On Thu, Apr 04, 2019 at 12:54:37PM -0400, Roy Arends wrote:
> Hi Evan, can you elaborate on the looping bug? For example, what combination of configuration statements would cause this, and why was a revoked key special in this case.
It was similar to the environment Wes set up; I found it while trying to reproduce his report.

When starting named with either a managed-keys database containing only KSK-2010, or with no managed-keys database and a bind.keys file containing only KSK-2010, named sent a key refresh query for ./DNSKEY, got back a response containing KSK-2010 with the REVOKED bit set, validated it but failed to record the revocation, and immediately retried the query.

I believe it was fixed in this commit, around line 8940 in lib/dns/zone.c:
https://gitlab.isc.org/isc-projects/bind9/commit/f87d4ca08

Since the revoked key is no longer in the root zone, I'll need to set up a toy root server to confirm that that was indeed the relevant change; I haven't done so yet.

--
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
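The refresh loop described in the reply above, as a constructed Python model added here (not BIND's code): a managed-keys store holding one anchor, a ./DNSKEY response carrying that same key with the REVOKE bit (RFC 5011's name for the REVOKED bit) set, and a handler that either records the revocation or does not. Because the flags field feeds the RFC 4034 key-tag computation, the model matches anchors on key material with the bit masked off; the key material, flag values and round limit are assumptions, and the DNSSEC validation of the response is assumed to have succeeded.

```python
import struct

REVOKE = 0x0080                 # RFC 5011 DNSKEY flag bit
KSK_FLAGS = 257                 # ZONE | SEP, as on a KSK
PUBKEY = b"\x03\x01\x00\x01" + bytes(range(32))   # constructed key material

def keytag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA; flags are part of it."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def key_id(flags, pubkey):
    """Anchor identity with the REVOKE bit masked, so a revoked key still matches."""
    return (flags & ~REVOKE, pubkey)

def refresh(store, response, record_revocation):
    """One key-refresh round over an already validated ./DNSKEY response.
    store: key_id -> {"revoked": bool}. Returns True when the store reflects the
    response (reschedule normally), False when the caller would retry at once."""
    converged = True
    for flags, pubkey in response:
        entry = store.get(key_id(flags, pubkey))
        if entry is None:
            continue                    # new key: RFC 5011 add hold-down, not modelled
        if flags & REVOKE and not entry["revoked"]:
            if record_revocation:
                entry["revoked"] = True # fixed path: persist the revocation
            else:
                converged = False       # buggy path: nothing recorded, retry now
    return converged

def refresh_rounds(record_revocation, limit=5):
    """Rounds until convergence; hitting `limit` is the reported refresh loop."""
    store = {key_id(KSK_FLAGS, PUBKEY): {"revoked": False}}   # KSK-2010 stand-in
    response = [(KSK_FLAGS | REVOKE, PUBKEY)]                 # same key, revoked
    for n in range(1, limit + 1):
        if refresh(store, response, record_revocation):
            return n
    return limit
```

With the revocation recorded the store converges after one round; without it every round reports the same mismatch and the model hits its limit, which is the immediate-retry loop the reply describes.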