dnssec-signzone: error when NSEC3PARAM record exists
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| BIND | New | Undecided | Unassigned | |
| bind9 (Ubuntu) | Invalid | Medium | Unassigned | |
Bug Description
On 18.04 with bind9/bionic-
This prevents Certbot Let's Encrypt validation and therefore certificate issuance when the zone is configured to use NSEC3.
NSEC3 is valuable in preventing DNSSEC NSEC zone walking to discover all RR records in the zone.
Where a zone file has DNSSEC enabled and an NSEC3PARAM record is added to the already-signed zone file:
example.com. IN NSEC3PARAM ( 1 0 10 16 0d95646237ae38bc )
an attempt to re-sign the zone file fails with:
dnssec-signzone -o example.com example.com.hosts
dnssec-signzone: error: dns_rdata_fromtext: example.
dnssec-signzone: fatal: failed loading zone from 'example.
This seems related to the upstream report "Problems signing a zone that already contains an NSEC3PARAM".
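Why NSEC3 resists the zone walking mentioned above, worked through as an added example (this is not code from the bug report, from BIND, or from Ubuntu): a parser for the NSEC3PARAM presentation format of RFC 5155 section 4.3 (four fields: hash algorithm, flags, iterations, salt; the salt length appears only in wire format) and the hashed-owner-name computation of RFC 5155 section 5, checked against the RFC's Appendix A test vector (salt aabbccdd, 12 iterations). All function names here (`parse_nsec3param`, `wire_name`, `nsec3_hash`) are the example's own, and the malformed input used in the usage check is constructed.

```python
"""Parse an NSEC3PARAM record in zone-file (presentation) format and compute
NSEC3 hashed owner names as defined in RFC 5155.

Added example for illustration; it is not BIND code. Names that appear as
NSEC3 owner names in a signed zone are salted, iterated SHA-1 hashes of the
real names, which is what keeps the NSEC chain from being walked.
"""
import base64
import hashlib

# NSEC3 hash algorithm registry: only SHA-1 (value 1) is defined by RFC 5155.
NSEC3_HASH_ALGS = {1: "sha1"}

# Standard base32 -> base32hex ("Extended Hex", RFC 4648) alphabet mapping.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"
)


def parse_nsec3param(rdata: str) -> dict:
    """Parse NSEC3PARAM RDATA text:  hash-alg flags iterations salt

    The salt is hexadecimal, or '-' for an empty salt.  Anything other than
    exactly four fields is rejected, which catches malformed records before
    they reach a signer.
    """
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError(
            f"NSEC3PARAM needs 4 fields (alg flags iterations salt), got {len(fields)}"
        )
    alg, flags, iterations = (int(f) for f in fields[:3])
    if alg not in NSEC3_HASH_ALGS:
        raise ValueError(f"unknown NSEC3 hash algorithm {alg}")
    if flags != 0:
        # RFC 5155 section 4.1.2: NSEC3PARAM flags must be zero.
        raise ValueError("NSEC3PARAM flags must be 0")
    if not 0 <= iterations <= 0xFFFF:
        raise ValueError("iterations must fit in 16 bits")
    salt = b"" if fields[3] == "-" else bytes.fromhex(fields[3])
    if len(salt) > 255:
        raise ValueError("salt longer than 255 octets")
    return {"alg": alg, "flags": flags, "iterations": iterations, "salt": salt}


def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, length-prefixed labels."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def nsec3_hash(name: str, params: dict) -> str:
    """IH(salt, x, k) from RFC 5155 section 5, returned as lowercase base32hex.

    IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt),
    so 'iterations' extra rounds follow the first hash.
    """
    digestmod = NSEC3_HASH_ALGS[params["alg"]]
    salt = params["salt"]
    digest = hashlib.new(digestmod, wire_name(name) + salt).digest()
    for _ in range(params["iterations"]):
        digest = hashlib.new(digestmod, digest + salt).digest()
    # 20 SHA-1 bytes encode to exactly 32 base32 characters, no padding needed.
    b32 = base64.b32encode(digest).decode("ascii").rstrip("=")
    return b32.translate(_B32_TO_B32HEX).lower()


if __name__ == "__main__":
    rfc_params = parse_nsec3param("1 0 12 aabbccdd")  # RFC 5155 Appendix A
    for owner in ("example.", "a.example.", "ns1.example."):
        print(f"{nsec3_hash(owner, rfc_params)}.example.  <- {owner}")
```

Running the block prints the hashed owner names that would appear in the RFC 5155 example zone in place of the real ones; `nsec3_hash` can be pointed at any name and the NSEC3PARAM of a zone you operate to confirm that the NSEC3 records in a signed zone correspond to the names you expect, and `parse_nsec3param` rejects records whose text form is not the four-field layout before they are handed to a signer.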
Thank you for taking the time to report this bug and helping to make Ubuntu better.
It looks like the upstream bug has been acknowledged, so I'm marking the Ubuntu task as Triaged. However, it doesn't look like we can do anything in Ubuntu until there is a resolution upstream.
As it appears this is not a regression, I'm marking it as Importance: Medium since I don't think this configuration is common enough to mark it as High.