.. title: Dynamic DNS with Bind Stopped Working
.. slug: 05
.. date: 2025-03-05 19:00
.. tags: documentation,english,open source,howto
.. description:
.. wp-status: publish

.. |--|  unicode:: U+2013  .. en dash

In 2021 I set up a dynamic DNS server using the popular `ISC bind`_ DNS
server and documented my configuration in a blog article [1]_.

Recently (around the second half of 2024) the DNS updates stopped
working. In my configuration I was using the public key method for
signing DNS updates, also known as SIG(0). This has long been supported
in bind and is `still documented to work`_ |--| *in the latest version*.

All DNS update requests were suddenly denied with a ``REFUSED`` status.
Even after turning on debugging with the ``-d 15`` option to ``named`` I
could not get any further information, not even when logging to
standard output with ``-g``.

It turns out that public key signatures using SIG(0) have been disabled
because of a denial of service attack vector documented in
`CVE-2024-1975`_. DNS updates with shared `TSIG keys`_ still work.
Unfortunately this seemed to be undocumented, and no log message points
to the cause. I've filed a `bug report`_ for bind.
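
To make concrete what the still-working TSIG path authenticates, and how it
differs from SIG(0), here is an added example (not code from the original post
and not bind's own code) that builds a DNS UPDATE message adding one A record
(RFC 2136) and then signs and verifies it with an ``hmac-sha256`` TSIG record
(RFC 8945), using only the Python standard library. The key name
``ddns-key.``, the secret, the zone ``example.org.``, the host name and the
address ``192.0.2.10`` are constructed values; in a real deployment the secret
is the base64 string produced by ``tsig-keygen`` and shared between the
``named`` configuration and the ``nsupdate`` client.

```python
# Added example, not code from the original post or from bind: a DNS UPDATE
# (RFC 2136) signed and verified with TSIG hmac-sha256 (RFC 8945), stdlib only.
# Key name, secret, zone and address below are constructed for illustration.
import hashlib
import hmac
import struct
import time

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
HMAC_SHA256 = "hmac-sha256."  # TSIG algorithm name, written as a domain name

def encode_name(name):
    """Canonical wire-format name: lowercase labels, no compression."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                   for lab in name.rstrip(".").lower().split(".") if lab)
    return out + b"\x00"

def read_name(buf, off):
    """Decode an uncompressed wire-format name; returns (text, next offset)."""
    labels = []
    while buf[off] != 0:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode("ascii"))
        off += 1 + buf[off]
    return ".".join(labels) + ".", off + 1

def build_update(zone, name, ttl, ipv4, msg_id):
    """Unsigned UPDATE: zone in the zone section, one A record in the update section."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    rr = encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + rr

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """The TSIG variables appended to the message before it is hashed."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(HMAC_SHA256) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def sign(message, key_name, secret, time_signed=None, fudge=300):
    """Client side: append a TSIG RR carrying the HMAC and bump ARCOUNT."""
    if time_signed is None:
        time_signed = int(time.time())
    digest = hmac.new(secret, message + tsig_variables(key_name, time_signed, fudge),
                      hashlib.sha256).digest()
    rdata = (encode_name(HMAC_SHA256) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(digest)) + digest
             + message[:2] + struct.pack("!HH", 0, 0))   # original ID, error, other-len
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr

def verify(signed, keys, now=None):
    """Server side: keys maps key name -> secret. Returns (ok, reason)."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd):                       # zone section: name + type + class
        off = read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):         # every RR except the trailing TSIG
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = read_name(signed, off)
    if struct.unpack("!H", signed[off:off + 2])[0] != TYPE_TSIG:
        return False, "last RR is not TSIG (FORMERR)"
    algorithm, off = read_name(signed, off + 10)   # skip type, class, ttl, rdlength
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_size]
    off += 10 + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    secret = keys.get(key_name.lower())
    if secret is None or algorithm.lower() != HMAC_SHA256:
        return False, "unknown key or algorithm (BADKEY)"
    # Rebuild exactly what the signer hashed: original ID, ARCOUNT without TSIG, no TSIG RR.
    unsigned = (struct.pack("!H", original_id) + signed[2:10]
                + struct.pack("!H", ar - 1) + signed[12:tsig_start])
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "MAC mismatch (BADSIG)"
    if abs((int(time.time()) if now is None else now) - time_signed) > fudge:
        return False, "outside fudge window (BADTIME)"
    return True, "ok"

def example_messages():
    """Constructed sample: unsigned update, its signed form, and the shared secret."""
    secret = b"constructed-secret"        # a real secret is the base64 from tsig-keygen
    msg = build_update("example.org.", "host.example.org.", 300, "192.0.2.10", 0x1234)
    return msg, sign(msg, "ddns-key.", secret, time_signed=1700000000), secret

if __name__ == "__main__":
    msg, signed, secret = example_messages()
    print(verify(signed, {"ddns-key.": secret}, now=1700000000))
    print(verify(signed, {"ddns-key.": b"wrong"}, now=1700000000))
```

The verifier strips the trailing TSIG record, restores the original message ID
and ARCOUNT, and recomputes the HMAC over that message plus the TSIG variables,
so a wrong secret, a modified record or a timestamp outside the fudge window is
rejected with the error names RFC 8945 defines (BADKEY, BADSIG, BADTIME). The
security property this gives is the one the quota-less SIG(0) path lacked: the
server does no public key operation per request, only a symmetric HMAC against
a key it already holds, which is why the shared-key path stayed enabled.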

As it turns out, I should have looked at the documentation for version
9.18, the version shipped with Debian stable (aka bookworm) at the time
of this writing: it documents that `SIG(0) has been removed`_ due to
`CVE-2024-1975`_.

It looks like *later* versions of bind (version 9.20.6 and up) again
support SIG(0), but with a quota mechanism to prevent the denial of
service attack. For prior versions it seems that the "fix" consists of
completely disabling SIG(0).

.. [1] Ralf Schlatterbeck. `Dynamic DNS with the bind DNS server`_.
       Blog post, Open Source Consulting, Jan 2021.

.. _`ISC bind`: https://www.isc.org/bind/
.. _`Dynamic DNS with the bind DNS server`:
     https://blog.runtux.com/posts/2021/01/08/
.. _`CVE-2024-1975`: https://security-tracker.debian.org/tracker/CVE-2024-1975
.. _`TSIG keys`:
     https://bind9.readthedocs.io/en/bind-9.18/chapter7.html#tsig
.. _`bug report`: https://gitlab.isc.org/isc-projects/bind9/-/issues/5221
.. _`SIG(0) has been removed`:
     https://bind9.readthedocs.io/en/bind-9.18/chapter7.html#sig-0
.. _`still documented to work`:
     https://bind9.readthedocs.io/en/latest/chapter7.html#sig-0
