[Opendnssec-user] Issues with INCLUDE statements
Sebastian Castro
sebastian at nzrs.net.nz
Mon Nov 22 03:53:31 UTC 2010
Hi:
As an experiment with empty non-terminals I had the org.nz zone contents
as part of the .nz zone, not as a delegation.
To do that, I used the $INCLUDE directive in the nz zone file. Something
like:
$INCLUDE "/var/opendnssec/unsigned/org.nz.zone"
At some point we dropped the INCLUDE line and put the
delegation back, increased the serial number, executed
"ods-signer sign nz"
and the result is a signed nz zone with the org.nz as a delegation AND
the org.nz contents included in it. To illustrate the point, the zone
looks something like this:
org.nz IN NS <list_of_NS>
org.nz IN DS <list_of_DS>
org.nz. IN RRSIG DS ....
org.nz. IN NSEC parliament.nz. NS DS RRSIG NSEC
org.nz. IN RRSIG NSEC .......
0.org.nz. IN NSEC 08000mumdad.org.nz. NS RRSIG NSEC
.... all org.nz contents here ...
zygem.org.nz. IN NSEC parliament.nz. NS RRSIG NSEC
zygem.org.nz. IN RRSIG NSEC ....
parliament.nz. IN NS <list_of_NS>
It seems there are two issues: more data than expected and wrong NSEC
chains.
To confirm the issue we created a zone file for example.com, signing it
with the default policy.
The original zone looks like this:
$TTL 86400
$ORIGIN example.com.
@ 1D IN SOA ns1.example.com. hostmaster.example.com. (
2002022401 ; serial
3H ; refresh
15 ; retry
1w ; expire
3h ; minimum
)
IN NS ns1.example.com. ; in the domain
IN NS ns2.smokeyjoe.com. ; external to domain
IN MX 10 mail.another.com. ; external mail provider
; server host definitions
ns1 IN A 192.168.0.1 ;name server definition
www IN A 192.168.0.2 ;web server definition
ftp IN CNAME www.example.com. ;ftp server definition
; non server domain hosts
bill IN A 192.168.0.3
fred IN A 192.168.0.4
and the resulting signed zone is attached as
'example.com.2002022401.signed'
Then we add an INCLUDE statement and increase the serial number:
--- example.com.2002022401.unsigned 2010-11-22 15:51:58.000000000 +1300
+++ example.com.2002022402.unsigned 2010-11-22 15:59:33.000000000 +1300
@@ -1,7 +1,7 @@
$TTL 86400
$ORIGIN example.com.
@ 1D IN SOA ns1.example.com. hostmaster.example.com. (
- 2002022401 ; serial
+ 2002022402 ; serial
3H ; refresh
15 ; retry
1w ; expire
@@ -14,6 +14,7 @@
ns1 IN A 192.168.0.1 ;name server definition
www IN A 192.168.0.2 ;web server definition
ftp IN CNAME www.example.com. ;ftp server definition
+$INCLUDE /var/opendnssec/unsigned/example.com.include
; non server domain hosts
bill IN A 192.168.0.3
fred IN A 192.168.0.4
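Review bot: the included file carries no $TTL directive of its own, and the records that follow the $INCLUDE in the parent file (bill and fred) are exactly the ones that would be affected if include processing leaves the default TTL in a different state than the $TTL 86400 declared at the top; the 3600 reported for fred matches neither that $TTL nor the SOA minimum (3h). To isolate this, put an explicit "$TTL 86400" as the first line of example.com.include and re-sign; if fred keeps 86400, the signer is not restoring the parent's $TTL after the include. Note that bill also follows the include but is not reported as changed, which is worth checking in the signed output.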
The contents of the 'example.com.include' file are
-------------------------------
; Additional data
ns2 IN A 10.0.0.1
gopher IN A 10.0.0.2
lastmod IN TXT "Mon Nov 22 15:54:14 NZDT 2010"
-------------------------------
The corresponding signed output is attached as
'example.com.2002022402.signed'
The differences between signed zones are
- new SOA and signature... OK
- new records and their signatures.... OK
- recalculated NSEC records.... OK
- and....
-fred.example.com. 86400 IN A 192.168.0.4
+fred.example.com. 3600 IN A 192.168.0.4
this record got its TTL changed, but the signature is not changed!
If you have reached this far... excellent, because it gets more
interesting.
We dropped the INCLUDE statement and increased the serial number:
--- example.com.2002022402.unsigned 2010-11-22 15:59:33.000000000 +1300
+++ example.com.2002022403.unsigned 2010-11-22 16:03:34.000000000 +1300
@@ -1,7 +1,7 @@
$TTL 86400
$ORIGIN example.com.
@ 1D IN SOA ns1.example.com. hostmaster.example.com. (
- 2002022402 ; serial
+ 2002022403 ; serial
3H ; refresh
15 ; retry
1w ; expire
@@ -14,7 +14,6 @@
ns1 IN A 192.168.0.1 ;name server definition
www IN A 192.168.0.2 ;web server definition
ftp IN CNAME www.example.com. ;ftp server definition
-$INCLUDE /var/opendnssec/unsigned/example.com.include
; non server domain hosts
bill IN A 192.168.0.3
fred IN A 192.168.0.4
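Review bot: once this hunk removes the $INCLUDE, ns2, gopher and lastmod no longer exist in the unsigned input, so the NSEC records for those names in example.com.2002022403.signed can only come from state the signer retained between runs rather than from the zone it was given; the PS (a clear followed by sign removes them) points the same way. Before publishing, a check of the signed output for NSEC owners that have no other RRsets, and for NSEC owners not reached by walking the chain from the apex, would catch this, and the report would be easier to act on with the ods-signer version and the signer's log for this run included.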
and the resulting signed file (attached as
'example.com.2002022403.signed') includes:
- updated SOA and its signature.... GOOD
- fred.example.com. gets its TTL back to the original value; the
signature is not changed... GOOD?
- ns2, gopher and lastmod records and their corresponding signatures are
dropped, but NSEC records remain.
In summary, we have:
- trailing NSEC records
- changed TTLs for a record, without proper signature update
- phantom contents (although I couldn't replicate the issue)
All the necessary files are attached if you want to replicate the issue.
PS: If you run 'ods-signer clear nz' and then 'ods-signer sign nz' the
trailing data is eliminated.
Regards,
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
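The three symptoms in the summary (trailing NSEC records, a TTL changed without the signature following, phantom contents) can all be caught by auditing the signed output before it is published. The following is an added example, not part of the post and not OpenDNSSEC's own code: a Python audit that parses a signed zone in one-line presentation format (fully qualified owner names and explicit TTLs on every line, as signer output presents them) and flags NSEC records whose owner has no other data, NSEC type bitmaps that disagree with the owner's actual RRsets, NSEC owners not reached by walking the chain from the apex, and RRSIGs whose Original TTL field differs from the TTL of the RRset they cover. The zone in SAMPLE_ZONE is constructed for this example with those defects planted; its signature fields are placeholders, and glue below delegations and empty non-terminals are not modelled.

```python
from collections import defaultdict

# Constructed sample of a signed zone in one-line presentation format
# (fully qualified owners, explicit TTLs); NOT one of the post's attachments.
# Signature fields are placeholders. Two defects are planted on purpose:
#  - gopher keeps a leftover NSEC (+RRSIG) although its A record is gone and
#    the recomputed chain (fred -> ns1) no longer points at it;
#  - fred's A RRset now has TTL 3600 while its RRSIG still says 86400.
SAMPLE_ZONE = """\
example.com. 86400 IN SOA ns1.example.com. hostmaster.example.com. 2002022403 10800 15 604800 10800
example.com. 86400 IN RRSIG SOA 8 2 86400 20101222000000 20101122000000 12345 example.com. SIG==
example.com. 86400 IN NS ns1.example.com.
example.com. 86400 IN RRSIG NS 8 2 86400 20101222000000 20101122000000 12345 example.com. SIG==
example.com. 10800 IN NSEC bill.example.com. SOA NS RRSIG NSEC
example.com. 10800 IN RRSIG NSEC 8 2 10800 20101222000000 20101122000000 12345 example.com. SIG==
bill.example.com. 86400 IN A 192.168.0.3
bill.example.com. 86400 IN RRSIG A 8 3 86400 20101222000000 20101122000000 12345 example.com. SIG==
bill.example.com. 10800 IN NSEC fred.example.com. A RRSIG NSEC
bill.example.com. 10800 IN RRSIG NSEC 8 3 10800 20101222000000 20101122000000 12345 example.com. SIG==
fred.example.com. 3600 IN A 192.168.0.4
fred.example.com. 3600 IN RRSIG A 8 3 86400 20101222000000 20101122000000 12345 example.com. SIG==
fred.example.com. 10800 IN NSEC ns1.example.com. A RRSIG NSEC
fred.example.com. 10800 IN RRSIG NSEC 8 3 10800 20101222000000 20101122000000 12345 example.com. SIG==
gopher.example.com. 10800 IN NSEC ns1.example.com. A RRSIG NSEC
gopher.example.com. 10800 IN RRSIG NSEC 8 3 10800 20101222000000 20101122000000 12345 example.com. SIG==
ns1.example.com. 86400 IN A 192.168.0.1
ns1.example.com. 86400 IN RRSIG A 8 3 86400 20101222000000 20101122000000 12345 example.com. SIG==
ns1.example.com. 10800 IN NSEC example.com. A RRSIG NSEC
ns1.example.com. 10800 IN RRSIG NSEC 8 3 10800 20101222000000 20101122000000 12345 example.com. SIG==
"""


def parse_zone(text):
    """Return {owner: {rtype: (ttl, [rdata_tokens, ...])}}; names are
    lower-cased so comparisons are case-insensitive. The first TTL seen
    for an RRset is taken as the RRset TTL."""
    zone = defaultdict(dict)
    for line in text.splitlines():
        line = line.split(";")[0].strip()      # drop comments and blank lines
        if not line:
            continue
        owner, ttl, _cls, rtype, *rdata = line.split()
        zone[owner.lower()].setdefault(rtype.upper(), (int(ttl), []))[1].append(rdata)
    return dict(zone)


def check_rrsig_ttls(zone):
    """RFC 4034 3.1.3: an RRSIG's Original TTL is the TTL of the covered
    RRset as it appears in the zone. Validators rebuild the RRset with that
    value (RFC 4035 5.3.2), so a mismatch means the published TTL is not what
    validating caches will use and that the RRset changed after signing."""
    findings = []
    for owner, rrsets in zone.items():
        for rdata in rrsets.get("RRSIG", (0, []))[1]:
            # RRSIG rdata: type_covered alg labels original_ttl exp inc keytag signer sig
            covered, orig_ttl = rdata[0].upper(), int(rdata[3])
            if covered not in rrsets:
                findings.append(("rrsig-orphan", owner, covered))
            elif rrsets[covered][0] != orig_ttl:
                findings.append(("rrsig-ttl-mismatch", owner, covered,
                                 rrsets[covered][0], orig_ttl))
    return findings


def check_nsec(zone, apex):
    """Flag leftover or inconsistent NSEC records and walk the chain from the
    apex (simplified: every owner in the file is treated as authoritative)."""
    findings = []
    apex = apex.lower()
    for owner, rrsets in zone.items():
        types = set(rrsets)
        if "NSEC" not in types:
            findings.append(("nsec-missing", owner))
            continue
        nsec = rrsets["NSEC"][1][0]             # [next_name, type, type, ...]
        bitmap = {t.upper() for t in nsec[1:]}
        if types <= {"NSEC", "RRSIG"}:          # an NSEC with nothing left to describe
            findings.append(("nsec-stale", owner))
        if bitmap != types:                     # bitmap disagrees with the real RRsets
            findings.append(("nsec-bitmap-mismatch", owner, sorted(bitmap ^ types)))
    # Follow next-name pointers from the apex: the chain must come back to the
    # apex, and every NSEC owner in the zone must be on it.
    seen, cur = [], apex
    while cur not in seen:
        seen.append(cur)
        if "NSEC" not in zone.get(cur, {}):
            findings.append(("nsec-chain-break", cur))
            break
        cur = zone[cur]["NSEC"][1][0][0].lower()
    else:
        if cur != apex:                         # closed on a name other than the apex
            findings.append(("nsec-chain-loop", cur))
    nsec_owners = {o for o, r in zone.items() if "NSEC" in r}
    for owner in sorted(nsec_owners - set(seen)):
        findings.append(("nsec-unreachable", owner))
    return findings


def audit(text, apex):
    """Run both checks; an empty list means the zone passed."""
    zone = parse_zone(text)
    return check_rrsig_ttls(zone) + check_nsec(zone, apex)


if __name__ == "__main__":
    for finding in audit(SAMPLE_ZONE, "example.com."):
        print(*finding)
```

On the sample the audit reports the TTL mismatch on fred (3600 in the zone, 86400 in the RRSIG) and three findings for gopher: its NSEC is stale, its type bitmap still advertises an A record that no longer exists, and the chain walked from the apex never reaches it. Run against a real signer output, an empty result from audit() is the condition to require before the file is handed to the name servers.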
Attachments:
- example.com.include: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20101122/736195b6/attachment.ksh>
- example.com.2002022401.signed: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20101122/736195b6/attachment-0001.ksh>
- example.com.2002022403.signed: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20101122/736195b6/attachment-0002.ksh>
- example.com.2002022402.unsigned: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20101122/736195b6/attachment-0003.ksh>
- example.com.2002022402.signed: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20101122/736195b6/attachment-0004.ksh>
- example.com.2002022401.unsigned: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20101122/736195b6/attachment-0005.ksh>
- example.com.2002022403.unsigned: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20101122/736195b6/attachment-0006.ksh>