ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
Updated: 2022-01-11T14:13:40Z

https://gitlab.isc.org/isc-projects/bind9/-/issues/3051
Missing destroy(s) for rwlocks, mutexes and conditions
Author: Ondřej Surý (updated: 2022-01-11T14:13:40Z)

It was reported to us that there's a runaway memory leak on FreeBSD which was identified as missing dtor for pthread primitives:
1. `sock->cond` in netmgr - the one causing runaway memory use
2. `worker->lock` - one per worker
3. rwlocks in db.c and dlz.c - initialized once per `named` (fixing would require dtor at library unload, not worth fixing)
4. rwlock in `lib/*/result.c` - initialized once per `named` (fixing would require dtor at library unload, not worth fixing)

Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Assignee: Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/3049
Expired zone signatures are not replaced with KSK signatures
Author: Matthijs Mekking <matthijs@isc.org> (updated: 2022-01-12T10:08:42Z)

We fixed #763 to make sure not to sign the DNSKEY RRset with the ZSK if the KSK was offline (even if the signatures were expired).
The change caused the definition of "having both keys": if one key is offline, we still consider having both keys, so we don't fall back to signing with the ZSK if the KSK is offline.
That change also works the other way: if the ZSK is offline, we don't fall back to signing with the KSK. But in this case the fallback could actually help prevent the zone from going bogus.
Update the fix for #763 to allow falling back to signing zone RRsets with the KSK in case the ZSK is offline.

Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Assignee: Matthijs Mekking <matthijs@isc.org>

https://gitlab.isc.org/isc-projects/bind9/-/issues/3035
BIND with dnssec-policy stops signing when removing the ZSK key files
Author: Thomas Amgarten (updated: 2022-01-06T08:52:05Z)

### Summary
When removing the ZSK key files from the key-directory and also removing the journal files (.signed.jnl, .jnl, .jbk), then - under certain circumstances - BIND does create a new ZSK (after restart) but is no longer able to sign the RRs (neither the DNSKEY RR with the KSK nor the TXT RR with the ZSK).
### BIND version used
9.16.22, self-compiled
### Steps to reproduce
Perhaps this behavior has something to do with "**timings**" or "**timers**", because I needed to wait about one night (e.g. 8h) before I was able to reproduce the issue again this morning.
With this quick-and-dirty helper script, I can always reproduce this issue (after the mentioned waiting time):
```
#!/bin/bash
# Reproducer: stop named, delete the zone's ZSK key files and the journal
# files next to the master file, then start named again.
KEY_ROOT="/chroot/bind/etc/named/keys"
MASTER_DIR="/var/named/master"

[[ $# -lt 1 ]] && { echo "specify a zone"; exit 1; }
ZONE="$1"

[[ ! -d "${KEY_ROOT}/${ZONE}" ]] && { echo "key-dir does not exist"; exit 1; }
cd "${KEY_ROOT}/${ZONE}/" || exit 1

# Only the .state files contain "ZSK: yes"; strip the suffix to get the
# key's base name (e.g. Kexample.ch.+013+54591).
ZSK=$(grep -l "ZSK: yes" -- * | sed 's,\(.*\)\.state,\1,')
echo "ZSK found: $ZSK"

systemctl stop named
# Delete the ZSK's .key, .private and .state files, and everything matching
# <zone>.hosts.* next to the master file (.signed.jnl, .jnl, .jbk).
rm -f "${KEY_ROOT}/${ZONE}/${ZSK}".*
rm -rf "${MASTER_DIR}/${ZONE}".hosts.*
systemctl start named
```
### What is the current *bug* behavior?
dnssec-policy is no longer signing the zone, even if I run `rndc sign example.ch`:
```
# No RRSIG for the DNSKEY-RR
$ dig @127.0.0.1 +short +norec +dnssec dnskey example.ch
256 3 13 yzEu6qim1W01nMHAPGhB8nXM2Qb+PTJH0c5+muyy1QjVy4+dldge0Tw6 H0rckR/sNyQOAPzpsChOqqHZhSF32w==
257 3 13 f2m47DhSRftPS7dbCw8u/C2Gnek3XJyf+FpD1gJg1dl2ZXpVVtx7RsJS ML1bq3WHrWz2IRQvW/0rsvB1f3z2WQ==
# Also no RRSIG for the TXT-Record
$ dig @127.0.0.1 +short +norec +dnssec txt example.ch
"v=spf1 -all"
```
#### rndc dnssec -status example.ch
```
$ rndc dnssec -status example.ch
dnssec-policy: thewaytogo-faster
current time:  Tue Nov 30 10:09:13 2021

key: 54591 (ECDSAP256SHA256), ZSK
  published:      yes - since Tue Nov 30 09:59:00 2021
  zone signing:   no

  Next rollover scheduled on Tue Dec  7 07:54:00 2021
  - goal:           omnipresent
  - dnskey:         rumoured
  - zone rrsig:     hidden

key: 56340 (ECDSAP256SHA256), KSK
  published:      yes - since Mon Nov 29 20:54:22 2021
  key signing:    yes - since Mon Nov 29 20:54:22 2021

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             omnipresent
  - key rrsig:      omnipresent
```
#### reloading
Reloading the zone shows (in debug-level 3) the following messages:
```
30-Nov-2021 10:05:26.927 general: info: received control channel command 'reload example.ch'
30-Nov-2021 10:05:26.927 zoneload: debug 1: zone example.ch/IN (unsigned): skipping load: master file older than last load
```
#### restarting
##### The key files exist (before and after restart)
```
$ ls -lahF
total 340K
drwxr-xr-x. 2 named named 4.0K 30. Nov 09:59 ./
drwxr-xr-x. 7 named named 308K 29. Nov 16:31 ../
-rw-r--r--. 1 named named 443 30. Nov 10:10 Kexample.ch.+013+54591.key
-rw-------. 1 named named 235 30. Nov 10:10 Kexample.ch.+013+54591.private
-rw-r--r--. 1 named named 541 30. Nov 10:10 Kexample.ch.+013+54591.state
-rw-r--r--. 1 named named 388 30. Nov 10:10 Kexample.ch.+013+56340.key
-rw-------. 1 named named 241 30. Nov 10:10 Kexample.ch.+013+56340.private
-rw-r--r--. 1 named named 675 30. Nov 10:10 Kexample.ch.+013+56340.state
```
```
# ZSK
$ cat Kexample.ch.+013+54591.key Kexample.ch.+013+54591.state
; This is a zone-signing key, keyid 54591, for example.ch.
; Created: 20211130085900 (Tue Nov 30 09:59:00 2021)
; Publish: 20211130085900 (Tue Nov 30 09:59:00 2021)
; Activate: 20211130085900 (Tue Nov 30 09:59:00 2021)
; Inactive: 20211207085900 (Tue Dec 7 09:59:00 2021)
; Delete: 20211217100400 (Fri Dec 17 11:04:00 2021)
example.ch. 3600 IN DNSKEY 256 3 13 yzEu6qim1W01nMHAPGhB8nXM2Qb+PTJH0c5+muyy1QjVy4+dldge0Tw6 H0rckR/sNyQOAPzpsChOqqHZhSF32w==
; This is the state of key 54591, for example.ch.
Algorithm: 13
Length: 256
Lifetime: 604800
KSK: no
ZSK: yes
Generated: 20211130085900 (Tue Nov 30 09:59:00 2021)
Published: 20211130085900 (Tue Nov 30 09:59:00 2021)
Active: 20211130085900 (Tue Nov 30 09:59:00 2021)
Retired: 20211207085900 (Tue Dec 7 09:59:00 2021)
Removed: 20211217100400 (Fri Dec 17 11:04:00 2021)
DNSKEYChange: 20211130085900 (Tue Nov 30 09:59:00 2021)
ZRRSIGChange: 20211130085900 (Tue Nov 30 09:59:00 2021)
DNSKEYState: rumoured
ZRRSIGState: hidden
GoalState: omnipresent
# KSK
$ cat Kexample.ch.+013+56340.key Kexample.ch.+013+56340.state
; This is a key-signing key, keyid 56340, for example.ch.
; Created: 20211129195422 (Mon Nov 29 20:54:22 2021)
; Publish: 20211129195422 (Mon Nov 29 20:54:22 2021)
; Activate: 20211129195422 (Mon Nov 29 20:54:22 2021)
; SyncPublish: 20211129195422 (Mon Nov 29 20:54:22 2021)
example.ch. IN DNSKEY 257 3 13 f2m47DhSRftPS7dbCw8u/C2Gnek3XJyf+FpD1gJg1dl2ZXpVVtx7RsJS ML1bq3WHrWz2IRQvW/0rsvB1f3z2WQ==
; This is the state of key 56340, for example.ch.
Algorithm: 13
Length: 256
Lifetime: 0
KSK: yes
ZSK: no
Generated: 20211129195422 (Mon Nov 29 20:54:22 2021)
Published: 20211129195422 (Mon Nov 29 20:54:22 2021)
Active: 20211129195422 (Mon Nov 29 20:54:22 2021)
DSPublish: 20211129195759 (Mon Nov 29 20:57:59 2021)
DSRemoved: 20211129195739 (Mon Nov 29 20:57:39 2021)
PublishCDS: 20211129195422 (Mon Nov 29 20:54:22 2021)
DNSKEYChange: 20211129205955 (Mon Nov 29 21:59:55 2021)
KRRSIGChange: 20211129205955 (Mon Nov 29 21:59:55 2021)
DSChange: 20211129225759 (Mon Nov 29 23:57:59 2021)
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: omnipresent
GoalState: omnipresent
```
##### Restarting shows the following output:
```
30-Nov-2021 10:07:04.657 general: debug 1: zone_dump: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.657 general: debug 1: zone_gotwritehandle: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.659 general: debug 3: zone_shutdown: zone example.ch/IN (signed): shutting down
30-Nov-2021 10:07:04.664 general: debug 3: zone_shutdown: zone example.ch/IN (unsigned): shutting down
30-Nov-2021 10:07:04.664 database: debug 1: calling free_rbtdb(example.ch)
30-Nov-2021 10:07:04.664 database: debug 1: done free_rbtdb(example.ch)
30-Nov-2021 10:07:04.665 general: debug 1: dump_done: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.665 general: debug 1: zone_journal_compact: zone example.ch/IN (signed): target journal size 2358
30-Nov-2021 10:07:04.665 general: debug 3: zone example.ch/IN (signed): dns_journal_compact: success
30-Nov-2021 10:07:04.669 database: debug 1: calling free_rbtdb(example.ch)
30-Nov-2021 10:07:04.669 database: debug 1: done free_rbtdb(example.ch)
30-Nov-2021 10:07:04.743 general: debug 1: zone_timer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.743 general: debug 1: zone_maintenance: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.745 zoneload: debug 1: zone example.ch/IN (unsigned): starting load
30-Nov-2021 10:07:04.745 general: debug 1: zone_startload: zone example.ch/IN (unsigned): enter
30-Nov-2021 10:07:04.746 zoneload: debug 2: zone example.ch/IN (unsigned): number of nodes in database: 1
30-Nov-2021 10:07:04.746 zoneload: debug 1: zone example.ch/IN (unsigned): journal empty
30-Nov-2021 10:07:04.746 zoneload: debug 1: zone example.ch/IN (unsigned): loaded; checking validity
30-Nov-2021 10:07:04.746 general: debug 1: dns_zone_verifydb: zone example.ch/IN (unsigned): enter
30-Nov-2021 10:07:04.746 general: debug 1: zone_settimer: zone example.ch/IN (unsigned): enter
30-Nov-2021 10:07:04.746 zoneload: info: zone example.ch/IN (unsigned): loaded serial 2021113001
30-Nov-2021 10:07:04.746 zoneload: debug 1: zone example.ch/IN (signed): starting load
30-Nov-2021 10:07:04.746 general: debug 1: zone_startload: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.746 zoneload: debug 2: zone example.ch/IN (signed): number of nodes in database: 1
30-Nov-2021 10:07:04.746 zoneload: debug 1: zone example.ch/IN (signed): journal rollforward completed successfully: up to date
30-Nov-2021 10:07:04.746 zoneload: debug 1: zone example.ch/IN (signed): loaded; checking validity
30-Nov-2021 10:07:04.746 general: debug 1: dns_zone_verifydb: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.746 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.746 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.746 zoneload: info: zone example.ch/IN (signed): loaded serial 2021113003
30-Nov-2021 10:07:04.758 general: debug 1: dns_zone_maintenance: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.758 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.758 general: debug 1: dns_zone_maintenance: zone example.ch/IN (unsigned): enter
30-Nov-2021 10:07:04.758 general: debug 1: zone_settimer: zone example.ch/IN (unsigned): enter
30-Nov-2021 10:07:04.761 general: debug 1: setnsec3param: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.761 general: debug 1: rss_post: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.761 general: debug 1: receive_secure_serial: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.764 general: error: zone example.ch/IN (signed): found no active private keys, unable to generate any signatures
30-Nov-2021 10:07:04.764 general: debug 1: zone_journal: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.769 general: debug 1: zone_needdump: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.769 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.769 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.770 general: debug 1: zone_timer: zone example.ch/IN (unsigned): enter
30-Nov-2021 10:07:04.770 general: debug 1: zone_maintenance: zone example.ch/IN (unsigned): enter
30-Nov-2021 10:07:04.770 general: debug 1: zone_settimer: zone example.ch/IN (unsigned): enter
30-Nov-2021 10:07:04.771 general: debug 1: zone_timer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.771 general: debug 1: zone_maintenance: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.771 notify: info: zone example.ch/IN (signed): sending notifies (serial 2021113004)
30-Nov-2021 10:07:04.771 dnssec: info: zone example.ch/IN (signed): reconfiguring zone keys
30-Nov-2021 10:07:04.777 dnssec: debug 1: keymgr: keyring: example.ch/ECDSAP256SHA256/54591 (policy thewaytogo-faster)
30-Nov-2021 10:07:04.777 dnssec: debug 1: keymgr: keyring: example.ch/ECDSAP256SHA256/56340 (policy thewaytogo-faster)
30-Nov-2021 10:07:04.777 dnssec: debug 1: keymgr: dnskeys: example.ch/ECDSAP256SHA256/54591 (policy thewaytogo-faster)
30-Nov-2021 10:07:04.777 dnssec: debug 1: keymgr: dnskeys: example.ch/ECDSAP256SHA256/56340 (policy thewaytogo-faster)
30-Nov-2021 10:07:04.777 dnssec: debug 1: keymgr: DNSKEY example.ch/ECDSAP256SHA256/56340 (KSK) matches policy thewaytogo-faster
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: DNSKEY example.ch/ECDSAP256SHA256/56340 (KSK) is active in policy thewaytogo-faster
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: new successor needed for DNSKEY example.ch/ECDSAP256SHA256/56340 (KSK) (policy thewaytogo-faster) in 2656704072 seconds
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: DNSKEY example.ch/ECDSAP256SHA256/54591 (ZSK) matches policy thewaytogo-faster
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: DNSKEY example.ch/ECDSAP256SHA256/54591 (ZSK) is active in policy thewaytogo-faster
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: new successor needed for DNSKEY example.ch/ECDSAP256SHA256/54591 (ZSK) (policy thewaytogo-faster) in 596816 seconds
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: examine ZSK example.ch/ECDSAP256SHA256/54591 type DNSKEY in state RUMOURED
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: can we transition ZSK example.ch/ECDSAP256SHA256/54591 type DNSKEY state RUMOURED to state OMNIPRESENT?
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: dnssec evaluation of ZSK example.ch/ECDSAP256SHA256/54591 record DNSKEY: rule1=(~true or true) rule2=(~true or true) rule3=(~false or false)
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: time says no to ZSK example.ch/ECDSAP256SHA256/54591 type DNSKEY state RUMOURED to state OMNIPRESENT (wait 7016 seconds)
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: examine ZSK example.ch/ECDSAP256SHA256/54591 type ZRRSIG in state HIDDEN
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: can we transition ZSK example.ch/ECDSAP256SHA256/54591 type ZRRSIG state HIDDEN to state RUMOURED?
30-Nov-2021 10:07:04.779 dnssec: debug 1: keymgr: policy says no to ZSK example.ch/ECDSAP256SHA256/54591 type ZRRSIG state HIDDEN to state RUMOURED
30-Nov-2021 10:07:04.779 dnssec: debug 1: keymgr: examine KSK example.ch/ECDSAP256SHA256/56340 type DNSKEY in state OMNIPRESENT
30-Nov-2021 10:07:04.779 dnssec: debug 1: keymgr: KSK example.ch/ECDSAP256SHA256/56340 type DNSKEY in stable state OMNIPRESENT
30-Nov-2021 10:07:04.779 dnssec: debug 1: keymgr: examine KSK example.ch/ECDSAP256SHA256/56340 type KRRSIG in state OMNIPRESENT
30-Nov-2021 10:07:04.779 dnssec: debug 1: keymgr: KSK example.ch/ECDSAP256SHA256/56340 type KRRSIG in stable state OMNIPRESENT
30-Nov-2021 10:07:04.779 dnssec: debug 1: keymgr: examine KSK example.ch/ECDSAP256SHA256/56340 type DS in state OMNIPRESENT
30-Nov-2021 10:07:04.779 dnssec: debug 1: keymgr: KSK example.ch/ECDSAP256SHA256/56340 type DS in stable state OMNIPRESENT
30-Nov-2021 10:07:04.780 general: info: CDS for key example.ch/ECDSAP256SHA256/56340 is now published
30-Nov-2021 10:07:04.780 general: info: CDNSKEY for key example.ch/ECDSAP256SHA256/56340 is now published
30-Nov-2021 10:07:04.782 general: debug 1: zone_journal: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.784 general: debug 1: zone_needdump: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.784 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.784 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.785 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.785 dnssec: debug 3: zone example.ch/IN (signed): next key event in 7016 seconds
30-Nov-2021 10:07:04.785 dnssec: info: zone example.ch/IN (signed): next key event: 30-Nov-2021 12:04:00.771
30-Nov-2021 10:07:04.785 dnssec: debug 3: zone example.ch/IN (signed): zone_rekey done: key 54591/ECDSAP256SHA256
30-Nov-2021 10:07:04.785 dnssec: debug 3: zone example.ch/IN (signed): zone_rekey done: key 56340/ECDSAP256SHA256
30-Nov-2021 10:07:04.785 general: debug 1: zone_sign: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.787 dnssec: debug 3: zone example.ch/IN (signed): zone_sign:use kasp -> yes
30-Nov-2021 10:07:04.787 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:09.771 general: debug 1: zone_timer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:09.771 general: debug 1: zone_maintenance: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:09.771 notify: info: zone example.ch/IN (signed): sending notifies (serial 2021113005)
30-Nov-2021 10:07:09.771 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
```
#### rndc sign example.ch
```
30-Nov-2021 10:10:56.477 general: info: received control channel command 'sign example.ch'
30-Nov-2021 10:10:56.478 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.478 general: debug 1: zone_timer: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.478 general: debug 1: zone_maintenance: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.478 dnssec: info: zone example.ch/IN (signed): reconfiguring zone keys
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: keyring: example.ch/ECDSAP256SHA256/54591 (policy thewaytogo-faster)
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: keyring: example.ch/ECDSAP256SHA256/56340 (policy thewaytogo-faster)
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: dnskeys: example.ch/ECDSAP256SHA256/54591 (policy thewaytogo-faster)
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: dnskeys: example.ch/ECDSAP256SHA256/56340 (policy thewaytogo-faster)
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: DNSKEY example.ch/ECDSAP256SHA256/56340 (KSK) matches policy thewaytogo-faster
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: DNSKEY example.ch/ECDSAP256SHA256/56340 (KSK) is active in policy thewaytogo-faster
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: new successor needed for DNSKEY example.ch/ECDSAP256SHA256/56340 (KSK) (policy thewaytogo-faster) in 2656703840 seconds
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: DNSKEY example.ch/ECDSAP256SHA256/54591 (ZSK) matches policy thewaytogo-faster
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: DNSKEY example.ch/ECDSAP256SHA256/54591 (ZSK) is active in policy thewaytogo-faster
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: new successor needed for DNSKEY example.ch/ECDSAP256SHA256/54591 (ZSK) (policy thewaytogo-faster) in 596584 seconds
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: examine ZSK example.ch/ECDSAP256SHA256/54591 type DNSKEY in state RUMOURED
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: can we transition ZSK example.ch/ECDSAP256SHA256/54591 type DNSKEY state RUMOURED to state OMNIPRESENT?
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: dnssec evaluation of ZSK example.ch/ECDSAP256SHA256/54591 record DNSKEY: rule1=(~true or true) rule2=(~true or true) rule3=(~false or false)
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: time says no to ZSK example.ch/ECDSAP256SHA256/54591 type DNSKEY state RUMOURED to state OMNIPRESENT (wait 6784 seconds)
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: examine ZSK example.ch/ECDSAP256SHA256/54591 type ZRRSIG in state HIDDEN
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: can we transition ZSK example.ch/ECDSAP256SHA256/54591 type ZRRSIG state HIDDEN to state RUMOURED?
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: policy says no to ZSK example.ch/ECDSAP256SHA256/54591 type ZRRSIG state HIDDEN to state RUMOURED
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: examine KSK example.ch/ECDSAP256SHA256/56340 type DNSKEY in state OMNIPRESENT
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: KSK example.ch/ECDSAP256SHA256/56340 type DNSKEY in stable state OMNIPRESENT
30-Nov-2021 10:10:56.484 dnssec: debug 1: keymgr: examine KSK example.ch/ECDSAP256SHA256/56340 type KRRSIG in state OMNIPRESENT
30-Nov-2021 10:10:56.484 dnssec: debug 1: keymgr: KSK example.ch/ECDSAP256SHA256/56340 type KRRSIG in stable state OMNIPRESENT
30-Nov-2021 10:10:56.484 dnssec: debug 1: keymgr: examine KSK example.ch/ECDSAP256SHA256/56340 type DS in state OMNIPRESENT
30-Nov-2021 10:10:56.484 dnssec: debug 1: keymgr: KSK example.ch/ECDSAP256SHA256/56340 type DS in stable state OMNIPRESENT
30-Nov-2021 10:10:56.487 general: warning: zone example.ch/IN (signed): Key example.ch/ECDSAP256SHA256/56340 missing or inactive and has no replacement: retaining signatures.
30-Nov-2021 10:10:56.487 general: debug 1: zone_journal: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.490 general: debug 1: zone_needdump: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.490 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.490 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.490 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.490 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.490 dnssec: debug 3: zone example.ch/IN (signed): next key event in 6784 seconds
30-Nov-2021 10:10:56.490 dnssec: info: zone example.ch/IN (signed): next key event: 30-Nov-2021 12:04:00.478
30-Nov-2021 10:10:56.491 dnssec: debug 3: zone example.ch/IN (signed): zone_rekey done: key 54591/ECDSAP256SHA256
30-Nov-2021 10:10:56.491 dnssec: debug 3: zone example.ch/IN (signed): zone_rekey done: key 56340/ECDSAP256SHA256
30-Nov-2021 10:10:56.491 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.491 general: debug 1: zone_timer: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.491 general: debug 1: zone_maintenance: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.491 general: debug 1: zone_sign: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.493 dnssec: debug 3: zone example.ch/IN (signed): zone_sign:use kasp -> yes
30-Nov-2021 10:10:56.493 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
```
### What is the expected *correct* behavior?
Signed zone
### Relevant configuration files
```
# zone configuration
zone "example.ch" {
    type master;
    file "master/example.ch.hosts";
    dnssec-policy thewaytogo-faster;
    parental-agents { "ch"; };
    key-directory "/etc/named/keys/example.ch";
};
```
```
# dnssec-policy
dnssec-policy "thewaytogo-faster" {
    // Signatures
    signatures-refresh 5d;
    signatures-validity 14d;
    signatures-validity-dnskey 14d;
    // Keys
    dnskey-ttl 3600s;
    publish-safety 1h;
    retire-safety 1h;
    purge-keys 30d;
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime 7d algorithm ecdsap256sha256;
    };
    // Zone properties
    zone-propagation-delay 300s;
    max-zone-ttl 86400s;
    // Parent properties
    parent-propagation-delay 1h;
    parent-ds-ttl 3600;
```January 2022 (9.16.25, 9.16.25-S1, 9.17.22)Matthijs Mekkingmatthijs@isc.orgMatthijs Mekkingmatthijs@isc.orghttps://gitlab.isc.org/isc-projects/bind9/-/issues/3027Move setting of @SO@ to copy_setports2022-03-01T09:43:31ZMark AndrewsMove setting of @SO@ to copy_setportsSetting @SO@ in conf files is currently done by configure. copy_setports should be capable of doing this.Setting @SO@ in conf files is currently done by configure. copy_setports should be capable of doing this.Not plannedhttps://gitlab.isc.org/isc-projects/stork/-/issues/619Connect to agent over IPv6 link-local address2021-11-30T14:28:16ZSlawek FigielConnect to agent over IPv6 link-local addressThe connection between Stork Agent and Stork Server doesn't work when the Agent uses a link-local IPv6 address.
The Stork Server rejects this address during validation. But even if the validation will change there is one more problem.
...The connection between Stork Agent and Stork Server doesn't work when the Agent uses a link-local IPv6 address.
The Stork Server rejects this address during validation. But even if the validation changes, there is one more problem.
The apps in the Stork Server use schema `APPNAME@AGENTADDRESS%NUM`. The NUM is sequential and optional.
The zone ID in the link-local address (e.g. `fe80::%eth0`) is recognized as an app number. Additionally, the validator denies multiple app numbers in the name.
The validation is implemented partially as database triggers.

Milestone: backlog

https://gitlab.isc.org/isc-projects/bind9/-/issues/3025
Document how rate limiting uses DNS cookies.
Author: Björn Persson (updated: 2022-01-12T10:13:31Z)

The reference manual gives the impression that rate limiting ignores DNS cookies. My experiments show that clients that support DNS cookies are sent server cookies instead of truncated responses, and clients that present a valid server cookie are exempted from rate limiting. This is great, but it should be documented.
Here's a patch to document the behaviour as I understand it from my observations. It might be good if someone who knows the code would fact-check this.
[0001-Document-how-rate-limiting-uses-DNS-cookies.patch](/uploads/23a25512fa614d38bde831378f9bbc02/0001-Document-how-rate-limiting-uses-DNS-cookies.patch)

Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3023
auto-dnssec documented under options, only accepted under zone
Author: John W. O'Brien (updated: 2022-01-05T11:26:18Z)

### Summary
`auto-dnssec` is documented under the grammar for the `options` statement, but can only be specified inside a `zone` statement.
### BIND version used
```
BIND 9.16.22 (Extended Support Version) <id:59bfaba>
running on FreeBSD amd64 12.2-RELEASE-p7 FreeBSD 12.2-RELEASE-p7 GENERIC
built by make with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlz-filesystem=yes' '--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--with-gssapi=/usr/local' 'CFLAGS=-I/usr/local/include -O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS=-L/usr/local/lib -Wl,-rpath,/usr/local/lib:/usr/local/lib -L/usr/local/lib -ljson-c -fstack-protector-strong ' 'LIBS=-lkrb5 -lgssapi_krb5 -L/usr/local/lib' 'KRB5CONFIG=/usr/local/bin/krb5-config' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' '--disable-querytrace' '--enable-tcp-fastopen' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.2' 'build_alias=amd64-portbld-freebsd12.2' 'CC=cc' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
compiled by CLANG FreeBSD Clang 10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)
compiled with OpenSSL version: OpenSSL 1.1.1l 24 Aug 2021
linked to OpenSSL version: OpenSSL 1.1.1l 24 Aug 2021
compiled with libuv version: 1.42.0
linked to libuv version: 1.42.0
compiled with libxml2 version: 2.9.12
linked to libxml2 version: 20912
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.4.0
linked to protobuf-c version: 1.4.0
threads support is enabled
default paths:
named configuration: /usr/local/etc/namedb/named.conf
rndc configuration: /usr/local/etc/namedb/rndc.conf
DNSSEC root key: /usr/local/etc/namedb/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/pid
named lock file: /var/run/named/named.lock
```
### Steps to reproduce
Set `auto-dnssec` under `options` and start or reload `named`.
### What is the current *bug* behavior?
The configuration is rejected as invalid.
### What is the expected *correct* behavior?
If the documentation is correct, this option should define the default setting for all subsequent zone definitions, just like `allow-transfer` and friends.
If the documentation is incorrect, specification of `auto-dnssec` should appear under "`zone` Statement Definition and Usage".
### Relevant configuration files
`named.conf`:
```
options {
    auto-dnssec maintain; # or "allow"
};
```
### Relevant logs and/or screenshots
```
% sudo service named start
/usr/local/etc/namedb/named.conf:2: auto-dnssec may only be activated at the zone level
/usr/local/etc/rc.d/named: ERROR: named-checkconf for /usr/local/etc/namedb/named.conf failed
```
### Possible fixes
* [Config validation check](https://gitlab.isc.org/isc-projects/bind9/-/blob/v9_16_22/lib/bind9/check.c#L1304-1319)
* [`auto-dnssec` in ARM](https://gitlab.isc.org/isc-projects/bind9/-/blob/v9_16_22/doc/arm/reference.rst#L2023-2044)

Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Assignee: Matthijs Mekking <matthijs@isc.org>

https://gitlab.isc.org/isc-projects/bind9/-/issues/3021
dns_sdlz_putrr does not auto increase buffer
Author: Rainer W. (updated: 2021-11-25T20:48:33Z)

### Summary
dns_sdlz_putrr does not auto increase buffer
### BIND version used
9.16, but the bug also exists in the current master.
### Steps to reproduce
add DLZ LDAP support and create a long dlzDomain
### What is the current *bug* behavior?
when "dns_rdata_fromtext: buffer-0x7f17cc6ea940:1: near '604800': ran out of space" is "detected" and the buffer is < 64k, dns_sdlz_putrr immediately exits with DNS_R_SERVFAIL.
### What is the expected *correct* behavior?
loop in dns_sdlz_putrr to increase the buffer so parsing can happen.
### Relevant configuration files
-
### Relevant logs and/or screenshots
-
### Possible fixes
commenting out `result = DNS_R_SERVFAIL;` in https://gitlab.isc.org/isc-projects/bind9/-/blob/main/lib/dns/sdlz.c#L1855 fixes the issue.
As far as I understand, the code in dns_sdlz_putrr runs a while loop until the buffer has been increased enough that the input can be successfully parsed (or a 64k buffer size is reached).
But the line mentioned above hard-overwrites the result to DNS_R_SERVFAIL. Yes, only when `result != ISC_R_SUCCESS`, but to my understanding a result of ISC_R_NOSPACE will always be != ISC_R_SUCCESS, so the loop will never run / is basically dead code.
This breaks lookups in my case, but removing line 1855 enables the original buffer increment logic; a patched instance loops a second time with an increased buffer and therefore can parse the DLZ LDAP input correctly and resolve successfully.
I'm not sure if just removing line 1855 is the correct solution. I would say 1866 does already handle the jump to failure: in case the result is != success.December 2021 (9.16.24, 9.16.24-S1, 9.17.21)Mark AndrewsMark Andrewshttps://gitlab.isc.org/isc-projects/bind9/-/issues/3015QNAME minimization test fails as non-minimized request is served from cache2022-03-01T09:38:59ZWil KnollQNAME minimization test fails as non-minimized request is served from cache### Summary
When using default configuration for BIND the QNAME minimization test hosted at internet.nl would fail randomly after four or more iterations. It appears that the fourth request in a row is served the proper minimized reques...### Summary
When using default configuration for BIND the QNAME minimization test hosted at internet.nl would fail randomly after four or more iterations. It appears that the fourth request in a row is served the proper minimized request cached previously, but triggers a fetch at the same time which is not minimized. The response to that request is then served to the following fifth request and beyond.
```
17-Nov-2021 06:17:13.568 client @0x7fef808ae838 127.0.0.1#35491 (qnamemintest.internet.nl): query: qnamemintest.internet.nl IN TXT + (127.0.0.1)
17-Nov-2021 06:17:13.568 client @0x7fef808ae838 127.0.0.1#35491 (qnamemintest.internet.nl): query (cache) 'qnamemintest.internet.nl/TXT/IN' approved
17-Nov-2021 06:17:13.568 fetch: a.b.qnamemin-test.internet.nl/TXT
17-Nov-2021 06:17:13.568 log_ns_ttl: fctx 0x7fef80044e60: fctx_create: a.b.qnamemin-test.internet.nl (in 'internet.nl'?): 1 3587
17-Nov-2021 06:17:13.568 QNAME minimization - not minimized, qmintype 16 qminname a.b.qnamemin-test.internet.nl
```
### BIND version used
BIND 9.16.22-Ubuntu (Extended Support Version) <id:59bfaba>
### Steps to reproduce
We ran the following bash commands and this behaviour would occur sometimes after four or five iterations, other times after a dozen or more. We echoed the `date` command into the log as well to line up events.
```
for i in {1..30};
do date +"%T.%6N";
echo "Test Number " $i;
echo "========== Before test" $i >> /var/log/named/default.log;
kdig +nodnssec +short @127.0.0.1 qnamemintest.internet.nl TXT;
date +"%T.%6N";
echo "======== done test" $i >> /var/log/named/default.log;
echo "Test Number " $i "done, sleeping.";
sleep 3;
done
```
### What is the current *bug* behavior?
Here the test fails on the fifth iteration.
```
06:16:57.072993
Test Number 1
;; WARNING: response timeout for 127.0.0.1@53(UDP)
a.b.qnamemin-test.internet.nl.
"HOORAY - QNAME minimisation is enabled on your resolver :)!"
06:17:04.540956
Test Number 1 done, sleeping.
06:17:07.545660
Test Number 2
a.b.qnamemin-test.internet.nl.
"HOORAY - QNAME minimisation is enabled on your resolver :)!"
06:17:07.551628
Test Number 2 done, sleeping.
06:17:10.556281
Test Number 3
a.b.qnamemin-test.internet.nl.
"HOORAY - QNAME minimisation is enabled on your resolver :)!"
06:17:10.562749
Test Number 3 done, sleeping.
06:17:13.567638
Test Number 4
a.b.qnamemin-test.internet.nl.
"HOORAY - QNAME minimisation is enabled on your resolver :)!"
06:17:13.574423
Test Number 4 done, sleeping.
06:17:16.578864
Test Number 5
a.b.qnamemin-test.internet.nl.
"NO - QNAME minimisation is NOT enabled on your resolver :("
06:17:16.584539
Test Number 5 done, sleeping.
06:17:19.588370
Test Number 6
a.b.qnamemin-test.internet.nl.
"NO - QNAME minimisation is NOT enabled on your resolver :("
06:17:19.594741
Test Number 6 done, sleeping.
```
Part of the internet.nl test is to serve a different TXT record based on the delegation path for their records. If you do not follow QNAME minimization to spec, you will miss a delegation and be served a different record than if you had walked the whole way down from the top. In this case, we are served the failure message.
In the debug below, we see that the fourth test is served from cache while a new fetch of the TXT is started and not minimized. That response arrives after the fourth request has been served and before the fifth. The fifth is then sent the non-minimized response.
```
========== Before test 4
17-Nov-2021 06:17:13.568 clientmgr @0x7fef8ee53190 attach: 4
17-Nov-2021 06:17:13.568 client @0x7fef808ae838 (no-peer): allocate new client
17-Nov-2021 06:17:13.568 client @0x7fef808ae838 127.0.0.1#35491: UDP request
17-Nov-2021 06:17:13.568 client @0x7fef808ae838 127.0.0.1#35491: using view '_default'
17-Nov-2021 06:17:13.568 client @0x7fef808ae838 127.0.0.1#35491: request is not signed
17-Nov-2021 06:17:13.568 client @0x7fef808ae838 127.0.0.1#35491: recursion available
17-Nov-2021 06:17:13.568 client @0x7fef808ae838 127.0.0.1#35491 (qnamemintest.internet.nl): query: qnamemintest.internet.nl IN TXT + (127.0.0.1)
17-Nov-2021 06:17:13.568 client @0x7fef808ae838 127.0.0.1#35491 (qnamemintest.internet.nl): query (cache) 'qnamemintest.internet.nl/TXT/IN' approved
17-Nov-2021 06:17:13.568 fetch: a.b.qnamemin-test.internet.nl/TXT
17-Nov-2021 06:17:13.568 log_ns_ttl: fctx 0x7fef80044e60: fctx_create: a.b.qnamemin-test.internet.nl (in 'internet.nl'?): 1 3587
17-Nov-2021 06:17:13.568 QNAME minimization - not minimized, qmintype 16 qminname a.b.qnamemin-test.internet.nl
17-Nov-2021 06:17:13.568 expiring v4 for name 0x7fef8432c600
17-Nov-2021 06:17:13.568 expire_v4 set to MIN(2147483647,1637129843) import_rdataset
17-Nov-2021 06:17:13.568 dns_adb_createfind: found A for name ns1.sidnlabs.nl (0x7fef8432c600) in db
17-Nov-2021 06:17:13.568 fctx 0x7fef80044e60(a.b.qnamemin-test.internet.nl/TXT): createfind for 127.0.0.1#35491/54667 - success
17-Nov-2021 06:17:13.568 expiring v4 for name 0x7fef8432c4d0
17-Nov-2021 06:17:13.568 expire_v4 set to MIN(2147483647,1637129843) import_rdataset
17-Nov-2021 06:17:13.568 dns_adb_createfind: found A for name ns3.sidn.nl (0x7fef8432c4d0) in db
17-Nov-2021 06:17:13.568 fctx 0x7fef80044e60(a.b.qnamemin-test.internet.nl/TXT): createfind for 127.0.0.1#35491/54667 - success
17-Nov-2021 06:17:13.568 socket 0x7fef8419c178: socket_recv: event 0x7fef8419f160 -> task 0x7fef84914550
17-Nov-2021 06:17:13.568 sending packet to 94.198.159.8#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15820
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 6e57d9bce860fbf50100000061949e5c594abc51bbb6293a
;; QUESTION SECTION:
;a.b.qnamemin-test.internet.nl. IN TXT
======== done test 4
17-Nov-2021 06:17:13.844 socket 0x7fef8419c178: socket_recv: event 0x7fef8419f010 -> task 0x7fef84914550
17-Nov-2021 06:17:13.844 received packet from 94.198.159.8#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15820
;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 6e57d9bce860fbf50100000061949e69a15a47ca6fecf4ce
;; QUESTION SECTION:
;a.b.qnamemin-test.internet.nl. IN TXT
;; AUTHORITY SECTION:
;qnamemin-test.internet.nl. 10 IN NS ns.qnamemin-test.internet.nl.
;37EVSMIUKP9K7OAANU0THSBL3AFJAJJI.internet.nl. 300 IN NSEC3 1 0 0 - (
; 3UK0OFP95GPMB6AJ2O611UGNO7EJ4O6U
; NS )
;37EVSMIUKP9K7OAANU0THSBL3AFJAJJI.internet.nl. 300 IN RRSIG NSEC3 13 3 300 (
; 20211212072148 20211112065813 16313 internet.nl.
; E/vfuxroRZjeupIxjp+s3aQpKPb0
; fYR3UjTMs3yoHhF66kz/wvPyuwvY
; 9vlHJ1UmifUBfmyAtZj560mQ0loV
; MQ== )
;; ADDITIONAL SECTION:
;ns.qnamemin-test.internet.nl. 10 IN A 185.49.140.61
;ns.qnamemin-test.internet.nl. 10 IN AAAA 2a04:b900::8:0:0:61
17-Nov-2021 06:17:13.844 log_ns_ttl: fctx 0x7fef80044e60: rctx_answer_none: a.b.qnamemin-test.internet.nl (in 'internet.nl'?): 1 3587
17-Nov-2021 06:17:13.844 QNAME minimization - not minimized, qmintype 16 qminname a.b.qnamemin-test.internet.nl
17-Nov-2021 06:17:13.844 log_ns_ttl: fctx 0x7fef80044e60: DELEGATION: a.b.qnamemin-test.internet.nl (in 'qnamemin-test.internet.nl'?): 0 3587
17-Nov-2021 06:17:13.844 dns_adb_destroyfind on find 0x7fef84329d10
17-Nov-2021 06:17:13.844 dns_adb_destroyfind on find 0x7fef84327e10
17-Nov-2021 06:17:13.844 expiring v4 for name 0x7fef8432c3a0
17-Nov-2021 06:17:13.844 expire_v4 set to MIN(2147483647,1637129843) import_rdataset
17-Nov-2021 06:17:13.844 dns_adb_createfind: found A for name ns.qnamemin-test.internet.nl (0x7fef8432c3a0) in db
17-Nov-2021 06:17:13.844 fctx 0x7fef80044e60(a.b.qnamemin-test.internet.nl/TXT): createfind for 127.0.0.1#35491/54667 - success
17-Nov-2021 06:17:13.844 socket 0x7fef8419c010: socket_recv: event 0x7fef841a0550 -> task 0x7fef849186d0
17-Nov-2021 06:17:13.844 sending packet to 185.49.140.61#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7077
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: e77abc1b4903389a
;; QUESTION SECTION:
;a.b.qnamemin-test.internet.nl. IN TXT
17-Nov-2021 06:17:14.236 socket 0x7fef8419c010: socket_recv: event 0x7fef841a0400 -> task 0x7fef849186d0
17-Nov-2021 06:17:14.236 received packet from 185.49.140.61#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7077
;; flags: qr aa; QUESTION: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;a.b.qnamemin-test.internet.nl. IN TXT
;; ANSWER SECTION:
;a.b.qnamemin-test.internet.nl. 10 IN TXT "NO - QNAME minimisation is NOT enabled on your resolver :("
;; AUTHORITY SECTION:
;a.b.qnamemin-test.internet.nl. 10 IN NS ns.a.b.qnamemin-test.internet.nl.
;; ADDITIONAL SECTION:
;ns.a.b.qnamemin-test.internet.nl. 10 IN A 185.49.140.61
;ns.a.b.qnamemin-test.internet.nl. 10 IN AAAA 2a04:b900::8:0:0:61
17-Nov-2021 06:17:14.236 log_ns_ttl: fctx 0x7fef80044e60: rctx_answer: a.b.qnamemin-test.internet.nl (in 'qnamemin-test.internet.nl'?): 1 10
17-Nov-2021 06:17:14.236 validating a.b.qnamemin-test.internet.nl/TXT: starting
17-Nov-2021 06:17:14.236 validating a.b.qnamemin-test.internet.nl/TXT: attempting insecurity proof
17-Nov-2021 06:17:14.236 validating a.b.qnamemin-test.internet.nl/TXT: checking existence of DS at 'nl'
17-Nov-2021 06:17:14.236 validating a.b.qnamemin-test.internet.nl/TXT: checking existence of DS at 'internet.nl'
17-Nov-2021 06:17:14.236 validating a.b.qnamemin-test.internet.nl/TXT: checking existence of DS at 'qnamemin-test.internet.nl'
17-Nov-2021 06:17:14.236 validating a.b.qnamemin-test.internet.nl/TXT: marking as answer (proveunsecure (4))
17-Nov-2021 06:17:14.236 validator @0x7fef80047440: dns_validator_destroy
17-Nov-2021 06:17:14.236 delete_node(): 0x7fef8482b940 ns.a.b.qnamemin-test.internet.nl (bucket 13)
17-Nov-2021 06:17:14.236 client @0x7fef808ae838 127.0.0.1#35491 (qnamemintest.internet.nl): reset client
17-Nov-2021 06:17:14.236 dns_adb_destroyfind on find 0x7fef84327e10
========== Before test 5
17-Nov-2021 06:17:16.580 client @0x7fef78053e18 127.0.0.1#45992: UDP request
17-Nov-2021 06:17:16.580 client @0x7fef78053e18 127.0.0.1#45992: using view '_default'
17-Nov-2021 06:17:16.580 client @0x7fef78053e18 127.0.0.1#45992: request is not signed
17-Nov-2021 06:17:16.580 client @0x7fef78053e18 127.0.0.1#45992: recursion available
17-Nov-2021 06:17:16.580 client @0x7fef78053e18 127.0.0.1#45992 (qnamemintest.internet.nl): query: qnamemintest.internet.nl IN TXT + (127.0.0.1)
17-Nov-2021 06:17:16.580 client @0x7fef78053e18 127.0.0.1#45992 (qnamemintest.internet.nl): query (cache) 'qnamemintest.internet.nl/TXT/IN' approved
17-Nov-2021 06:17:16.580 client @0x7fef78053e18 127.0.0.1#45992 (qnamemintest.internet.nl): reset client
======== done test 5
```
### What is the expected *correct* behavior?
We believe that served from cache or not, all requests should be minimized and this test should pass every time.
### Relevant logs and/or screenshots
We have `qname-minimization strict;` set in `named.conf.options`.
Beyond that and some logging changes, we are using the default configuration.
### Possible fixes
Wish I was that skilled to help out. I have previously opened https://gitlab.isc.org/isc-projects/bind9/-/issues/2665 which was similar, so some of the work there might be relevant.
Milestone: Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3012
BEGIN/END DNSSEC/MANAGED KEYS in bin/named/config.c are mismatched.
Updated: 2021-12-01T11:56:08Z
Author: Mark Andrews
The current code is like this:
```
# BEGIN DNSSEC KEYS\n"
/* Imported from bind.keys.h: */
TRUST_ANCHORS
"# END MANAGED KEYS\n\
```
Which results in strange command lines if you want to extract the contents from the binary.
```
strings /usr/local/sbin/named | sed -n '/^# BEGIN DNSSEC KEYS/,/# END MANAGED KEYS/p'
```
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3009
Set -DOPENSSL_SUPPRESS_DEPRECATED for 9.16 and 9.11
Updated: 2022-03-01T09:44:10Z
Author: Mark Andrews
Given we are not planning to backport OpenSSL 3.0 changes to 9.16 and 9.11, perhaps we should just silence the deprecated warnings on these branches as they impact on --enable-developer / --enable-warn-error.
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3003
Greedy regular expression causes intermittent "nsupdate" system test failures
Updated: 2021-11-10T01:51:51Z
Author: Michał Kępień
One of the checks in the `nsupdate` system test [prepares][1] an
`nsupdate` script by processing a response to a DNSKEY query.
Specifically, it attempts to change the TTL of the DNSKEY RRset (from 10
to 600). However, a greedy regular expression involved in that process
may cause DNSKEY RDATA to be mangled instead of the TTL:
https://gitlab.isc.org/isc-private/bind9/-/jobs/2088895
```
05-Nov-2021 11:50:17.573 received client packet from 10.53.0.3#60245
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 38838
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 0
;; ZONE SECTION:
;dnskey.test. IN SOA
;; UPDATE SECTION:
;dnskey.test. 600 IN DNSKEY 256 3 5 (
; AwEAAdS72SeIDeDR/y7ZxEToyLSQ
; Q/rm7f3dQBo/GK8RjRZTjTxMchRW
; itmi/kCJxSOW0rFV/ueWJTwcJbSq
; upYYo1bgNUGNmLDoYfPEDIsClZrK
; jaLjlSWb2v7nYGVuMpLGJX5D2NCm
; QJz5uOQR+b7r/8uSW1eQzodpsLTm
; XQCnuKvj
; ) ; ZSK; alg = RSASHA1 ; key id = 40375
;dnskey.test. 10 IN DNSKEY 257 3 5 (
; AwEAAa600INEzZ8hHtv3d2j5grzq
; 7gAvaWk2TxHTuFhRUuIVJxUNTpTa
; vHvSbZglx/AXSGIIgfXDKd0VVXTa
; sW0eewfCpjNol5Cgfnb+VlO5kmjW
; 6nr1UnLgd+H/sRdG1Ip8amR+D0Xi
; pYmXnOFuO2VvFRBizPlWCFu1sQFr
; sCRYXhB/
; ) ; KSK; alg = RSASHA1 ; key id = 19267
```
Note that the second DNSKEY RR still has a TTL of 10 seconds and
contains the string `600` in its RDATA. Looking at the contents of
`ns3/dnskey.test.db` confirms that the relevant RDATA originally
contained a string matching the regular expression `10.IN`, breaking the
replacement:
```
$TTL 10
dnskey.test. IN SOA dnskey.test. hostmaster.dnskey.test. 1 3600 900 2419200 3600
dnskey.test. IN NS dnskey.test.
dnskey.test. IN A 10.53.0.3
; This is a key-signing key, keyid 18947, for dnskey.test.
; Created: 20211105114907 (Fri Nov 5 11:49:07 2021)
; Publish: 20211105114907 (Fri Nov 5 11:49:07 2021)
; Activate: 20211105114907 (Fri Nov 5 11:49:07 2021)
dnskey.test. IN DNSKEY 257 3 5 AwEAAa100INEzZ8hHtv3d2j5grzq7gAvaWk2TxHTuFhRUuIVJxUNTpTa vHvSbZglx/AXSGIIgfXDKd0VVXTasW0eewfCpjNol5Cgfnb+VlO5kmjW 6nr1UnLgd+H/sRdG1Ip8amR+D0XipYmXnOFuO2VvFRBizPlWCFu1sQFr sCRYXhB/
```
This cannot end well:
```
05-Nov-2021 11:50:17.573 dns_dnssec_findzonekeys2: error reading Kdnskey.test.+005+19267.private: file not found
```
[1]: https://gitlab.isc.org/isc-projects/bind9/-/blob/b69dfd6a7503ebb02496e115c3c05cbbf5f5f4bc/bin/tests/system/nsupdate/tests.sh#L751-755
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/issues/2976
Restore 'xsltproc' discovery for statistics system test 9.16
Updated: 2021-11-02T14:58:34Z
Author: Mark Andrews
xsltproc is used by the statistics system test and its discovery was removed in the transition to Sphinx for documents.
```
I:statistics:checking bind9.xsl vs xml (16)
I:statistics:skipping test as libxml2 and/or curl and/or xsltproc was not found
I:statistics:checking bind9.xml socket statistics (17)
I:statistics:skipping test as libxml2 and/or curl and/or xsltproc was not found
I:statistics:checking priming queries are counted (18)
I:statistics:Check that 'zone-statistics full;' is processed by 'rndc reconfig' (19)
I:statistics:exit status: 0
I:statistics:stopping servers
```
Milestone: November 2021 (9.16.23, 9.16.23-S1, 9.17.20)

https://gitlab.isc.org/isc-projects/bind9/-/issues/2972
Bug in RSA keys comparing function
Updated: 2021-10-28T13:51:53Z
Author: Aram Sargsyan
When comparing different parameters of two RSA keys in `opensslrsa_compare()`, there is a typo in the code which causes the "p" prime factors not to be compared.
Milestone: November 2021 (9.16.23, 9.16.23-S1, 9.17.20)
Assignee: Aram Sargsyan

https://gitlab.isc.org/isc-projects/bind9/-/issues/2947
unexpected deletion of configured catalog zone
Updated: 2021-10-27T13:05:17Z
Author: Mark Andrews
Job [#2034208](https://gitlab.isc.org/isc-projects/bind9/-/jobs/2034208) failed for 8a962622f211d50a9da66aa4759685f1598b87eb:
dom1.example is deleted despite it being added.
```
11-Oct-2021 23:27:45.427 catz: dns_catz_add_zone catalog1.example
11-Oct-2021 23:27:45.427 catz: dns_catz_add_zone catalog2.example
11-Oct-2021 23:27:45.427 catz: dns_catz_add_zone catalog3.example
11-Oct-2021 23:27:45.427 /builds/isc-projects/bind9/bin/tests/system/catz/ns2/named.conf:39: catz: zone-directory 'nonexistent' not found; zone files will not be saved
11-Oct-2021 23:27:45.639 catz: updating catalog zone 'catalog1.example' with serial 1
11-Oct-2021 23:27:45.639 catz: update_from_db: iteration finished
11-Oct-2021 23:27:45.655 catz: update_from_db: new zone merged
11-Oct-2021 23:27:45.743 catz: updating catalog zone 'catalog3.example' with serial 1
11-Oct-2021 23:27:45.743 catz: update_from_db: iteration finished
11-Oct-2021 23:27:45.759 catz: update_from_db: new zone merged
11-Oct-2021 23:27:50.835 catz: updating catalog zone 'catalog1.example' with serial 2
11-Oct-2021 23:27:50.835 catz: update_from_db: iteration finished
11-Oct-2021 23:27:50.843 catz: iterating over 'dom1.example' from catalog 'catalog1.example'
11-Oct-2021 23:27:50.843 catz: adding zone 'dom1.example' from catalog 'catalog1.example' - success
11-Oct-2021 23:27:50.855 catz: update_from_db: new zone merged
11-Oct-2021 23:27:50.855 catz: new zone version came too soon, deferring update
11-Oct-2021 23:27:55.859 catz: updating catalog zone 'catalog1.example' with serial 2
11-Oct-2021 23:27:55.859 catz: update_from_db: iteration finished
11-Oct-2021 23:27:55.867 catz: iterating over 'dom1.example' from catalog 'catalog1.example'
11-Oct-2021 23:27:55.867 catz: deleting zone 'dom1.example' from catalog 'catalog1.example' - success
11-Oct-2021 23:27:55.879 catz: update_from_db: new zone merged
11-Oct-2021 23:27:55.879 catz: catz_delzone_taskaction: zone 'dom1.example' deleted
11-Oct-2021 23:28:00.747 catz: updating catalog zone 'catalog2.example' with serial 1
11-Oct-2021 23:28:00.747 catz: update_from_db: iteration finished
11-Oct-2021 23:28:00.767 catz: update_from_db: new zone merged
11-Oct-2021 23:28:02.863 catz: update already queued
11-Oct-2021 23:28:02.863 catz: updating catalog zone 'catalog1.example' with serial 3
11-Oct-2021 23:28:02.863 catz: update_from_db: iteration finished
11-Oct-2021 23:28:02.867 catz: deleting zone 'dom1.example' from catalog 'catalog1.example' - success
11-Oct-2021 23:28:02.879 catz: update_from_db: new zone merged
11-Oct-2021 23:28:02.879 catz: catz_delzone_taskaction: zone 'dom1.example' not found
11-Oct-2021 23:28:03.351 catz: new zone version came too soon, deferring update
11-Oct-2021 23:28:06.355 catz: updating catalog zone 'catalog2.example' with serial 2
11-Oct-2021 23:28:06.355 catz: update_from_db: iteration finished
11-Oct-2021 23:28:06.359 catz: iterating over 'dom4.example' from catalog 'catalog2.example'
11-Oct-2021 23:28:06.359 catz: adding zone 'dom4.example' from catalog 'catalog2.example' - success
11-Oct-2021 23:28:06.367 catz: update_from_db: new zone merged
11-Oct-2021 23:28:07.867 catz: new zone version came too soon, deferring update
11-Oct-2021 23:28:07.867 catz: update already queued
11-Oct-2021 23:28:08.871 catz: updating catalog zone 'catalog1.example' with serial 4
11-Oct-2021 23:28:08.871 catz: unknown record in catalog zone - trash2.foo.catalog1.example IN A(failure) - ignoring
11-Oct-2021 23:28:08.871 catz: unknown record in catalog zone - trash.catalog1.example IN A(failure) - ignoring
11-Oct-2021 23:28:08.871 catz: unknown record in catalog zone - version.catalog1.example IN A(failure) - ignoring
11-Oct-2021 23:28:08.871 catz: unknown record in catalog zone - blahblah.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example IN TXT(failure) - ignoring
11-Oct-2021 23:28:08.871 catz: unknown record in catalog zone - foobarbaz.b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example IN APL(failure) - ignoring
11-Oct-2021 23:28:08.871 catz: unknown record in catalog zone - e721433b6160b450260d4f54b3ec8bab30cb3b83.zones.catalog1.example IN NS(failure) - ignoring
11-Oct-2021 23:28:08.871 catz: unknown record in catalog zone - trash3.zones.catalog1.example IN NS(failure) - ignoring
11-Oct-2021 23:28:08.871 catz: update_from_db: iteration finished
```
A closer look at the zone disappearing while the TXT queries for the new records are being made:
```
11-Oct-2021 23:27:54.819 query client=0x7b7c00070178 thread=0x7feb7696e700(dom1.example/TXT): ns__query_start
11-Oct-2021 23:27:54.819 client @0x7b7c00070178 10.53.0.1#39041 (dom1.example): query 'dom1.example/TXT/IN' approved
11-Oct-2021 23:27:54.819 query client=0x7b7c00070178 thread=0x7feb7696e700(dom1.example/TXT): query_lookup
11-Oct-2021 23:27:54.819 query client=0x7b7c00070178 thread=0x7feb7696e700(dom1.example/TXT): query_gotanswer
11-Oct-2021 23:27:54.819 client @0x7b7c00070178 10.53.0.1#39041 (dom1.example): rrl=(nil), HAVECOOKIE=0, result=DNS_R_NXRRSET, fname=0x7b5400030480(1), is_zone=1, RECURSIONOK=0, query.rpz_st=(nil)(0), RRL_CHECKED=0
11-Oct-2021 23:27:54.819 query client=0x7b7c00070178 thread=0x7feb7696e700(dom1.example/TXT): query_checkrpz
11-Oct-2021 23:27:54.819 query client=0x7b7c00070178 thread=0x7feb7696e700(dom1.example/TXT): rpz_rewrite
11-Oct-2021 23:27:54.819 query client=0x7b7c00070178 thread=0x7feb7696e700(dom1.example/TXT): query_nodata
11-Oct-2021 23:27:54.819 query client=0x7b7c00070178 thread=0x7feb7696e700(dom1.example/TXT): query_sign_nodata
11-Oct-2021 23:27:54.819 query client=0x7b7c00070178 thread=0x7feb7696e700(dom1.example/TXT): query_addsoa
11-Oct-2021 23:27:54.819 query client=0x7b7c00070178 thread=0x7feb7696e700(dom1.example/TXT): query_addrrset
11-Oct-2021 23:27:54.819 query client=0x7b7c00070178 thread=0x7feb7696e700(dom1.example/TXT): query_setorder
11-Oct-2021 23:27:54.819 query client=0x7b7c00070178 thread=0x7feb7696e700(dom1.example/TXT): query_additional
11-Oct-2021 23:27:54.819 query client=0x7b7c00070178 thread=0x7feb7696e700(dom1.example/TXT): query_additional: done
11-Oct-2021 23:27:54.819 query client=0x7b7c00070178 thread=0x7feb7696e700(dom1.example/TXT): query_addrrset: done
11-Oct-2021 23:27:54.819 query client=0x7b7c00070178 thread=0x7feb7696e700(dom1.example/TXT): ns_query_done
11-Oct-2021 23:27:54.819 client @0x7b7c00070178 10.53.0.1#39041 (dom1.example): reset client
11-Oct-2021 23:27:54.819 query client=0x7b7c00070178 thread=0x7feb7696e700(dom1.example/TXT): query_reset
11-Oct-2021 23:27:55.435 client @0x7b7c0002f578 10.53.0.1#36757: received notify for zone 'dom1.example'
11-Oct-2021 23:27:55.435 zone dom1.example/IN: notify from 10.53.0.1#36757: serial 2
11-Oct-2021 23:27:55.435 queue_soa_query: zone dom1.example/IN: enter
11-Oct-2021 23:27:55.435 soa_query: zone dom1.example/IN: enter
11-Oct-2021 23:27:55.439 refresh_callback: zone dom1.example/IN: enter
11-Oct-2021 23:27:55.439 refresh_callback: zone dom1.example/IN: serial: new 2, old 1
11-Oct-2021 23:27:55.439 queue_xfrin: zone dom1.example/IN: enter
11-Oct-2021 23:27:55.439 zone dom1.example/IN: Transfer started.
11-Oct-2021 23:27:55.439 zone dom1.example/IN: requesting IXFR from 10.53.0.1#6200
11-Oct-2021 23:27:55.439 transfer of 'dom1.example/IN' from 10.53.0.1#6200: connected using 10.53.0.2#44285
11-Oct-2021 23:27:55.439 transfer of 'dom1.example/IN' from 10.53.0.1#6200: requesting IXFR for serial 1
11-Oct-2021 23:27:55.439 transfer of 'dom1.example/IN' from 10.53.0.1#6200: sent request data
11-Oct-2021 23:27:55.443 transfer of 'dom1.example/IN' from 10.53.0.1#6200: received 191 bytes
;dom1.example. IN IXFR
dom1.example. 3600 IN SOA . . 2 3600 3600 3600 3600
dom1.example. 3600 IN SOA . . 1 3600 3600 3600 3600
dom1.example. 3600 IN SOA . . 2 3600 3600 3600 3600
dom1.example. 0 IN TXT "added" "record"
dom1.example. 3600 IN SOA . . 2 3600 3600 3600 3600
11-Oct-2021 23:27:55.443 transfer of 'dom1.example/IN' from 10.53.0.1#6200: got incremental response
11-Oct-2021 23:27:55.443 journal file zonedir/__catz___default_catalog1.example_dom1.example.db.jnl does not exist, creating it
11-Oct-2021 23:27:55.443 del dom1.example. 3600 IN SOA . . 1 3600 3600 3600 3600
11-Oct-2021 23:27:55.447 add dom1.example. 3600 IN SOA . . 2 3600 3600 3600 3600
11-Oct-2021 23:27:55.447 add dom1.example. 0 IN TXT "added" "record"
11-Oct-2021 23:27:55.447 dns_zone_verifydb: zone dom1.example/IN: enter
11-Oct-2021 23:27:55.447 zone_needdump: zone dom1.example/IN: enter
11-Oct-2021 23:27:55.447 zone_settimer: zone dom1.example/IN: enter
11-Oct-2021 23:27:55.447 zone dom1.example/IN: zone transfer finished: success
11-Oct-2021 23:27:55.447 zone dom1.example/IN: transferred serial 2
11-Oct-2021 23:27:55.447 zone_needdump: zone dom1.example/IN: enter
11-Oct-2021 23:27:55.447 zone_settimer: zone dom1.example/IN: enter
11-Oct-2021 23:27:55.447 zone_settimer: zone dom1.example/IN: enter
11-Oct-2021 23:27:55.447 transfer of 'dom1.example/IN' from 10.53.0.1#6200: Transfer status: success
11-Oct-2021 23:27:55.447 transfer of 'dom1.example/IN' from 10.53.0.1#6200: Transfer completed: 1 messages, 5 records, 191 bytes, 0.007 secs (27285 bytes/sec) (serial 2)
11-Oct-2021 23:27:55.447 transfer of 'dom1.example/IN' from 10.53.0.1#6200: freeing transfer context
11-Oct-2021 23:27:55.859 catz: updating catalog zone 'catalog1.example' with serial 2
11-Oct-2021 23:27:55.859 catz: update_from_db: iteration finished
11-Oct-2021 23:27:55.867 catz: iterating over 'dom1.example' from catalog 'catalog1.example'
11-Oct-2021 23:27:55.867 catz: deleting zone 'dom1.example' from catalog 'catalog1.example' - success
11-Oct-2021 23:27:55.879 catz: update_from_db: new zone merged
11-Oct-2021 23:27:55.879 calling free_rbtdb(dom1.example)
11-Oct-2021 23:27:55.879 done free_rbtdb(dom1.example)
11-Oct-2021 23:27:55.879 catz: catz_delzone_taskaction: zone 'dom1.example' deleted
11-Oct-2021 23:27:55.883 zone_shutdown: zone dom1.example/IN: shutting down
11-Oct-2021 23:27:56.027 query client=0x7b7c0001f978 thread=0x7feb78537700(dom1.example/TXT): qctx_init
11-Oct-2021 23:27:56.027 query client=0x7b7c0001f978 thread=0x7feb78537700(dom1.example/TXT): client attr:0x22300, query attr:0x700, restarts:0, origqname:dom1.example, timer:0, authdb:0, referral:0
11-Oct-2021 23:27:56.027 query client=0x7b7c0001f978 thread=0x7feb78537700(dom1.example/TXT): ns__query_start
11-Oct-2021 23:27:56.027 query client=0x7b7c0001f978 thread=0x7feb78537700(dom1.example/TXT): ns_query_done
11-Oct-2021 23:27:56.027 client @0x7b7c0001f978 10.53.0.1#34865 (dom1.example): query failed (REFUSED) for dom1.example/IN/TXT at query.c:5484
```
```
S:catz:2021-10-11T23:27:42+0000
T:catz:1:A
A:catz:System test catz
I:catz:PORTRANGE:6200 - 6299
I:catz:starting servers
I:catz:Testing adding/removing of domain in catalog zone
I:catz:checking that dom1.example. is not served by primary (1)
I:catz:Adding a domain dom1.example. to primary via RNDC (2)
I:catz:checking that dom1.example. is now served by primary (3)
I:catz:Adding domain dom1.example. to catalog1 zone (4)
I:catz:waiting for secondary to sync up (5)
I:catz:checking that dom1.example. is served by secondary (6)
I:catz:checking that zone-directory is populated (7)
I:catz:update dom1.example. (8)
I:catz:wait for secondary to be updated (9)
I:catz:failed
I:catz:check that journal was created for cleanup test (10)
I:catz:failed
```
- [x] Need to check v9.17
Milestone: November 2021 (9.16.23, 9.16.23-S1, 9.17.20)

https://gitlab.isc.org/isc-projects/bind9/-/issues/2938
CID 339072 (#1 of 1): Unchecked return value (CHECKED_RETURN)
Updated: 2023-01-09T11:11:24Z
Author: Mark Andrews
lib/dns/rpz.c:
```
2246
CID 339072 (#1 of 1): Unchecked return value (CHECKED_RETURN)
25. check_return: Calling isc_timer_reset without checking return value (as is done elsewhere 9 out of 10 times).
2247 isc_timer_reset(rpz->updatetimer, isc_timertype_inactive, NULL,
2248 NULL, true);
```
Milestone: Not planned
Assignee: Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/2935
CID 339035 (#1 of 1): Explicit null dereferenced (FORWARD_NULL)
Updated: 2021-10-14T14:17:09Z
Author: Mark Andrews
signeedsfree doesn't correctly track whether sig.signature needs to be freed.
lib/dns/dnssec.c:
```
1054failure:
11. Condition dynbuf != NULL, taking false branch.
1055 if (dynbuf != NULL) {
1056 isc_buffer_free(&dynbuf);
1057 }
12. Condition signeedsfree, taking true branch.
1058 if (signeedsfree) {
CID 339035 (#1 of 1): Explicit null dereferenced (FORWARD_NULL)
13. var_deref_model: Passing null pointer sig.signature to isc__mem_put, which dereferences it. [show details]
1059 isc_mem_put(mctx, sig.signature, sig.siglen);
1060 }
1061 if (ctx != NULL) {
1062 dst_context_destroy(&ctx);
1063 }
```
November 2021 (9.16.23, 9.16.23-S1, 9.17.20)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/2933
Bump the LLVM/clang version to 13.0
2021-10-27T11:13:14Z
Ondřej Surý
The LLVM/clang 13.0 has been released and it fixes some `clang-format` issues that I've been seeing with `clang-format-12`. This needs to be done post-release.
November 2021 (9.16.23, 9.16.23-S1, 9.17.20)

https://gitlab.isc.org/isc-projects/stork/-/issues/583
Statepuller - only one refresh at a time
2021-11-16T14:28:25Z
Slawek Figiel
tl;dr: Statepuller rarely returns HTTP 500 when updating an agent state, but it doesn't corrupt the database.
### Description
We have a hard-to-resolve race problem with updating machine state in Stork (`statepuller.go`, `GetMachineAndAppsState`). The problem occurs when Stork tries to refresh an application's state from multiple goroutines at the same time.
Refresh may be triggered by:
* On Stork start
* Periodically
* On user request
Several refresh procedures may therefore run at the same time. A refresh looks like this:
1. Get state from an agent
2. Get state from a database
3. Calculate diff
4. Apply the changes to the application
5. Apply the changes to the subnets and other data
Steps 2, 4, and 5 each run in a separate transaction. It may happen that, after one goroutine has fetched the state from the database (2) and calculated the diffs (3), another goroutine modifies the application. The calculated diffs are then incorrect. The exception is thrown from step 4, where the unique index constraints are checked.
It crashes at step 4. I tried to fix it by handling the unique constraint violation, and execution then proceeds to step 5. There are no unique indexes there, so everything passes through, but the subnets and other data are duplicated.
### Risk analysis
The problem is quite rare, as it occurs only when the state of a new agent is inserted. It also shouldn't be very dangerous, as the unique constraints protect the database against duplication of data.
But it may be a problem if somebody wants to use the Stork API in an external project (as the API unexpectedly returns HTTP 500), or it may interrupt processing in a function that calls the state update.
backlog

https://gitlab.isc.org/isc-projects/bind9/-/issues/2915
False positive with CVE-2020-8622 regression test
2022-04-07T13:14:12Z
Mark Andrews
If the timeout between successive queries has been shortened for
```
I:tsig:check that a malformed truncated response to a TSIG query is handled
```
the test can fail. The default is +time=5; if it is set to 1 (e.g. via .digrc),
named is still performing lookups when dig times out.
Not planned
Mark Andrews
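The refresh race described in the Stork statepuller issue above (issue 583: steps 1 to 5, with steps 2, 4 and 5 in separate transactions), reproduced and then closed in Go as an added example. This is not Stork's code: `Store` is a constructed in-memory stand-in for the database, the agent report is a constructed constant, and the fix shown, one puller-wide mutex held across all steps ("only one refresh at a time"), is an assumption taken from the issue title, not Stork's actual implementation. `Race` forces the unlucky interleaving deterministically with channels: without the lock the second refresh either returns the unique-constraint error (the HTTP 500) or, when that error is swallowed, duplicates the subnet rows; with the lock the stale read cannot happen.

```go
package main

import (
	"fmt"
	"sync"
)

// Store is a constructed stand-in for the Stork database (example code, not
// Stork's own): apps has a unique index, subnets has none, and each method is
// its own "transaction", as the report describes.
type Store struct {
	mu      sync.Mutex
	apps    map[string]bool
	subnets []string
}

// HasApp is step 2 of the refresh: read whether the app is already stored.
func (s *Store) HasApp(name string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.apps[name]
}

// AddApp is step 4: insert the app; the unique index rejects a second copy.
func (s *Store) AddApp(name string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.apps[name] {
		return fmt.Errorf("unique constraint violated for app %q", name)
	}
	s.apps[name] = true
	return nil
}

// AddSubnets is step 5: append subnet rows; nothing here prevents duplicates.
func (s *Store) AddSubnets(prefixes []string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.subnets = append(s.subnets, prefixes...)
}

// Step 1, the agent's report, is a constructed constant here.
const app = "kea@agent1"
var subnets = []string{"10.0.0.0/24", "10.0.1.0/24"}

// Puller models the state puller. refreshMu is the assumed fix: one lock held
// across all steps, so only one refresh runs at a time.
type Puller struct {
	store     *Store
	refreshMu sync.Mutex
}

// refreshUnlocked runs steps 2-5 with no coordination. lenient swallows the
// step-4 unique-constraint error and still runs step 5 (the attempted fix in
// the report); afterRead is a hook used below to force a stale read.
func (p *Puller) refreshUnlocked(lenient bool, afterRead func()) error {
	isNew := !p.store.HasApp(app) // steps 2 and 3: read state, compute diff
	afterRead()
	if !isNew {
		return nil
	}
	if err := p.store.AddApp(app); err != nil && !lenient { // step 4
		return err // surfaces as HTTP 500
	}
	p.store.AddSubnets(subnets) // step 5: duplicated rows when lenient
	return nil
}

// Refresh is the serialized entry point: the lock spans all steps, so the
// state read in step 2 cannot be changed by another refresh before step 5.
func (p *Puller) Refresh(lenient bool, afterRead func()) error {
	p.refreshMu.Lock()
	defer p.refreshMu.Unlock()
	return p.refreshUnlocked(lenient, afterRead)
}

// Race stages the reported interleaving: A reads (app absent), B performs a
// whole refresh, then A continues with its stale diff. With serialized set,
// A holds the refresh lock, so B cannot start until A has finished.
func Race(serialized, lenient bool) (subnetRows int, errA error) {
	p := &Puller{store: &Store{apps: map[string]bool{}}}
	refresh := p.refreshUnlocked
	if serialized {
		refresh = p.Refresh
	}
	aRead, bDone := make(chan struct{}), make(chan struct{})
	var wg sync.WaitGroup
	wg.Add(1)
	go func() { // A
		defer wg.Done()
		errA = refresh(lenient, func() {
			close(aRead)
			if !serialized { // unlocked A waits for B to commit; a locked A must not
				<-bDone
			}
		})
	}()
	<-aRead
	_ = refresh(lenient, func() {}) // B: blocks on the lock when serialized
	close(bDone)
	wg.Wait()
	return len(p.store.subnets), errA
}
```

`Race(false, false)` yields the unique-constraint error the reporter saw; `Race(false, true)` shows why tolerating that error is worse (four subnet rows instead of two); `Race(true, _)` yields two rows and no error. Keying the mutex by machine ID (a map of mutexes, or a `singleflight` group that also coalesces concurrent requests) would keep refreshes of different machines parallel while still serializing the refreshes of one machine; the global lock is just the simplest form of the same guarantee.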