[Opendnssec-user] Version 1.4.7 IXFR problems
Sebastian Wiesinger
sebastian at karotte.org
Mon Aug 10 12:06:09 UTC 2015
Hello,
I noticed a problem with OpenDNSSEC 1.4.7 and IXFRs.
I have a zone configured in OpenDNSSEC that interacts with a BIND
server. OpenDNSSEC pulls the zone via IXFR and the BIND server
transfers the signed zone back, also via IXFR.
I noticed that when I only change the default TTL of the zone (via
$TTL statement), the new TTL for the RRs is not transferred from
OpenDNSSEC back to BIND in the signed version of the zone via IXFR, but
the RRSIG for the RR has the new TTL.
When I disable IXFRs for OpenDNSSEC in BIND the zone is transferred
with the correct TTLs. Also when I do a manual 'rndc retransfer
<zone>' it will fix the TTLs.
I reproduced this with two different zones.
Example Zone:
$TTL 1800
@ IN SOA ns1.karotte.org. hostmaster.6v6.de. (
106 ; Serial
10800 ; Refresh
3600 ; Retry
2419200 ; Expire
3600 ) ; Neg. TTL
86400 NS ns1.karotte.org.
86400 NS dns.noris.net.
86400 NS ns6.gandi.net.
sukzessiv CNAME upmbey4aer5jjkun.myfritz.net.
I now change the $TTL from 1800 to 2000.
When I AXFR the zone directly from OpenDNSSEC I get the right TTL for the
"sukzessiv" RR and the RRSIG:
sukzessiv.6v6.de. 2000 IN CNAME upmbey4aer5jjkun.myfritz.net.
sukzessiv.6v6.de. 2000 IN RRSIG CNAME 8 3 2000 20150909065841 20150810105620 57288 6v6.de. G5LxbfqWAZZ+D9FbbnNlId0vqk0Q0T62P5GTp57/ys9fzxOx9vl6mK+0 fQYtbR8JXI9lXFGCfj/9w0BTTivpqVsB7/uv5X8LMf0cMvnLRBvOylq1 4CXdtQRmWPspoRSPCt6jlcfUL46d69N9BqLwylnDQmpjeAMN87L5V5km zmo=
When I do the same AXFR towards the BIND server that transmitted the
zone from OpenDNSSEC via IXFR I get:
sukzessiv.6v6.de. 2000 IN RRSIG CNAME 8 3 2000 20150909065841 20150810105620 57288 6v6.de. G5LxbfqWAZZ+D9FbbnNlId0vqk0Q0T62P5GTp57/ys9fzxOx9vl6mK+0 fQYtbR8JXI9lXFGCfj/9w0BTTivpqVsB7/uv5X8LMf0cMvnLRBvOylq1 4CXdtQRmWPspoRSPCt6jlcfUL46d69N9BqLwylnDQmpjeAMN87L5V5km zmo=
sukzessiv.6v6.de. 1800 IN CNAME upmbey4aer5jjkun.myfritz.net.
Notice the old TTL of the CNAME.
When I now do a 'rndc retransfer 6v6.de IN default', which forces BIND
to retransfer the whole zone, it has the correct TTL again:
sukzessiv.6v6.de. 2000 IN RRSIG CNAME 8 3 2000 20150909065841 20150810105620 57288 6v6.de. G5LxbfqWAZZ+D9FbbnNlId0vqk0Q0T62P5GTp57/ys9fzxOx9vl6mK+0 fQYtbR8JXI9lXFGCfj/9w0BTTivpqVsB7/uv5X8LMf0cMvnLRBvOylq1 4CXdtQRmWPspoRSPCt6jlcfUL46d69N9BqLwylnDQmpjeAMN87L5V5km zmo=
sukzessiv.6v6.de. 2000 IN CNAME upmbey4aer5jjkun.myfritz.net.
It seems that OpenDNSSEC is not sending the changed CNAME TTL back to
BIND when it answers the IXFR request.
As a workaround I can specify
server <opendnssec> {
provide-ixfr no;
request-ixfr no;
};
in the BIND config. It would be nice if there were a switch to
disable IXFR in OpenDNSSEC as well.
Regards
Sebastian
--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
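The TTL drift described in the post can be caught mechanically from an AXFR dump: RFC 4034 section 3 requires an RRSIG's TTL to equal the TTL of the RRset it covers, and the RRSIG's "Original TTL" RDATA field records the TTL the signer used, so a data RR that still carries the old TTL next to a fresh RRSIG stands out. The checker below is an added example, not code from the post or from OpenDNSSEC or BIND. It parses dig-style presentation format (one RR per line) and uses the two AXFR excerpts quoted above as constructed sample input, with the signature bytes abbreviated.

```python
"""Flag RRsets whose TTL disagrees with their covering RRSIG in an AXFR dump.

RFC 4034 section 3 requires an RRSIG's TTL to match the TTL of the RRset it
covers, and the RRSIG "Original TTL" RDATA field records the TTL the signer
used. When a secondary applies an IXFR that carries a new RRSIG but not the
re-TTLed data RRs, the three values drift apart; this script reports that.
"""
import sys
from collections import defaultdict

# Constructed sample input: the two AXFR excerpts quoted in the post above.
# Signature bytes are abbreviated; only the RRSIG header fields matter here.
AFTER_IXFR = """\
sukzessiv.6v6.de. 2000 IN RRSIG CNAME 8 3 2000 20150909065841 20150810105620 57288 6v6.de. G5Lx...zmo=
sukzessiv.6v6.de. 1800 IN CNAME upmbey4aer5jjkun.myfritz.net.
"""
AFTER_RETRANSFER = """\
sukzessiv.6v6.de. 2000 IN RRSIG CNAME 8 3 2000 20150909065841 20150810105620 57288 6v6.de. G5Lx...zmo=
sukzessiv.6v6.de. 2000 IN CNAME upmbey4aer5jjkun.myfritz.net.
"""


def parse_rr(line):
    """Split one presentation-format RR ("owner TTL class type rdata...").

    Returns (owner, ttl, type, rdata_fields) or None for blank/comment lines.
    Lines without a numeric TTL in field two are skipped, which also drops
    dig's ";; ..." status lines when the dump is piped in unfiltered.
    """
    line = line.split(';', 1)[0].strip()
    fields = line.split()
    if len(fields) < 5 or not fields[1].isdigit():
        return None
    owner, ttl, rrtype, rdata = fields[0], int(fields[1]), fields[3], fields[4:]
    return owner.lower(), ttl, rrtype.upper(), rdata


def find_ttl_mismatches(lines):
    """Return [(owner, type, rr_ttl, rrsig_ttl, rrsig_original_ttl), ...].

    rr_ttl is None when an RRSIG covers a type with no data RRs present.
    """
    data_ttls = defaultdict(set)   # (owner, type) -> TTLs seen on data RRs
    sigs = defaultdict(list)       # (owner, covered type) -> [(ttl, orig ttl)]
    for raw in lines:
        parsed = parse_rr(raw)
        if parsed is None:
            continue
        owner, ttl, rrtype, rdata = parsed
        if rrtype == 'RRSIG':
            # RRSIG RDATA: type-covered alg labels original-ttl expiration ...
            if len(rdata) < 4 or not rdata[3].isdigit():
                continue
            sigs[(owner, rdata[0].upper())].append((ttl, int(rdata[3])))
        else:
            data_ttls[(owner, rrtype)].add(ttl)

    findings = []
    for key in sorted(sigs):
        owner, covered = key
        ttls = sorted(data_ttls.get(key, ())) or [None]
        for sig_ttl, orig_ttl in sigs[key]:
            for rr_ttl in ttls:
                if rr_ttl is None or rr_ttl != sig_ttl or rr_ttl != orig_ttl:
                    findings.append((owner, covered, rr_ttl, sig_ttl, orig_ttl))
    return findings


if __name__ == '__main__':
    # Usage: dig @<bind-server> axfr <zone> | python3 check_rrsig_ttl.py
    problems = find_ttl_mismatches(sys.stdin)
    for owner, rrtype, rr_ttl, sig_ttl, orig_ttl in problems:
        print(f"{owner} {rrtype}: RR TTL {rr_ttl}, RRSIG TTL {sig_ttl}, "
              f"RRSIG original TTL {orig_ttl}")
    sys.exit(1 if problems else 0)
```

Run it against an AXFR from the BIND secondary after each IXFR-driven change; a non-zero exit means the secondary holds an RRset whose TTL no longer matches what was signed, which is the state the 'rndc retransfer' or the 'provide-ixfr no; request-ixfr no;' workaround above clears.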