ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
Updated: 2020-02-03T09:17:36Z

https://gitlab.isc.org/isc-projects/stork/-/issues/131
Detect BIND 9 control port and pid (2020-02-03T09:17:36Z, Matthijs Mekking <matthijs@isc.org>)
It was left out of 0.3
Milestone: Stork-0.4

https://gitlab.isc.org/isc-projects/stork/-/issues/130
Add rndc support (2020-02-03T09:17:40Z, Matthijs Mekking <matthijs@isc.org>)
- Add a utility function to the Stork agent to invoke rndc without having to repeat `rndc`, `-k` and the key location.
- Retrieve `rndc` credentials from the `named.conf` file.
- Create an interface for interacting with `rndc`, so that it can be replaced with an `rndc` mocking object that will be useful in unit testing.
Milestone: Stork-0.4

https://gitlab.isc.org/isc-projects/stork/-/issues/129
When switching between BIND 9 and Kea apps, app type is cached (2020-01-13T14:23:47Z, Matthijs Mekking <matthijs@isc.org>)
When switching between BIND 9 and Kea apps, the app type is cached. As a result, Kea apps are shown under BIND 9 tabs and vice versa.
Milestone: Stork-0.4

https://gitlab.isc.org/isc-projects/bind9/-/issues/1549
dnssec-keymgr --force has no effect (2021-10-05T07:21:48Z, Petr Menšík)
<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### Summary
dnssec-keymgr --force would not enforce any expected action
### BIND version used
```
BIND 9.11.14-RedHat-9.11.14-2.fc30 (Extended Support Version) <id:ea40923>
running on Linux x86_64 5.3.16-200.fc30.x86_64 #1 SMP Fri Dec 13 17:48:38 UTC 2019
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/bin/python3' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-geoip' '--with-libidn2' '--enable-openssl-hash' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-lmdb=yes' '--with-libjson' '--enable-dnstap' '--with-cmocka' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= -DDIG_SIGCHASE' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 9.2.1 20190827 (Red Hat 9.2.1-1)
compiled with OpenSSL version: OpenSSL 1.1.1d FIPS 10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d FIPS 10 Sep 2019
compiled with libxml2 version: 2.9.9
linked to libxml2 version: 20909
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
```
The same behaviour is present on current master branch as well.
### Steps to reproduce
Reported by our tester in [bug 1625957](https://bugzilla.redhat.com/show_bug.cgi?id=1625957), who expected it to enforce a new rollover.
```
dnssec-keymgr example
# /usr/sbin/dnssec-keygen -q -K . -L 3600 -a RSASHA256 -b 2048 example
# /usr/sbin/dnssec-keygen -q -K . -L 3600 -fk -a RSASHA256 -b 2048 example
ZSK=$(grep zone-signing -l Kexample* | sed -e 's/\.key$//')
dnssec-settime -K . -P -2mo -A -2mo $ZSK
dnssec-settime -K . -p all $ZSK
dnssec-keymgr example
dnssec-keymgr -f example
dnssec-settime -K . -p all $ZSK
```
### What is the current *bug* behavior?
-f has no effect.
To regenerate keys I have to delete all of them and run again.
### What is the expected *correct* behavior?
Remove -f or add the expected behavior. Expected was new key generation.
### Relevant logs and/or screenshots
### Possible fixes
`args.force` is passed into the [enforce_policy](https://gitlab.isc.org/isc-projects/bind9/blob/master/bin/python/isc/keyseries.py.in#L182) method and on to [fixseries](https://gitlab.isc.org/isc-projects/bind9/blob/master/bin/python/isc/keyseries.py.in#L60). Then it is never used: only the presence of a KSK and a ZSK is checked, times are not compared and `force` is never consulted.
- Remove the --force option if it is not useful.
- Fix the manual or the functionality and make it clearer what it is supposed to do.

https://gitlab.isc.org/isc-projects/stork/-/issues/128
UI shows kea app in Bind 9 router link (2020-06-05T06:38:33Z, Matthijs Mekking <matthijs@isc.org>)
http://localhost:8080/apps/bind9/1
In `rake docker_up`, this will show a Kea app.
Milestone: Stork-0.4

https://gitlab.isc.org/isc-projects/bind9/-/issues/1548
Pfsense Bind DNS HA cfg problem (2020-01-08T10:34:17Z, Ghost User)
Hi!
I have a problem with my BIND DNS server.
Now we are running on an HA cfg and if I change the HA to my backup node the BIND DNS is not working properly.
It looks like the cfg change sync is working, but on the secondary node the resulting zone cfg file field is empty.
I don't know why.
![pfsense_bind](/uploads/7efb0297b0370d17aac73fbf69149c32/pfsense_bind.jpg)
On the primary node it is filled.
Could some expert give me some help with this?
Thanks for the help!
bolvar

https://gitlab.isc.org/isc-projects/stork/-/issues/127
Rename app-kea-daemons-tabs (2020-02-04T13:00:12Z, Matthijs Mekking <matthijs@isc.org>)
In webui: app-kea-daemons-tabs should be renamed to app-kea-app-tab
Milestone: Stork-0.4

https://gitlab.isc.org/isc-projects/stork/-/issues/126
prepare 2 containers with agent and kea configured for HA (2020-01-10T05:06:07Z, Michal Nowikowski)
Milestone: Stork-0.3
Assignee: Michal Nowikowski

https://gitlab.isc.org/isc-projects/kea/-/issues/1081
Feature Request: Please package the Kea Migration Tool currently available as part of ISC DHCP (2020-07-08T18:55:38Z, Cathy Almond)
From Support ticket [#15806](https://support.isc.org/Ticket/Display.html?id=15806)
Packaged Kea is available.
Those migrating from ISC DHCP to packaged Kea and wanting to use the Kea Migration Tool (KeaMA) are not able to obtain a packaged version of it, even though Kea itself is available as a package.
There will be many interested in trying Kea who previously have been using an OS distribution of ISC DHCP, trying Kea with an ISC packaged version so that they don't have to build it themselves. Finding that the migration tool can only be obtained via the ISC DHCP tarball and a self-build is somewhat of an awkward surprise.
Notably, although the decision was taken originally to house the migration tool with ISC DHCP (on the basis that only users of ISC DHCP thinking about migrating to Kea would be interested in using it), the reality is more that it's only new/potential users of Kea who might be interested in using it, and of those, some will be using ISC DHCP self-builds while others will be using packaged OS vendor DHCP. Therefore I think we should look at this packaging request/suggestion as coming from the Kea side of the house, not from ISC DHCP.
Milestone: kea1.7.10

https://gitlab.isc.org/isc-projects/stork/-/issues/124
version bump up (2020-01-07T16:18:17Z, Wlodzimierz Wencel)
change version from 0.2.0 to 0.3.0
Milestone: Stork-0.3
Assignee: Wlodzimierz Wencel

https://gitlab.isc.org/isc-projects/stork/-/issues/123
Delete machine does not delete apps (2020-01-27T08:38:16Z, Matthijs Mekking <matthijs@isc.org>)
Delete machine sets a time in the `deleted` column in the database. This will no longer show the machine in the UI.
However, there is no update to the machine's applications and they will stay visible on the Dashboard.
Milestone: Stork-0.4
Assignee: Michal Nowikowski

https://gitlab.isc.org/isc-projects/stork/-/issues/122
Update documentation for Stork 0.3 HA feature (2020-01-10T10:54:30Z, Marcin Siodelski)
Issue #110 introduces High Availability monitoring for Kea. This feature requires documentation that describes how it works and what it presents. Also, the limitations have to be mentioned.
Milestone: Stork-0.3
Assignee: Marcin Siodelski

https://gitlab.isc.org/isc-projects/bind9/-/issues/1547
Out-of-tree build fails with uverr2result.c:15:10: fatal error: isc/platform.h: No such file or directory (2020-01-09T09:24:41Z, Michal Nowak)
Out-of-tree build fails with:
```
libtool: compile: gcc -include /builds/isc-projects/bind9/workspace/config.h -I/builds/isc-projects/bind9/workspace -I../../../.. -I../../../../lib/isc/netmgr/../include -I../../../../lib/isc/netmgr/../unix/include -I../../../../lib/isc/netmgr/../pthreads/include -I../../../../lib/isc/netmgr/.. -I/usr/include/json-c -I/usr/include/libxml2 -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -fno-omit-frame-pointer -fno-optimize-sibling-calls -O1 -g -Wall -Wextra -O3 -pthread -I/usr/include/google -fPIC -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -Wno-missing-field-initializers -fno-strict-aliasing -Wshadow -Werror -c ../../../../lib/isc/netmgr/tcp.c -fPIC -DPIC -o .libs/tcp.o
../../../../lib/isc/netmgr/uverr2result.c:15:10: fatal error: isc/platform.h: No such file or directory
15 | #include <isc/platform.h>
| ^~~~~~~~~~~~~~~~
compilation terminated.
make[3]: *** [Makefile:185: uverr2result.lo] Error 1
In file included from ../../../../lib/isc/netmgr/../include/isc/buffer.h:105,
from ../../../../lib/isc/netmgr/udp.c:16:
../../../../lib/isc/netmgr/../include/isc/assertions.h:20:10: fatal error: isc/platform.h: No such file or directory
20 | #include <isc/platform.h>
| ^~~~~~~~~~~~~~~~
compilation terminated.
make[3]: *** [Makefile:185: udp.lo] Error 1
In file included from ../../../../lib/isc/netmgr/../include/isc/buffer.h:105,
from ../../../../lib/isc/netmgr/tcpdns.c:16:
../../../../lib/isc/netmgr/../include/isc/assertions.h:20:10: fatal error: isc/platform.h: No such file or directory
20 | #include <isc/platform.h>
| ^~~~~~~~~~~~~~~~
compilation terminated.
In file included from ../../../../lib/isc/netmgr/../include/isc/buffer.h:105,
from ../../../../lib/isc/netmgr/netmgr.c:17:
../../../../lib/isc/netmgr/../include/isc/assertions.h:20:10: fatal error: isc/platform.h: No such file or directory
20 | #include <isc/platform.h>
| ^~~~~~~~~~~~~~~~
compilation terminated.
In file included from ../../../../lib/isc/netmgr/../include/isc/buffer.h:105,
from ../../../../lib/isc/netmgr/tcp.c:17:
../../../../lib/isc/netmgr/../include/isc/assertions.h:20:10: fatal error: isc/platform.h: No such file or directory
20 | #include <isc/platform.h>
| ^~~~~~~~~~~~~~~~
compilation terminated.
make[3]: *** [Makefile:185: tcpdns.lo] Error 1
make[3]: *** [Makefile:185: tcp.lo] Error 1
make[3]: *** [Makefile:185: netmgr.lo] Error 1
make[3]: Target 'all' not remade because of errors.
make[3]: Leaving directory '/builds/isc-projects/bind9/workspace/lib/isc/netmgr'
make[2]: *** [Makefile:212: subdirs] Error 1
```
We had a similar one recently in the 9.14 branch: https://gitlab.isc.org/isc-projects/bind9/issues/1530.
Milestone: January 2020 (9.11.15, 9.14.10, 9.15.8, 9.11.15-S)
Assignee: Michal Nowak

https://gitlab.isc.org/isc-projects/bind9/-/issues/1546
Add out-of-tree build to CI (2020-01-09T09:43:43Z, Michal Nowak)
It seems that all our CI build jobs build BIND while in its sources, hence https://gitlab.isc.org/isc-projects/bind9/issues/1530 was present for some time and only identified when the BIND package was being updated in distributions, which happened to build out-of-tree.
We should add an out-of-tree build job to the CI.
Milestone: January 2020 (9.11.15, 9.14.10, 9.15.8, 9.11.15-S)
Assignee: Michal Nowak

https://gitlab.isc.org/isc-projects/bind9/-/issues/1545
Missing test for dnssec-policy CDNSKEY publication (2020-03-09T08:21:36Z, Matthijs Mekking <matthijs@isc.org>)
There is a test for CDS publication and removal; add a similar one for CDNSKEY.
Milestone: February 2020 (9.11.16, 9.14.11, 9.16.0, 9.16.0-S)

https://gitlab.isc.org/isc-projects/bind9/-/issues/1544
dnssec-keymgr fails with "Publish time for key is already past", for successor keys after their publish time (2021-10-05T07:21:35Z, Graham Clinch)
### Summary
dnssec-keymgr fails with "Publish time for key X is already past" for successor keys that are after their Publish time (perhaps between their Publish and Activate times?)
### BIND version used
```
BIND 9.14.9 (Stable Release) <id:623e23e>
running on Darwin x86_64 19.2.0 Darwin Kernel Version 19.2.0: Sat Nov 9 03:47:04 PST 2019; root:xnu-6153.61.1~20/RELEASE_X86_64
built by make with '--prefix=/usr/local/Cellar/bind/9.14.9' '--with-openssl=/usr/local/opt/openssl@1.1' '--with-libjson=/usr/local/opt/json-c' '--with-python=/usr/local/opt/python/bin/python3' '--with-python-install-dir=/usr/local/Cellar/bind/9.14.9/libexec/vendor/lib/python3.7/site-packages' '--without-lmdb' 'CC=clang' 'PKG_CONFIG_PATH=/usr/local/opt/json-c/lib/pkgconfig:/usr/local/opt/openssl@1.1/lib/pkgconfig:/usr/local/opt/readline/lib/pkgconfig:/usr/local/opt/sqlite/lib/pkgconfig:/usr/local/opt/xz/lib/pkgconfig:/usr/local/opt/python/lib/pkgconfig' 'PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig:/usr/local/Homebrew/Library/Homebrew/os/mac/pkgconfig/10.15'
compiled by CLANG 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.16)
compiled with OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
threads support is enabled
default paths:
named configuration: /usr/local/Cellar/bind/9.14.9/etc/named.conf
rndc configuration: /usr/local/Cellar/bind/9.14.9/etc/rndc.conf
DNSSEC root key: /usr/local/Cellar/bind/9.14.9/etc/bind.keys
nsupdate session key: /usr/local/Cellar/bind/9.14.9/var/run/named/session.key
named PID file: /usr/local/Cellar/bind/9.14.9/var/run/named/named.pid
named lock file: /usr/local/Cellar/bind/9.14.9/var/run/named/named.lock
```
### Steps to reproduce
Start in an empty directory, create a key, move its publication and activation times before the roll-period (simulating importing keys created a long time ago), and run dnssec-keymgr again to create the successor key:
```
$ dnssec-keymgr -z example.net
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-keygen -q -K . -L 3600 -a RSASHA256 -b 2048 example.net
$ dnssec-settime -P 20150101 -A 20150101 Kexample.net.+008+35355
./Kexample.net.+008+35355.key
./Kexample.net.+008+35355.private
$ dnssec-keymgr -z
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-settime -K . -I 20200204231440 -D 20200305231440 Kexample.net.+008+35355
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-keygen -q -K . -S Kexample.net.+008+35355 -L 3600 -i 2592000
$ dnssec-coverage
WARNING: Maximum TTL value was not specified. Using 1 week
(604800 seconds); re-run with the -m option to get more
accurate results.
PHASE 1--Loading keys to check for internal timing problems
PHASE 2--Scanning future key events for coverage failures
Checking scheduled KSK events for zone example.net, algorithm RSASHA256...
ERROR: No KSK events found
Checking scheduled ZSK events for zone example.net, algorithm RSASHA256...
Thu Jan 01 00:00:00 UTC 2015:
Publish: example.net/RSASHA256/35355 (ZSK)
Activate: example.net/RSASHA256/35355 (ZSK)
Sun Jan 05 23:14:40 UTC 2020:
Publish: example.net/RSASHA256/30624 (ZSK)
Tue Feb 04 23:14:40 UTC 2020:
Activate: example.net/RSASHA256/30624 (ZSK)
Inactive: example.net/RSASHA256/35355 (ZSK)
Thu Mar 05 23:14:40 UTC 2020:
Delete: example.net/RSASHA256/35355 (ZSK)
No errors found
$ date
Sun 5 Jan 2020 23:09:45 GMT
$
```
Wait until after the publish time, then call dnssec-keymgr again:
```
$ date
Sun 5 Jan 2020 23:15:09 GMT
$ dnssec-keymgr -z
Unable to apply policy: example.net/RSASHA256: Publish time for key example.net/RSASHA256/30624 (1578266080) is already past
$ echo $?
1
$
```
### What is the current *bug* behavior?
dnssec-keymgr fails to complete.
### What is the expected *correct* behavior?
dnssec-keymgr completes successfully (no actions are required of it for this zone).
### Relevant configuration files
None
### Relevant logs and/or screenshots
None
### Possible fixes
Unknown

https://gitlab.isc.org/isc-projects/bind9/-/issues/1543
dnssec-keymgr, if called frequently, may repeatedly move successor key publication/activation times forward (2023-03-16T11:03:08Z, Graham Clinch)
### Summary
Calling dnssec-keymgr every five minutes or more rapidly will cause any successor keys' publication/activation times to move indefinitely forward, preventing the rollover from occurring.
I believe this is a regression caused by the fix for GL #848 "dnssec-keymgr: Add a five-minute margin to better handle key events close to 'now'".
### BIND version used
```
$ named -V
BIND 9.14.9 (Stable Release) <id:623e23e>
running on Darwin x86_64 19.2.0 Darwin Kernel Version 19.2.0: Sat Nov 9 03:47:04 PST 2019; root:xnu-6153.61.1~20/RELEASE_X86_64
built by make with '--prefix=/usr/local/Cellar/bind/9.14.9' '--with-openssl=/usr/local/opt/openssl@1.1' '--with-libjson=/usr/local/opt/json-c' '--with-python=/usr/local/opt/python/bin/python3' '--with-python-install-dir=/usr/local/Cellar/bind/9.14.9/libexec/vendor/lib/python3.7/site-packages' '--without-lmdb' 'CC=clang' 'PKG_CONFIG_PATH=/usr/local/opt/json-c/lib/pkgconfig:/usr/local/opt/openssl@1.1/lib/pkgconfig:/usr/local/opt/readline/lib/pkgconfig:/usr/local/opt/sqlite/lib/pkgconfig:/usr/local/opt/xz/lib/pkgconfig:/usr/local/opt/python/lib/pkgconfig' 'PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig:/usr/local/Homebrew/Library/Homebrew/os/mac/pkgconfig/10.15'
compiled by CLANG 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.16)
compiled with OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
threads support is enabled
default paths:
named configuration: /usr/local/Cellar/bind/9.14.9/etc/named.conf
rndc configuration: /usr/local/Cellar/bind/9.14.9/etc/rndc.conf
DNSSEC root key: /usr/local/Cellar/bind/9.14.9/etc/bind.keys
nsupdate session key: /usr/local/Cellar/bind/9.14.9/var/run/named/session.key
named PID file: /usr/local/Cellar/bind/9.14.9/var/run/named/named.pid
named lock file: /usr/local/Cellar/bind/9.14.9/var/run/named/named.lock
$
```
### Steps to reproduce
Start in an empty directory, create keys for a zone, then move the ZSK's publication and activation times before the roll-period (simulating importing keys created a long time ago):
```
$ dnssec-keymgr example.net
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-keygen -q -K . -L 3600 -a RSASHA256 -b 2048 example.net
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-keygen -q -K . -L 3600 -fk -a RSASHA256 -b 2048 example.net
$ fgrep signing *.key
Kexample.net.+008+39648.key:; This is a zone-signing key, keyid 39648, for example.net.
Kexample.net.+008+61345.key:; This is a key-signing key, keyid 61345, for example.net.
$ dnssec-settime -P 20150101 -A 20150101 Kexample.net.+008+39648
./Kexample.net.+008+39648.key
./Kexample.net.+008+39648.private
```
Run dnssec-keymgr to see a successor key created, then repeatedly run dnssec-keymgr to see the old key's inactivation and deletion times and the new key's publication and activation times move forward on each call:
```
$ dnssec-keymgr
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-settime -K . -I 20200204224432 -D 20200305224432 Kexample.net.+008+39648
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-keygen -q -K . -S Kexample.net.+008+39648 -L 3600 -i 2592000
$ dnssec-keymgr
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-settime -K . -I 20200204224440 -D 20200305224440 Kexample.net.+008+39648
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-settime -K . -P 20200105224440 -A 20200204224440 Kexample.net.+008+46923
$ dnssec-keymgr
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-settime -K . -I 20200204224445 -D 20200305224445 Kexample.net.+008+39648
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-settime -K . -P 20200105224445 -A 20200204224445 Kexample.net.+008+46923
$ dnssec-keymgr
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-settime -K . -I 20200204224450 -D 20200305224450 Kexample.net.+008+39648
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-settime -K . -P 20200105224450 -A 20200204224450 Kexample.net.+008+46923
$ dnssec-keymgr
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-settime -K . -I 20200204224455 -D 20200305224455 Kexample.net.+008+39648
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-settime -K . -P 20200105224455 -A 20200204224455 Kexample.net.+008+46923
$
```
### What is the current *bug* behavior?
Frequent calls to dnssec-keymgr cause key times to be continuously pushed into the future, causing keys to never roll.
### What is the expected *correct* behavior?
Frequent calls to dnssec-keymgr should not interfere with key timing.
### Relevant configuration files
None
### Relevant logs and/or screenshots
None
### Possible fixes
Unclear
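Both reports above, #1544 ("Publish time ... is already past") and #1543 (times pushed forward on every run), are about how a rollover planner anchors its schedule to the current time. The Python below is an added illustration, not the dnssec-keymgr code: it models the two symptoms as a planner that re-anchors at "now" on every run and a check that rejects a Publish time in the past, and puts an idempotent planner beside them that anchors at the successor's recorded Publish time, accepts past publication as an event that has simply happened, and ignores differences within the five-minute margin from GL #848. The Key record, the one-year lifetime, the naive functions and the error text are assumptions chosen to mirror the transcripts; the 30-day prepublication and deletion intervals are the ones visible in them.

```python
"""Constructed model of a ZSK rollover planner; not ISC's keymgr code."""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

# Assumed intervals, chosen to mirror the transcripts above (seconds).
MARGIN = 5 * 60            # tolerance for events close to "now" (GL #848)
LIFETIME = 365 * 86400     # assumed ZSK roll period
PREPUBLISH = 30 * 86400    # successor is published this long before activation (keygen -i 2592000)
POSTPUBLISH = 30 * 86400   # old key is deleted this long after going inactive
START = 1578264272         # 2020-01-05T22:44:32Z, the first run in the #1543 transcript


@dataclass(frozen=True)
class Key:
    keyid: int
    publish: int
    activate: int
    inactive: Optional[int] = None
    delete: Optional[int] = None


class PolicyError(Exception):
    """The planner refused to apply the policy (the #1544 symptom)."""


def plan_naive(old: Key, succ: Optional[Key], now: int) -> Tuple[Key, Key]:
    """Push-forward model (#1543): the rollover is re-anchored at `now` on every
    run, so each call moves Inactive/Delete of the old key and Publish/Activate
    of the successor forward by the time elapsed since the previous call."""
    roll_at = max(old.activate + LIFETIME, now + PREPUBLISH)
    succ_id = succ.keyid if succ is not None else old.keyid + 1
    return (replace(old, inactive=roll_at, delete=roll_at + POSTPUBLISH),
            Key(succ_id, publish=roll_at - PREPUBLISH, activate=roll_at))


def check_publish_naive(succ: Key, now: int) -> None:
    """Error model (#1544): a successor whose Publish time is behind `now` is
    rejected, although that only means the key is already in the zone."""
    if succ.publish < now:
        raise PolicyError(
            f"Publish time for key {succ.keyid} ({succ.publish}) is already past")


def plan_stable(old: Key, succ: Optional[Key], now: int) -> Tuple[Key, Key, bool]:
    """Idempotent planner: once a successor exists, the rollover is anchored at its
    recorded Publish time rather than at `now`, so repeated runs converge. A past
    Publish time is fine; only Publish after Activate is an error. Differences of
    at most MARGIN are left alone. Returns (old, successor, changed)."""
    if succ is None:
        # First run: publish a successor now; activate it when the old key's
        # lifetime ends, but no sooner than PREPUBLISH from now.
        roll_at = max(old.activate + LIFETIME, now + PREPUBLISH)
        new_old = replace(old, inactive=roll_at, delete=roll_at + POSTPUBLISH)
        return new_old, Key(old.keyid + 1, publish=now, activate=roll_at), True
    if succ.publish > succ.activate:
        raise PolicyError(f"key {succ.keyid}: Publish is after Activate")
    roll_at = max(old.activate + LIFETIME, succ.publish + PREPUBLISH)
    if (old.inactive is not None and abs(old.inactive - roll_at) <= MARGIN
            and abs(succ.activate - roll_at) <= MARGIN):
        return old, succ, False            # schedule already satisfies the policy
    new_old = replace(old, inactive=roll_at, delete=roll_at + POSTPUBLISH)
    return new_old, replace(succ, activate=roll_at), True


def inactive_history(planner: Callable, old: Key, start: int,
                     interval: int, runs: int) -> List[int]:
    """Run `planner` `runs` times, `interval` seconds apart, and return the old
    key's Inactive time after each run. A stable planner yields a constant list."""
    succ, history = None, []
    for i in range(runs):
        result = planner(old, succ, start + i * interval)
        old, succ = result[0], result[1]
        history.append(old.inactive)
    return history


if __name__ == "__main__":
    zsk = Key(39648, publish=1420070400, activate=1420070400)  # "imported" in 2015
    print("naive :", inactive_history(plan_naive, zsk, START, 5, 4))
    print("stable:", inactive_history(plan_stable, zsk, START, 5, 4))
```

Run the block to print the old key's Inactive time after four runs five seconds apart: the naive list climbs by five seconds per run, the stable list is constant. The property worth testing in any such tool is exactly this one: planning twice, with only wall-clock time changing, must produce the same key events.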
https://gitlab.isc.org/isc-projects/bind9/-/issues/1542
Silent failure of build when creating a new RR Type if CODE is out of range (2021-10-27T13:18:43Z, Ghost User)
### Summary
If you are attempting to add a new RR_TYPE and select a number greater than 65535 (which you shouldn't and in my case was a typo of 65635) then it appears to build but silently ignores the new type
### BIND version used
BIND 9.15.7 (Development Release) <id:993633ad96>
running on Linux x86_64 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019
built by make with defaults
### Steps to reproduce
Add a new RR type with an invalid number
### What is the current *bug* behavior?
Code appears to successfully build but does not include the new type
### What is the expected *correct* behavior?
Should issue an error that the code is out of range.
Milestone: November 2021 (9.16.23, 9.16.23-S1, 9.17.20)

https://gitlab.isc.org/isc-projects/bind9/-/issues/1541
dnssec-coverage and dnssec-keymgr do not understand escaped filename format used by dnssec-keygen (2021-10-05T07:17:15Z, Graham Clinch)
### Summary
dnssec-keygen can generate filenames with escaped characters (e.g. '%2F'), which dnssec-coverage and dnssec-keymgr do not identify as related to a zone they are working on.
### BIND version used
BIND 9.14.8 (Stable Release) <id:5d87f66>
running on Darwin x86_64 19.2.0 Darwin Kernel Version 19.2.0: Sat Nov 9 03:47:04 PST 2019; root:xnu-6153.61.1~20/RELEASE_X86_64
built by make with '--prefix=/usr/local/Cellar/bind/9.14.8' '--with-openssl=/usr/local/opt/openssl@1.1' '--with-libjson=/usr/local/opt/json-c' '--with-python=/usr/local/opt/python/bin/python3' '--with-python-install-dir=/usr/local/Cellar/bind/9.14.8/libexec/vendor/lib/python3.7/site-packages' '--without-lmdb' 'CC=clang' 'PKG_CONFIG_PATH=/usr/local/opt/json-c/lib/pkgconfig:/usr/local/opt/openssl@1.1/lib/pkgconfig:/usr/local/opt/readline/lib/pkgconfig:/usr/local/opt/sqlite/lib/pkgconfig:/usr/local/opt/xz/lib/pkgconfig:/usr/local/opt/python/lib/pkgconfig' 'PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig:/usr/local/Homebrew/Library/Homebrew/os/mac/pkgconfig/10.15'
compiled by CLANG 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.12)
compiled with OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
threads support is enabled
default paths:
named configuration: /usr/local/Cellar/bind/9.14.8/etc/named.conf
rndc configuration: /usr/local/Cellar/bind/9.14.8/etc/rndc.conf
DNSSEC root key: /usr/local/Cellar/bind/9.14.8/etc/bind.keys
nsupdate session key: /usr/local/Cellar/bind/9.14.8/var/run/named/session.key
named PID file: /usr/local/Cellar/bind/9.14.8/var/run/named/named.pid
named lock file: /usr/local/Cellar/bind/9.14.8/var/run/named/named.lock
### Steps to reproduce
Assume two reverse zones - one using RFC 2317 style names containing a '/':
- c.b.a.in-addr.arpa
- d/len.c.b.a.in-addr.arpa
#### dnssec-coverage
Run dnssec-keygen in an empty directory, and list the resulting files:
```
$ dnssec-keygen -a RSASHA256 c.b.a.in-addr.arpa
Generating key pair.......+++++ ..........................+++++
Kc.b.a.in-addr.arpa.+008+35658
$ dnssec-keygen -a RSASHA256 d/len.c.b.a.in-addr.arpa
Generating key pair..............................................+++++ ..........+++++
Kd%2Flen.c.b.a.in-addr.arpa.+008+08751
$ ls -1
Kc.b.a.in-addr.arpa.+008+35658.key
Kc.b.a.in-addr.arpa.+008+35658.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+08751.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+08751.private
$
```
Notice the filename does not contain the literal '/' character.
Run dnssec-coverage:
```
$ dnssec-coverage c.b.a.in-addr.arpa
WARNING: Maximum TTL value was not specified. Using 1 week
(604800 seconds); re-run with the -m option to get more
accurate results.
PHASE 1--Loading keys to check for internal timing problems
PHASE 2--Scanning future key events for coverage failures
Checking scheduled KSK events for zone c.b.a.in-addr.arpa, algorithm RSASHA256...
ERROR: No KSK events found
Checking scheduled ZSK events for zone c.b.a.in-addr.arpa, algorithm RSASHA256...
Sat Jan 04 14:59:00 UTC 2020:
Publish: c.b.a.in-addr.arpa/RSASHA256/35658 (ZSK)
Activate: c.b.a.in-addr.arpa/RSASHA256/35658 (ZSK)
No errors found
$ dnssec-coverage d/len.c.b.a.in-addr.arpa
WARNING: Maximum TTL value was not specified. Using 1 week
(604800 seconds); re-run with the -m option to get more
accurate results.
PHASE 1--Loading keys to check for internal timing problems
PHASE 2--Scanning future key events for coverage failures
ERROR: No key events found for d/len.c.b.a.in-addr.arpa
$
```
dnssec-coverage does not discover the files for d/len.c.b.a.in-addr.arpa.
#### dnssec-keymgr
Run dnssec-keymgr in an empty directory, and list the resulting files:
```
$ dnssec-keymgr c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -a RSASHA256 -b 2048 c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -fk -a RSASHA256 -b 2048 c.b.a.in-addr.arpa
$ dnssec-keymgr d/len.c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -a RSASHA256 -b 2048 d/len.c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -fk -a RSASHA256 -b 2048 d/len.c.b.a.in-addr.arpa
$ ls -1
Kc.b.a.in-addr.arpa.+008+31185.key
Kc.b.a.in-addr.arpa.+008+31185.private
Kc.b.a.in-addr.arpa.+008+50407.key
Kc.b.a.in-addr.arpa.+008+50407.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+48886.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+48886.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+58401.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+58401.private
$
```
Run dnssec-keymgr again, and list the resulting files:
```
$ dnssec-keymgr c.b.a.in-addr.arpa
$ dnssec-keymgr d/len.c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -a RSASHA256 -b 2048 d/len.c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -fk -a RSASHA256 -b 2048 d/len.c.b.a.in-addr.arpa
$ ls -1
Kc.b.a.in-addr.arpa.+008+31185.key
Kc.b.a.in-addr.arpa.+008+31185.private
Kc.b.a.in-addr.arpa.+008+50407.key
Kc.b.a.in-addr.arpa.+008+50407.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+36084.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+36084.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+48886.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+48886.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+58401.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+58401.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+65392.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+65392.private
$
```
dnssec-keymgr does not discover the files for d/len.c.b.a.in-addr.arpa, so it calls keygen again.
### What is the current *bug* behavior?
dnssec-coverage and dnssec-keymgr do not discover existing files whose name on the filesystem has been generated by encoding/escaping the zone name.
### What is the expected *correct* behavior?
dnssec-coverage and dnssec-keymgr should perform the same escaping/encoding of zone names as dnssec-keygen does, before searching the filesystem.
### Relevant configuration files
None
### Relevant logs and/or screenshots
None
### Possible fixes
Unknown

https://gitlab.isc.org/isc-projects/bind9/-/issues/1540
bind 9.14.8 and 9.14.9 aborts when queried for non-existing domain in chaos class
2020-01-22T20:24:48Z Ghost User
### Summary
Bind 9.14.8 and 9.14.9 get killed by signal 6 (SIGABRT on FreeBSD) due to an assertion in name.c:2174 when queried for any non-existing RR in the CH class, if you have manually configured a CHAOS view in named.conf.
### BIND version used
```
BIND 9.14.9 (Stable Release) <id:623e23e>
running on FreeBSD amd64 12.1-RELEASE-p1 FreeBSD 12.1-RELEASE-p1 GENERIC
built by make with '--localstatedir=/var' '--disable-linux-caps' '--with-libxml2=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlopen=yes' '--with-openssl=/usr' '--sysconfdir=/usr/local/etc/namedb' '--disable-dnstap' '--disable-fixed-rrset' '--without-geoip2' '--without-gssapi' '--with-libidn2=/usr/local' '--without-libjson' '--disable-largefile' '--without-lmdb' '--disable-native-pkcs11' '--without-python' '--disable-querytrace' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-tcp-fastopen' '--with-tuning=large' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.1' 'build_alias=amd64-portbld-freebsd12.1' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
compiled by CLANG 4.2.1 Compatible FreeBSD Clang 8.0.1 (tags/RELEASE_801/final 366581)
compiled with OpenSSL version: OpenSSL 1.1.1d-freebsd 10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d-freebsd 10 Sep 2019
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
default paths:
named configuration: /usr/local/etc/namedb/named.conf
rndc configuration: /usr/local/etc/namedb/rndc.conf
DNSSEC root key: /usr/local/etc/namedb/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/pid
named lock file: /var/run/named/named.lock
```
### Steps to reproduce
`dig @<IP-ADDRESS-OF-NAMESERVER> id.server txt ch`
`dig @<IP-ADDRESS-OF-NAMESERVER> foo.bar soa ch`
### What is the current *bug* behavior?
The named process gets killed due to the assertion.
### What is the expected *correct* behavior?
named should not crash, and should reply with NXDOMAIN.
### Relevant configuration files
named.conf:
```
options {
	// All file and path names are relative to the chroot directory,
	// if any, and should be fully qualified.
	directory "/etc/namedb/working";
	pid-file "/var/run/named/pid";
	dump-file "/var/dump/named_dump.db";
	statistics-file "/var/stats/named.stats";
	memstatistics-file "/var/stats/named.memstats";
	zone-statistics yes;
	listen-on { any; };
	listen-on-v6 { any; };
	disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
	disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
	disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
	allow-query { any; };
	allow-query-cache { any; };
	allow-recursion { any; };
	allow-transfer { none; };
	max-cache-size 1024M;
};

view "in" IN {
	zone "." { type hint; file "/etc/namedb/named.root"; };
};

// The CHAOS view whose presence triggers the assertion on a query for a
// non-existing name in class CH.
view "chaos" CHAOS {
	zone "bind" CHAOS {
		type master;
		file "/etc/namedb/bind.chaos";
	};
};
```
/etc/namedb/bind.chaos:
```
$TTL 3600
@ CHAOS SOA @ @ 1970010100 86400 600 86400 300
@ CHAOS NS @
version CHAOS TXT "Felix' DNS Server V0.1"
hostname CHAOS TXT "there.is.no.hostname"
```
### Relevant logs and/or screenshots
```
04-Jan-2020 07:32:34.140 general: critical: name.c:2174: REQUIRE(source->length > 0) failed, back trace
04-Jan-2020 07:32:34.140 general: critical: #0 0x2c0ff0 in ??
04-Jan-2020 07:32:34.140 general: critical: #1 0x49686a in ??
04-Jan-2020 07:32:34.140 general: critical: #2 0x37f28b in ??
04-Jan-2020 07:32:34.140 general: critical: #3 0x3e5fb1 in ??
04-Jan-2020 07:32:34.140 general: critical: #4 0x3043e2 in ??
04-Jan-2020 07:32:34.140 general: critical: #5 0x307c07 in ??
04-Jan-2020 07:32:34.140 general: critical: #6 0x303ed0 in ??
04-Jan-2020 07:32:34.140 general: critical: #7 0x3025b0 in ??
04-Jan-2020 07:32:34.140 general: critical: #8 0x306393 in ??
04-Jan-2020 07:32:34.140 general: critical: #9 0x2f9058 in ??
04-Jan-2020 07:32:34.140 general: critical: #10 0x4b2662 in ??
04-Jan-2020 07:32:34.140 general: critical: #11 0x800a38736 in ??
04-Jan-2020 07:32:34.140 general: critical: exiting (due to assertion failure)
```
### Possible fixes
Use server-id, version, and hostname in the global options section of named.conf.

February 2020 (9.11.16, 9.14.11, 9.16.0, 9.16.0-S)