Dnssec remove keys from zone

binddnssecrndc

is there a way to remove all dnssec related stuff from a zone on a running bind server?

I configured bind like like here described.

If i use rndc signing -clear all domain.tld nothng happens to the zone.

If i delete the dnssec signed zone via rndc delzone domain.tld
and recreate it via rndc addzone domain.tld ... , the domain.tld.jnl file with the related dnssec data will be automaticly recreated and the zone is dnssec signed again.

How can i remove all dnssec related data from a zone with rndc ?

Best Answer

(i use the inline-signing option to auto sign the zones in another file called {Zonename}.signed)

To remove all DNSSEC related Data of the Zone u have to remove the {ZoneName}.signed and {ZoneName}.jnl file of the Zone.

Remove also all the Key Files of the Zone (which should be in the keys - Directory) - otherwhise bind9 will autoresign the Zone.

After all the deletion it would be the clear way to rndc delzone {ZoneName} and reinititate the unsigned Zone with rndc addzone {Options without DNSSEC}

Related Solutions

DNSSEC auto signing and file handling

EDIT: The previous version of this Answer was backwards-wrong.

If I enable auto-signing, will the zones files change?

Yes. BIND will update the file you specify in the configuration "dynamic" style. This means the whole file generally gets rewritten, losing any "$INCLUDE" directives, converting to "standard" formatting, etc.

With manually signing files, the original zone files do not change. You can not use Dynamic Updates with manually signed files, so there's a trade-off. Generally you either maintain the original zone file by hand and use manual signing, or you use nsupdate to maintain the original file and let BIND auto-sign the zone. Side note: last I looked BIND couldn't auto-gen ZSK keys, so you still have to manually rotate those (or script the process).

How to update a zone with auto-dnssec: maintain

I think I finally found the root cause of my problem. I have two views, that were configured to include the same master zone file twice.

You cannot use the same file for two zones. So this is invalid and caused my problem:

view "internal" {
    match-clients ...;
    zone "example.com" {
        type master;
        file "/etc/bind/zones/example.net";
    };
};
view "external" {
    match-clients ...;
    zone "example.com" {
        type master;
        file "/etc/bind/zones/example.net";
    };
};

The proper way to share a zone is described in chapter 4 of the " Understanding views in BIND 9, by example" guide. Basically, only one of the zone must be the master zone, and the other one must be a slave. After adding a few acls, keys and also-notify for localhost in the right places, I got rid of those errors.

In the end this is my final configuration:

key "internal" {
    // TSIG Key generated with dnssec-keygen -a HMAC-MD5 -b 512 -n USER internal
    algorithm hmac-md5;
    secret "XXXX";
};

view "internal" {
    match-clients { key internal; ...IPs...; }; // our network
    zone "robin.info" {
        type slave;
        file "/etc/bind/slave-zones/robin.info"; // Not the same file as external view!
        masters { 127.0.0.1; };
    };
};

view "external" {
    match-clients { !key internal; "any"; }; // everyone else
    server 127.0.0.1 {
        /* Deliver notify messages to internal view with internal key. */
        keys { internal; };
    };
    zone "robin.info" {
        type master;
        file "/etc/bind/zones/robin.info";
        // ACL file with allow-transfer and also-notify
        // including secondary DNS servers and 127.0.0.1
        include "/etc/bind/acls"; 
        key-directory "/etc/bind/dnssec/robin.info/2017";
        inline-signing yes;
        auto-dnssec maintain;
    };
};

Best Answer

Related Solutions

DNSSEC auto signing and file handling

How to update a zone with auto-dnssec: maintain

Related Topic