Ticket #530 (closed defect: fixed)

Opened 10 months ago

Last modified 9 months ago

usage of outdated metadata information during AXFR

Reported by: anon Owned by: ahu
Priority: normal Milestone:
Component: auth Version: 3.1
Severity: normal Keywords:
Cc:

Description

executing the chain of commands below may lead to a
zone transfer with incorrect DNSSEC settings.

ie.: transfer of an unsecured zone, repeating notify after
a while a nsec'ed zone is transferd, few seconds later
finally the nsec3'ed zone is delivered.

pdnssec secure-zone DOMAIN
pdnssec set-nsec3 DOMAIN
pdnssec rectify-zone DOMAIN
pdns_control notify-host DOMAIN SLAVE-IP

Change History

Changed 10 months ago by anon

the whole workflow to reproduce the issue over here is as follows:

- zone is available on master and slave with same serial/content,

without any entries in cryptokeys/metadata for the domain

- restarting pdns on master and slave to clear caches - request a record from the master - shortly after the following steps are done on the master:

  • pdnssec secure-zone DOMAIN
  • pdnssec set-nsec3 DOMAIN
  • bump-serial in DB for DOMAIN
  • pdnssec rectify-zone DOMAIN
  • pdns_control notify-host DOMAIN SLAVE-IP

the result on the slave is as follows:

  • records are received with nsec3-ordername
  • nsec3-params are entered into domainmetadata
  • no RRSIGS for records are transfered to the slave
  • serial is sync with master after transfer

similar behaviour can be found using the disable-dnssec process. not tested yet -> behaviour on key-rollovers

question in context: does it makes sense to use different cache-timeouts for metadata and keys?

Changed 10 months ago by anon

Please try this patch and see if it improves the behaviour?  https://github.com/Habbie/powerdns/pull/44.diff

Changed 10 months ago by anon

fixes the behaviour on zone transfers.

still on direct requests to a host metadata/key cache is used. ie:

at client: dig +dnssec www.test.com @dns
at dns: secure zone, nsec3 zone, rectify zone
at client: dig +dnssec www.test.com @dns -> no rrsig

equivalent behaviour when going insecure.

Changed 10 months ago by anon

Unfortunately pdnssec does not have any control over powerdns's cache.

The earlier associated diff has been updated to make the pdns_control purge command clean the dnssec cache as well. This means that you know have a little control over the cache. The advice here is to run pdns_control purge <domain> after all the pdnssec operations have been performed.

Changed 9 months ago by peter

  • status changed from new to closed
  • resolution set to fixed

patch applied in r2694, closing ticket

Note: See TracTickets for help on using tickets.