usage of outdated metadata information during AXFR #530

Closed
Habbie opened this Issue Apr 26, 2013 · 5 comments

@Habbie
Member
Habbie commented Apr 26, 2013

executing the chain of commands below may lead to a
zone transfer with incorrect DNSSEC settings.

i.e.:
transfer of an unsecured zone, repeating notify after
a while a nsec'ed zone is transferred, few seconds later
finally the nsec3'ed zone is delivered.

pdnssec secure-zone DOMAIN
pdnssec set-nsec3 DOMAIN
pdnssec rectify-zone DOMAIN
pdns_control notify-host DOMAIN SLAVE-IP

@Habbie Habbie was assigned Apr 26, 2013
@Habbie Habbie closed this Apr 26, 2013
@Habbie Habbie added a commit that referenced this issue Apr 26, 2013
@Habbie Habbie make sure we clear DNSSEC caches in some relevant places. Fixes #530,…
… patch by Ruben d'Arco

git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@2694 d19b8d6e-7fed-0310-83ef-9ca221ded41b
627d2ca
@Habbie
Member
Habbie commented Apr 26, 2013

Author: anon
the whole workflow to reproduce the issue over here is as follows:

  • zone is available on master and slave with same serial/content,
    without any entries in cryptokeys/metadata for the domain
  • restarting pdns on master and slave to clear caches
  • request a record from the master
  • shortly after the following steps are done on the master:
    • pdnssec secure-zone DOMAIN
    • pdnssec set-nsec3 DOMAIN
    • bump-serial in DB for DOMAIN
    • pdnssec rectify-zone DOMAIN
    • pdns_control notify-host DOMAIN SLAVE-IP

the result on the slave is as follows:

  • records are received with nsec3-ordername
  • nsec3-params are entered into domainmetadata
  • no RRSIGs for records are transferred to the slave
  • serial is in sync with master after transfer

similar behaviour can be found using the disable-dnssec process.
not tested yet -> behaviour on key-rollovers

question in context: does it make sense to use different cache-timeouts for metadata and keys?

@Habbie
Member
Habbie commented Apr 26, 2013

Author: anon
Please try this patch and see if it improves the behaviour?
https://github.com/Habbie/powerdns/pull/44.diff

@Habbie
Member
Habbie commented Apr 26, 2013

Author: anon
fixes the behaviour on zone transfers.

still on direct requests to a host metadata/key cache is used.
i.e.:

at client: dig +dnssec www.test.com @dns
at dns: secure zone, nsec3 zone, rectify zone
at client: dig +dnssec www.test.com @dns -> no rrsig

equivalent behaviour when going insecure.

@Habbie
Member
Habbie commented Apr 26, 2013

Author: anon
Unfortunately pdnssec does not have any control over powerdns's cache.

The earlier associated diff has been updated to make the pdns_control purge command clean the dnssec cache as well. This means that you now have a little control over the cache. The advice here is to run pdns_control purge after all the pdnssec operations have been performed.
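A slave-side consistency check for the symptom reported in this ticket (NSEC3 ordering and NSEC3PARAM delivered, but no RRSIGs), useful after running the pdnssec operations and pdns_control purge. This is an added example, not code from the ticket or from PowerDNS; the zone dump it parses is constructed and the names in it are placeholders.

```python
from collections import defaultdict

# Record types whose presence means the zone claims to be DNSSEC-signed.
SIGNED_ZONE_MARKERS = {"DNSKEY", "NSEC3PARAM", "NSEC", "NSEC3"}

def parse_zone(text):
    """Parse presentation-format lines ("owner TTL [IN] TYPE rdata...").
    Returns (rrsets, signed): rrsets maps (owner, type) to record count,
    signed is the set of (owner, covered type) pairs that have an RRSIG."""
    rrsets = defaultdict(int)
    signed = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        owner = fields[0].lower()
        idx = 3 if fields[2].upper() == "IN" else 2  # class is optional
        rtype = fields[idx].upper()
        if rtype == "RRSIG":
            # first rdata field of an RRSIG is the type it covers
            signed.add((owner, fields[idx + 1].upper()))
        else:
            rrsets[(owner, rtype)] += 1
    return rrsets, signed

def unsigned_rrsets(text):
    """Return sorted (owner, type) pairs that lack an RRSIG although the
    zone carries DNSKEY/NSEC3PARAM records.  An empty list means the copy
    is consistent: either fully signed or honestly unsigned."""
    rrsets, signed = parse_zone(text)
    if not any(rtype in SIGNED_ZONE_MARKERS for _, rtype in rrsets):
        return []
    return sorted(key for key in rrsets if key not in signed)

# Constructed sample: what the secondary ended up with in this ticket,
# NSEC3PARAM and DNSKEY transferred, not a single RRSIG.
STALE_SLAVE_COPY = """\
test.com.     3600 IN SOA ns1.test.com. hostmaster.test.com. 2013042602 10800 3600 604800 3600
test.com.     3600 IN NS ns1.test.com.
test.com.     3600 IN DNSKEY 257 3 8 AwEAAc0nstructedKeyMaterial==
test.com.        0 IN NSEC3PARAM 1 0 1 ab
www.test.com. 3600 IN A 192.0.2.10
"""

if __name__ == "__main__":
    for owner, rtype in unsigned_rrsets(STALE_SLAVE_COPY):
        print(f"missing RRSIG: {owner} {rtype}")
```

Feed it the output of an AXFR against the slave; any line printed means the slave still holds the mixed state and the caches on the master should be purged before re-notifying.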

@Habbie
Member
Habbie commented Apr 26, 2013

Author: peter
patch applied in r2694, closing ticket

@mind04 mind04 pushed a commit to mind04/pdns that referenced this issue Apr 26, 2013
peter make sure we clear DNSSEC caches in some relevant places. Fixes #530,…
… patch by Ruben d'Arco

git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@2694 d19b8d6e-7fed-0310-83ef-9ca221ded41b
c530877