2.surf-town.net.
        3600 IN NS ns3.surf-town.net.
; Ignoring extra info about 00385kroatien.se, invalid after NS delegation.
; 7200 IN TYPE47 \# 19 (
06303037746132027365000006200000000003 )
; Ignoring extra info about 00385kroatien.se, invalid after NS delegation.
; 7200 IN TYPE46 \# 86 (
002f050200001c2041e3109241d9d61285ac0273

650053a108f27f7368a2413266a450cdf52a0627a46da90a

ec18d743991acbbea051eacea609b0b5ffb256740673f305
                                312e3f5b1a174535b1f76563649b89e6c636 )
$ORIGIN se.
007ta2 3600 IN NS ns1.b-one.nu.
        3600 IN NS ns2.b-one.nu.
; Ignoring extra info about 007ta2.se, invalid after NS delegation.
; 7200 IN TYPE47 \# 24 (
0b3030383030696e6b6a65740273650000062000
                                00000003 )
; Ignoring extra info about 007ta2.se, invalid after NS delegation.
; 7200 IN TYPE46 \# 86 (
002f050200001c2041e3109241d9d61285ac0273

650008e4b4a54dc37ab227513dd8ae347a08b50a1cf17328

a1880ae3e7dfa29c4ba28a76dbe2bd46bb6fd741bd377d65
                                9dce6a90ce15bac7e415817c3ba8a04dbb60 )
<snip>
And this is the debug output from zonec:
  (ignore the axfr issues -- they are known and fixed..)

foot#/usr/local/sbin/nsdc update
Warning: AXFR for se failed
zone se needs rebuilding...
rebuilding the database....
zonec: reading zone "se".
ERR: Line 66 in secondary/se: Unrecognized RR type
'650053a108f27f7368a2413266a450cdf52a0627a46da90a'
ERR: Line 67 in secondary/se: Unrecognized RR type
'ec18d743991acbbea051eacea609b0b5ffb256740673f305'
ERR: Line 68 in secondary/se: Unterminated parentheses
zonec: processed 20 RRs in "se".

zonec: done with 3 errors.
/etc/nsd/nsd.db is unmodified

The errors are quite obvious; named-xfer does not correctly comment out
records it does not understand; but how do I get a named-xfer that will
fetch the data correctly (and not complain about RRs 47 and 46 above
delegation) for zonec to compile?

Regards,
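
An added example, not part of the original message and not BIND or NSD code: a filter that finds records whose first line was commented out while the continuation lines were left live (the pattern zonec trips over above) and comments out the rest of each such record. The sample input is constructed from the 007ta2.se lines in the dump plus one made-up `ok` record; the output only parses cleanly, and the commented-out records are still missing from the zone.

```python
import re

# A comment that is really a commented-out record: "; [owner] [ttl] IN TYPE ..."
RR_IN_COMMENT = re.compile(r'^;\s*(?:\S+\s+)?(?:\d+\s+)?IN\s+\S+')

def paren_delta(text):
    """Count '(' minus ')' outside "quoted strings" and before any ';' comment."""
    depth, in_quotes = 0, False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes:
            if ch == ';':
                break
            depth += (ch == '(') - (ch == ')')
    return depth

def repair(lines):
    """Return (fixed_lines, numbers of the lines that had to be commented out)."""
    fixed, touched, depth = [], [], 0
    for num, line in enumerate(lines, 1):
        if depth > 0:
            # Still inside the parentheses opened by a commented-out record.
            depth += paren_delta(line)
            fixed.append(';' + line)
            touched.append(num)
            continue
        if RR_IN_COMMENT.match(line):
            # Parentheses opened here are closed on later, uncommented lines.
            depth = max(paren_delta(line[1:]), 0)
        fixed.append(line)
    return fixed, touched

# Constructed sample: lines from the dump above, plus a made-up "ok" record.
SAMPLE = r"""$ORIGIN se.
007ta2 3600 IN NS ns1.b-one.nu.
        3600 IN NS ns2.b-one.nu.
; Ignoring extra info about 007ta2.se, invalid after NS delegation.
; 7200 IN TYPE47 \# 24 (
0b3030383030696e6b6a65740273650000062000
                                00000003 )
ok 3600 IN NS ns.example.
""".splitlines()

if __name__ == "__main__":
    fixed, touched = repair(SAMPLE)
    print("commented out lines:", touched)
    print("\n".join(fixed))
```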

[Quoting Måns Nilsson, on Jan 6, 2:13, in "trouble with dnssec ..."]
...

This is only somewhat related to nsd, but someone else must have hit it.
I am having trouble AXFRing a signed zone -- named-xfer v.latest does not
recognise the file format and writes a zone file that zonec barfs on.

Yes, this is a known problem of BIND-8.

There is a fix (appended) to prevent the BIND-8 named-xfer writing
out a zonefile with syntax errors, but this will still not produce
the correct DNSSEC zonefile, because BIND-8 does not understand the
special handling of the DS.

We have an NSD version of named-xfer, but it is not yet released (it
will soon be after quality assurance checks).

Regards,
-- ted

PS. the reply from Mark Andrews on my bug report containing a fix.

Thanks for the confirmation of my suspicions,

Regards,