[Opendnssec-user] Version 1.4.7 IXFR problems

Sebastian Wiesinger sebastian at karotte.org
Mon Aug 10 12:06:09 UTC 2015


Hello,

I noticed a problem with OpenDNSSEC 1.4.7 and IXFRs.

I have a zone configured in OpenDNSSEC that interacts with a BIND
server. OpenDNSSEC pulls the zone via IXFR and the BIND server
transfers the signed zone back, also via IXFR.

I noticed that when I only change the default TTL of the zone (via
$TTL statement) that the new TTL for the RRs is not transferred from
OpenDNSSEC back to BIND in the signed version of the zone via IXFR but
the RRSIG for the RR has the new TTL.

When I disable IXFRs for opendnssec in BIND the zone is transferred
with the correct TTLs. Also when I do a manual 'rndc retransfer
<zone>' it will fix the TTLs.

I reproduced this with two different zones.

Example Zone:
$TTL 1800
@       IN      SOA ns1.karotte.org. hostmaster.6v6.de. (
                106             ; Serial
                10800           ; Refresh
                3600            ; Retry
                2419200         ; Expire
                3600 )          ; Neg. TTL

        86400   NS   ns1.karotte.org.
        86400   NS   dns.noris.net.
        86400   NS   ns6.gandi.net.

sukzessiv       CNAME   upmbey4aer5jjkun.myfritz.net.

I now change the $TTL from 1800 to 2000.

When I AXFR the zone directly from OpenDNSSEC I get the right TTL for the
"sukzessiv" RR and the RRSIG:

sukzessiv.6v6.de.       2000    IN      CNAME   upmbey4aer5jjkun.myfritz.net.
sukzessiv.6v6.de.       2000    IN      RRSIG   CNAME 8 3 2000 20150909065841 20150810105620 57288 6v6.de. G5LxbfqWAZZ+D9FbbnNlId0vqk0Q0T62P5GTp57/ys9fzxOx9vl6mK+0 fQYtbR8JXI9lXFGCfj/9w0BTTivpqVsB7/uv5X8LMf0cMvnLRBvOylq1 4CXdtQRmWPspoRSPCt6jlcfUL46d69N9BqLwylnDQmpjeAMN87L5V5km zmo=

When I do the same AXFR towards the BIND server that transmitted the
zone from OpenDNSSEC via IXFR I get:

sukzessiv.6v6.de.       2000    IN      RRSIG   CNAME 8 3 2000 20150909065841 20150810105620 57288 6v6.de. G5LxbfqWAZZ+D9FbbnNlId0vqk0Q0T62P5GTp57/ys9fzxOx9vl6mK+0 fQYtbR8JXI9lXFGCfj/9w0BTTivpqVsB7/uv5X8LMf0cMvnLRBvOylq1 4CXdtQRmWPspoRSPCt6jlcfUL46d69N9BqLwylnDQmpjeAMN87L5V5km zmo=
sukzessiv.6v6.de.       1800    IN      CNAME   upmbey4aer5jjkun.myfritz.net.

Notice the old TTL of the CNAME.

When I now do a 'rndc retransfer 6v6.de IN default', which forces BIND
to retransfer the whole zone, it has the correct TTL again:

sukzessiv.6v6.de.       2000    IN      RRSIG   CNAME 8 3 2000 20150909065841 20150810105620 57288 6v6.de. G5LxbfqWAZZ+D9FbbnNlId0vqk0Q0T62P5GTp57/ys9fzxOx9vl6mK+0 fQYtbR8JXI9lXFGCfj/9w0BTTivpqVsB7/uv5X8LMf0cMvnLRBvOylq1 4CXdtQRmWPspoRSPCt6jlcfUL46d69N9BqLwylnDQmpjeAMN87L5V5km zmo=
sukzessiv.6v6.de.       2000    IN      CNAME   upmbey4aer5jjkun.myfritz.net.


It seems that OpenDNSSEC is not sending the changed CNAME TTL back to
BIND when it answers the IXFR request.

As a workaround I can specify

server <opendnssec> {
        provide-ixfr no;
        request-ixfr no;
};

in the BIND config. It would be nice if there were a switch to
disable IXFR in OpenDNSSEC as well.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant
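The inconsistency reported above (an RRSIG whose Original TTL, and own TTL, no longer match the TTL of the CNAME it covers, plus a signer/secondary TTL drift) can be detected from two zone dumps. The script below is an added example, not part of the post nor code from OpenDNSSEC or BIND. It parses dig-style AXFR presentation lines, flags RRSIGs whose Original TTL or own TTL differs from the covered RRset's TTL (RFC 4034 requires both to match), and diffs TTLs per owner/type between the signer's dump and the secondary's dump. The two sample dumps are constructed from the records in the post, with the signature data shortened.

```python
"""Consistency checks for DNSSEC zone dumps in dig AXFR presentation format.

Added example (not from the post or the OpenDNSSEC/BIND projects). Input is
plain text as produced by `dig AXFR`; the sample dumps below are constructed
from the records quoted in the post, with the RRSIG signature field truncated.
"""
from collections import defaultdict

# Constructed sample: what the signer (OpenDNSSEC) serves after the $TTL change.
SIGNER_DUMP = """\
sukzessiv.6v6.de. 2000 IN CNAME upmbey4aer5jjkun.myfritz.net.
sukzessiv.6v6.de. 2000 IN RRSIG CNAME 8 3 2000 20150909065841 20150810105620 57288 6v6.de. G5Lx...zmo=
"""

# Constructed sample: what the secondary (BIND) serves after applying the IXFR.
SECONDARY_DUMP = """\
sukzessiv.6v6.de. 2000 IN RRSIG CNAME 8 3 2000 20150909065841 20150810105620 57288 6v6.de. G5Lx...zmo=
sukzessiv.6v6.de. 1800 IN CNAME upmbey4aer5jjkun.myfritz.net.
"""


def parse_dump(text):
    """Parse 'owner ttl IN type rdata...' lines into (owner, ttl, type, rdata_fields).

    Comment lines (';') and anything that is not a class-IN record are skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        owner, ttl, rtype = parts[0].lower(), int(parts[1]), parts[3].upper()
        records.append((owner, ttl, rtype, parts[4:]))
    return records


def rrsig_ttl_mismatches(records):
    """Flag RRSIGs that disagree with the TTL of the RRset they cover.

    RFC 4034 s3.1.4: the Original TTL field is the TTL of the covered RRset;
    s3.3: the RRSIG's own TTL MUST match the covered RRset's TTL.
    Returns [(owner, covered_type, rr_ttl, rrsig_ttl, original_ttl), ...].
    """
    ttls = defaultdict(set)
    for owner, ttl, rtype, _ in records:
        if rtype != "RRSIG":
            ttls[(owner, rtype)].add(ttl)

    issues = []
    for owner, rrsig_ttl, rtype, rdata in records:
        if rtype != "RRSIG":
            continue
        # RRSIG rdata: type-covered algorithm labels original-ttl expiration
        # inception key-tag signer-name signature
        covered = rdata[0].upper()
        original_ttl = int(rdata[3])
        for rr_ttl in sorted(ttls.get((owner, covered), ())):
            if rr_ttl != original_ttl or rr_ttl != rrsig_ttl:
                issues.append((owner, covered, rr_ttl, rrsig_ttl, original_ttl))
    return issues


def ttl_differences(records_a, records_b):
    """Compare TTLs per (owner, type) between two dumps of the same zone.

    Returns [(owner, type, sorted_ttls_a, sorted_ttls_b), ...] for every
    owner/type present in both dumps whose TTL set differs.
    """
    def index(records):
        by_key = defaultdict(set)
        for owner, ttl, rtype, _ in records:
            by_key[(owner, rtype)].add(ttl)
        return by_key

    idx_a, idx_b = index(records_a), index(records_b)
    diffs = []
    for key in sorted(set(idx_a) & set(idx_b)):
        if idx_a[key] != idx_b[key]:
            diffs.append((key[0], key[1], sorted(idx_a[key]), sorted(idx_b[key])))
    return diffs


if __name__ == "__main__":
    signer = parse_dump(SIGNER_DUMP)
    secondary = parse_dump(SECONDARY_DUMP)
    print("signer RRSIG/TTL mismatches:   ", rrsig_ttl_mismatches(signer))
    print("secondary RRSIG/TTL mismatches:", rrsig_ttl_mismatches(secondary))
    print("TTL drift signer -> secondary: ", ttl_differences(signer, secondary))
```

Run it against real dumps by replacing the two constants with the output of `dig @signer zone AXFR` and `dig @secondary zone AXFR`; an empty mismatch list on the signer together with a non-empty one on the secondary is the signature of the IXFR behaviour described in the post, and a periodic run of `ttl_differences` is a cheap way to notice it without disabling IXFR outright.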
