ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
2021-01-08T13:29:07Z

https://gitlab.isc.org/isc-projects/bind9/-/issues/2355
Incorrect increment of inactive in rbtdb.c:maybe_free_rbtdb()
2021-01-08T13:29:07Z
Mark Andrews

It is possible to have two threads destroying an rbtdb at the same time when detachnode() executes and removes the last reference to a node between exiting being set to true for the node and testing if the references are zero in maybe_free_rbtdb().
```
Thread 18 (Thread 80113ef00 (LWP 100776/<unknown>)):
#0 0x0000000800d5843a in _umtx_op () from /home/support/XXXXXXX/lib/libc.so.7
#1 0x0000000800c7e9dd in pthread_mutex_unlock () from /home/support/XXXXXXX/lib/libthr.so.3
#2 0x00000000006c31ba in task_ready (task=0x805272c80) at task.c:424
#3 0x00000000006c3412 in isc_task_sendto (task0=0x805272c80, eventp=0x7fffdfdfc208, c=1) at task.c:570
#4 0x00000000006c3232 in isc_task_send (task0=0x805272c80, eventp=0x7fffdfdfc208) at task.c:517
#5 0x0000000000491e72 in free_rbtdb (rbtdb=0x827229aa0, log=true, event=0x0) at rbtdb.c:1122
#6 0x000000000049760f in detachnode (db=0x827229aa0, targetp=0x7fffdfdfcaa0) at rbtdb.c:5477
#7 0x00000000004a0cdf in rdataset_disassociate (rdataset=0x82f4d2f48) at rbtdb.c:8816
#8 0x00000000005452bd in dns_rdataset_disassociate (rdataset=0x82f4d2f48) at rdataset.c:111
#9 0x0000000000441c40 in msgresetnames (msg=0x82f4c74a0, first_section=0) at message.c:465
#10 0x000000000043b95d in msgreset (msg=0x82f4c74a0, everything=false) at message.c:551
#11 0x000000000043b907 in dns_message_reset (msg=0x82f4c74a0, intent=1) at message.c:779
#12 0x000000000036a02d in ns_client_endrequest (client=0x82ecd8b60) at client.c:229
#13 0x0000000000369a2c in ns__client_reset_cb (client0=0x82ecd8b60) at client.c:1536
#14 0x00000000006a67a6 in isc_nmhandle_detach (handlep=0x7fffdfdfcc58) at netmgr.c:1261
#15 0x00000000006a7552 in isc__nm_uvreq_put (req0=0x7fffdfdfcc98, sock=0x83b1e1a00) at netmgr.c:1393
#16 0x00000000006b073f in tcpdnssend_cb (handle=0x83b98aa00, result=54, cbarg=0x83e174800) at tcpdns.c:539
#17 0x00000000006adbc9 in tcp_send_cb (req=0x82fbaf278, status=-32) at tcp.c:1024
#18 0x0000000800c3edcc in uv__stream_destroy () from /home/support/XXXXXXX/usr/local/lib/libuv.so.1
#19 0x0000000800c3e717 in uv__stream_init () from /home/support/XXXXXXX/usr/local/lib/libuv.so.1
#20 0x0000000800c341eb in uv_run () from /home/support/XXXXXXX/usr/local/lib/libuv.so.1
#21 0x00000000006a28df in nm_thread (worker0=0x8011e93a8) at netmgr.c:488
#22 0x0000000800c76736 in pthread_create () from /home/support/XXXXXXX/lib/libthr.so.3
#23 0x0000000000000000 in ?? ()
Thread 12 (Thread 801140d00 (LWP 100782/<unknown>)):
#0 0x0000000800e4f1ba in thr_kill () from /home/support/XXXXXXX/lib/libc.so.7
#1 0x0000000800e4d5e4 in raise () from /home/support/XXXXXXX/lib/libc.so.7
#2 0x0000000800dc17e9 in abort () from /home/support/XXXXXXX/lib/libc.so.7
#3 0x0000000000300f21 in assertion_failed (file=0x252469 "rbtdb.c", line=1146, type=isc_assertiontype_require, cond=0x28ef26 "isc_refcount_current(&rbtdb->node_locks[i].references) == 0") at main.c:261
#4 0x000000000067dd18 in isc_assertion_failed (file=0x252469 "rbtdb.c", line=1146, type=isc_assertiontype_require, cond=0x28ef26 "isc_refcount_current(&rbtdb->node_locks[i].references) == 0") at assertions.c:46
#5 0x000000000049207c in free_rbtdb (rbtdb=0x827229aa0, log=true, event=0x0) at rbtdb.c:1146
#6 0x00000000004b16de in free_rbtdb_callback (task=0x805272c80, event=0x836d08768) at rbtdb.c:843
#7 0x00000000006ca483 in dispatch (manager=0x801d5c780, threadid=1) at task.c:1152
#8 0x00000000006c5ed1 in run (queuep=0x801d5d7c8) at task.c:1344
#9 0x0000000800c76736 in pthread_create () from /home/support/XXXXXXX/lib/libthr.so.3
#10 0x0000000000000000 in ?? ()
```

January 2021 (9.11.27, 9.11.27-S1, 9.16.11, 9.16.11-S1, 9.17.9)

https://gitlab.isc.org/isc-projects/kea/-/issues/1637
Unnecessarily enforced -Werror in perfdhcp Makefiles
2021-01-08T13:09:40Z
Andrei Pavel andrei@isc.org

Noticed a compilation error on FreeBSD which was caused by these fringe `-Werror`s. They are the only ones out of all the `Makefile.am`s.
```
src/bin/perfdhcp/Makefile.am
6:AM_CPPFLAGS += -Werror
src/bin/perfdhcp/tests/Makefile.am
7:AM_CPPFLAGS += -Werror
```
I suggest removing them. The proper way to enable `-Werror` is `--with-werror` which enables it everywhere.

kea1.9.4
Andrei Pavel andrei@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/issues/2366
BIND 9.16.10 build fails with libmaxminddb-1.4.3
2021-01-08T11:54:20Z
Greg Rabil

Having compile problems when building BIND 9.16.10 on CentOS 7 with support for GeoIP using MaxMindDB 1.4.3:
```
./configure --with-openssl=/opt/bind916/openssl --with-maxminddb=/opt/bind916/maxminddb
make
<...snip...>
gcc -std=gnu99 -g -O2 -pthread -fPIC -Wl,--export-dynamic -o resolve \
resolve.o ../irs/libirs.a ../dns/libdns.a -L/opt/bind916/maxminddb/lib ../isccfg/libisccfg.a ../isc/libisc.a -L/opt/bind916/openssl/lib -lcrypto -lxml2 -lz -L/opt/bind916/libuv/lib -luv -ldl -ldl
../dns/libdns.a(geoip2.o): In function `get_entry_for':
/opt/work3/bind-9.16.10/lib/dns/geoip2.c:96: undefined reference to `MMDB_lookup_sockaddr'
../dns/libdns.a(geoip2.o): In function `dns_geoip_match':
/opt/work3/bind-9.16.10/lib/dns/geoip2.c:368: undefined reference to `MMDB_get_value'
/opt/work3/bind-9.16.10/lib/dns/geoip2.c:345: undefined reference to `MMDB_get_value'
/opt/work3/bind-9.16.10/lib/dns/geoip2.c:328: undefined reference to `MMDB_get_value'
/opt/work3/bind-9.16.10/lib/dns/geoip2.c:304: undefined reference to `MMDB_get_value'
/opt/work3/bind-9.16.10/lib/dns/geoip2.c:296: undefined reference to `MMDB_get_value'
collect2: error: ld returned 1 exit status
make[2]: *** [resolve] Error 1
make[2]: Leaving directory `/opt/work3/bind-9.16.10/lib/samples'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory `/opt/work3/bind-9.16.10/lib'
make: *** [subdirs] Error 1
```

January 2021 (9.11.27, 9.11.27-S1, 9.16.11, 9.16.11-S1, 9.17.9)

https://gitlab.isc.org/isc-projects/bind9/-/issues/2359
missing newlines in log messages dnssec-signzone/dnssec-verify
2021-01-08T11:40:29Z
Mark Andrews

Change 664b8f04f5f2322086138f5eda5899a62bcc019b needs to be reimplemented. The newlines need to be added by report not the caller to ensure that named's logs don't have spurious new lines. Perhaps use flockfile/funlockfile to prevent log messages being mangled.

January 2021 (9.11.27, 9.11.27-S1, 9.16.11, 9.16.11-S1, 9.17.9)

https://gitlab.isc.org/isc-projects/bind9/-/issues/182
Update GeoIP support to new API (GeoLite2 from Maxmind)
2021-01-08T09:46:56Z
Vicky Risk vicky@isc.org

### Description
Maxmind is discontinuing support for the version of their GeoIP db that is supported currently by BIND.
'At the beginning of April, 2018, we will cease updating the GeoLite Legacy downloadable databases. We will also disable free downloads of GeoLite Legacy databases from the geoipupdate program on that date.'
### Request
Please update the GeoIP support in BIND to work with the new API/schema. I did check their website and they are still providing a free community edition of the db, but the schema is new. (https://dev.maxmind.com/geoip/geoip2/geolite2/)
Excerpt from an email from a user:
Simple example for Australia and New Zealand that we use:
```
acl "ANZ" {
    geoip country NZ;
    geoip country AU;
};
view "ANZ" {
    match-clients { key anzkey; !all_keys; ANZ; };
    allow-notify { key anzkey; };
    allow-transfer { key anzkey; };
    server 192.999.888.77 { keys anzkey; };
    zone "geo.xxx.com" {
        type slave;
        notify no;
        file "/usr/local/etc/namedb/geo/ANZ.xxx";
        masters { 127.0.0.1; };
    };
    zone "geo.yyy.com" {
        type slave;
        notify no;
        file "/usr/local/etc/namedb/geo/ANZ.yyy";
        masters { 127.0.0.1; };
    };
};
```
We use GeoIP commercial database, so we rely on it, and it really works. :)
It has the same schema but more data than free. The point is that MaxMind changed the schema and API for GeoIP2/GeoLite2,
so old function calls will not work with new shared libraries, so developers have to change headers and function calls.
Bind911 uses headers at lib/dns/geoip.c:
```
#include <GeoIP.h>
#include <GeoIPCity.h>
```
and calls like:
```
GeoIP_country_code_by*
GeoIP_country_name_by*
```
The new maxmind library called "libmaxminddb" is a replacement for the old "GeoIP" shared libraries, with a new API:
headers:
```
#include <maxminddb.h>
```
Functions and data structures begin with MMDB_*.
Examples:
```
MMDB_lookup_string(&mmdb, ip_address, &gai_error, &mmdb_error);
MMDB_get_entry_data_list(&result.entry, &entry_data_list);
MMDB_dump_entry_data_list(stdout, entry_data_list, 2);
```
So, the API has changed dramatically.
### Links / references
MaxMind supported APIS: https://dev.maxmind.com/geoip/geoip2/downloadable/
## Notes
This new feature will be backported as to old release and the old GeoIP support will have to stay (`--with-geoip`). The two options will be mutually exclusive though. In the development branch, we will remove support for old GeoIP and only the new one will stay. Internally, the configuration should stay the same (even though this will require changes from the administrator anyway to put the new databases into their respective places).

BIND 9.15.2
Evan Hunt

https://gitlab.isc.org/isc-projects/bind9/-/issues/2379
asynchronous hooks could assert
2021-01-08T09:32:43Z
Evan Hunt

@jtatuya submitted an MR (!4491) correcting a possible assertion failure in asynchronous hooks due to the fetchhandle being detached at the wrong time.

January 2021 (9.11.27, 9.11.27-S1, 9.16.11, 9.16.11-S1, 9.17.9)

https://gitlab.isc.org/isc-projects/bind9/-/issues/2341
Removing 'auto-dnssec' does not turn off DNSSEC maintenance
2021-01-07T21:37:35Z
Matthijs Mekking matthijs@isc.org

If you reconfigure a zone and remove the `auto-dnssec` option, the zone is actually still DNSSEC maintained. This is because in `zoneconf.c` there is no call to `dns_zone_setkeyopt()` to turn off the flags. If the configuration option is not used `cfg_map_get(zoptions, "auto-dnssec", &obj)` will return an error.
(this is fixed in d72ad7c530bb3f0860bc0d47c075368cbd3fcc44 as part of #1750)

January 2021 (9.11.27, 9.11.27-S1, 9.16.11, 9.16.11-S1, 9.17.9)
Matthijs Mekking matthijs@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/issues/1942
[v9_11] TCP performance on FreeBSD much lower than on Linux
2021-01-07T21:03:15Z
Michal Nowak

BIND 9.11.20 and 9.11.19 (and probably older versions too) on a FreeBSD 12.1 (in a VM) has about a half of TCP query performance of Linux.
The [stress test](https://gitlab.isc.org/isc-private/bind-qa/-/tree/master/bind9/stress) executes four instances of Flamethrower: UDP IPv6, UDP IPv4, TCP IPv6, and TCP IPv4. Knowing that each TCP Flamethrower runs with 30 concurrent generators, each sending 100 queries every 1000 ms we can calculate number of expected TCP queries processed by BIND. If at least 90 % of this target is processed, the test is considered pass.
This test does pass on Linux (Fedora 32) but fails on FreeBSD 12.1. Some difference can be accounted to difference between these two environments as the former is a bare metal, the latter a KVM VM. (But still this test passes on 9.16.3 on FreeBSD 12.1.)
**9.16.3: Stress test (FreeBSD 12.1 / recursive / 1 hour)**
```
INFO: Recursive server 'ns3' received 21066269 TCP queries
INFO: About 21600000 TCP queries were expected
INFO: Minimum number of TCP queries required to pass is 19440000
INFO: BIND processed enough TCP queries
```
**9.11.20: Stress test (Fedora 32 / recursive / 1 hour)**
```
INFO: Recursive server 'ns3' received 21257316 TCP queries
INFO: About 21600000 TCP queries were expected
INFO: Minimum number of TCP queries required to pass is 19440000
INFO: BIND processed enough TCP queries
```
**9.11.20: Stress test (FreeBSD 12.1 / recursive / 12 hour)**
```
INFO: Recursive server 'ns3' received 136973904 TCP queries
INFO: About 259200000 TCP queries were expected
INFO: Minimum number of TCP queries required to pass is 233280000
ERROR: BIND did not process enough TCP queries
```
This is similar but believed to be different to https://gitlab.isc.org/isc-projects/bind9/-/issues/1941.

January 2021 (9.11.27, 9.11.27-S1, 9.16.11, 9.16.11-S1, 9.17.9)

https://gitlab.isc.org/isc-projects/bind9/-/issues/2324
'key_mutex' undeclared in geoip2.c with threads disabled
2021-01-07T20:19:43Z
Michal Nowak

Configuring `v9_11` with `--with-geoip2=auto` and `--disable-threads` fails the build of `geoip2.c`:
```
libtool: compile: gcc -I/home/newman/isc/ws/bind9 -I../.. -I. -I../../lib/dns -Iinclude -I/home/newman/isc/ws/bind9/lib/dns/include -I../../lib/dns/include -I/home/newman/isc/ws/bind9/lib/isc/include -I../../lib/isc -I../../lib/isc/include -I../../lib/isc/unix/include -I../../lib/isc/nothreads/include -I../../lib/isc/x86_32/include -I/usr/include -DUSE_MD5 -DOPENSSL -DGSSAPI -DUSE_ISC_SPNEGO -DISC_LIST_CHECKINIT=1 -D_GNU_SOURCE -g -O2 -I/usr/include/libxml2 -fPIC -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing -fno-delete-null-pointer-checks -Wshadow -Werror -c geoip2.c -fPIC -DPIC -o .libs/geoip2.o
In file included from /home/newman/isc/ws/bind9/lib/isc/include/isc/assertions.h:19,
from /home/newman/isc/ws/bind9/lib/isc/include/isc/list.h:15,
from /home/newman/isc/ws/bind9/lib/isc/include/isc/types.h:33,
from /home/newman/isc/ws/bind9/lib/isc/include/isc/result.h:19,
from ../../lib/isc/nothreads/include/isc/mutex.h:15,
from /home/newman/isc/ws/bind9/lib/isc/include/isc/mem.h:22,
from geoip2.c:25:
geoip2.c: In function ‘set_state’:
geoip2.c:195:9: error: ‘key_mutex’ undeclared (first use in this function)
195 | LOCK(&key_mutex);
| ^~~~~~~~~
/home/newman/isc/ws/bind9/lib/isc/include/isc/likely.h:23:52: note: in definition of macro ‘ISC_LIKELY’
23 | #define ISC_LIKELY(x) __builtin_expect((x), 1)
| ^
/home/newman/isc/ws/bind9/lib/isc/include/isc/util.h:315:30: note: in expansion of macro ‘ISC_ERROR_RUNTIMECHECK’
315 | #define RUNTIME_CHECK(cond) ISC_ERROR_RUNTIMECHECK(cond)
| ^~~~~~~~~~~~~~~~~~~~~~
/home/newman/isc/ws/bind9/lib/isc/include/isc/util.h:100:2: note: in expansion of macro ‘RUNTIME_CHECK’
100 | RUNTIME_CHECK(isc_mutex_lock((lp)) == ISC_R_SUCCESS); \
| ^~~~~~~~~~~~~
/home/newman/isc/ws/bind9/lib/isc/include/isc/util.h:100:16: note: in expansion of macro ‘isc_mutex_lock’
100 | RUNTIME_CHECK(isc_mutex_lock((lp)) == ISC_R_SUCCESS); \
| ^~~~~~~~~~~~~~
geoip2.c:195:3: note: in expansion of macro ‘LOCK’
195 | LOCK(&key_mutex);
| ^~~~
geoip2.c:195:9: note: each undeclared identifier is reported only once for each function it appears in
195 | LOCK(&key_mutex);
| ^~~~~~~~~
/home/newman/isc/ws/bind9/lib/isc/include/isc/likely.h:23:52: note: in definition of macro ‘ISC_LIKELY’
23 | #define ISC_LIKELY(x) __builtin_expect((x), 1)
| ^
/home/newman/isc/ws/bind9/lib/isc/include/isc/util.h:315:30: note: in expansion of macro ‘ISC_ERROR_RUNTIMECHECK’
315 | #define RUNTIME_CHECK(cond) ISC_ERROR_RUNTIMECHECK(cond)
| ^~~~~~~~~~~~~~~~~~~~~~
/home/newman/isc/ws/bind9/lib/isc/include/isc/util.h:100:2: note: in expansion of macro ‘RUNTIME_CHECK’
100 | RUNTIME_CHECK(isc_mutex_lock((lp)) == ISC_R_SUCCESS); \
| ^~~~~~~~~~~~~
/home/newman/isc/ws/bind9/lib/isc/include/isc/util.h:100:16: note: in expansion of macro ‘isc_mutex_lock’
100 | RUNTIME_CHECK(isc_mutex_lock((lp)) == ISC_R_SUCCESS); \
| ^~~~~~~~~~~~~~
geoip2.c:195:3: note: in expansion of macro ‘LOCK’
195 | LOCK(&key_mutex);
| ^~~~
make[2]: *** [Makefile:346: geoip2.lo] Error 1
```
@marka this blocks https://gitlab.isc.org/isc-projects/bind9/-/issues/2323.

January 2021 (9.11.27, 9.11.27-S1, 9.16.11, 9.16.11-S1, 9.17.9)

https://gitlab.isc.org/isc-projects/dhcp/-/issues/159
Providing kea-msg-compiler in prebuilt packages to allow external hook development
2021-01-07T20:00:22Z
Baptiste

I'm looking at adding CI to https://github.com/zorun/kea-hook-runscript
I would like to use your packages on Cloudsmith https://cloudsmith.io/~isc/repos/ to avoid building Kea every time.
Unfortunately, you don't ship `kea-msg-compiler` in any package, and it's needed to build hooks.
The best package to include it would probably be `isc-kea-dev`.
Thanks!

https://gitlab.isc.org/isc-projects/kea/-/issues/1636
small fixes from RBAC prototype
2021-01-07T15:16:32Z
Francis Dupont

#1263 and #1619 include small fixes which should be merged.

kea1.9.4
Francis Dupont

https://gitlab.isc.org/isc-projects/bind9/-/issues/2361
The additional system test fails on system:gcc:mutexatomics
2021-01-07T13:38:37Z
Matthijs Mekking matthijs@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/jobs/1377090

January 2021 (9.11.27, 9.11.27-S1, 9.16.11, 9.16.11-S1, 9.17.9)

https://gitlab.isc.org/isc-projects/bind9/-/issues/1978
Cross-compilation doesn’t work in 9.17
2021-01-07T02:49:43Z
Ondřej Surý

The `gen` and `cfg_gen` miss the `BUILD` specification, it’s built with `HOST` cc.

January 2021 (9.11.27, 9.11.27-S1, 9.16.11, 9.16.11-S1, 9.17.9)
Michal Nowak

https://gitlab.isc.org/isc-projects/bind9/-/issues/2369
refresh: failure trying master
2021-01-06T18:08:18Z
Erdődi Zoltán

https://kb.isc.org/docs/aa-01213
"If you have encountered this error and wish to submit a report, you can use our online form."
I also encountered the same error message with an incorrect mtu setting.

https://gitlab.isc.org/isc-projects/kea/-/issues/1519
Jenkins does not report crashes
2021-01-06T13:29:16Z
Francis Dupont

I am afraid that the way Jenkins analyzes unit test reports misses some crashes. This ticket is about fixing this, for instance adding a message at the end of the main function of unit tests.
It is clearly a QA matter as another solution is to use a better analyzer script...

kea1.9.4
Wlodzimierz Wencel

https://gitlab.isc.org/isc-projects/bind9/-/issues/2378
"invalid response" errors found in named.run log
2021-01-06T09:35:20Z
ken tong

The version of bind is BIND 9.10.5-P3 <id:7d5676f>
One day, I found that the size of named.run is increasing very quickly. And a lot of "invalid response" entries were spotted in the log. Details are as follows (I replace the sensitive info with <xxx>)
```
DNS format error from <IP>#53 resolving <XXXX>.bf.bf.node.epc.mnc<AAA>.mcc<BBB>.3gppnetwork.org/AAAA for client 169.254.4.50#51099: Name epc.mnc<AAA>.mcc<BBB>.3gppnetwork.org (SOA) not subdomain of zone node.epc.mnc<AAA>.mcc<BBB>.3gppnetwork.org -- invalid response
```
The response related to the above log is as follows:
```
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50664
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;<XXXX>.bf.bf.node.epc.mnc<AAA>.mcc<BBB>.3gppnetwork.org. IN AAAA
;; AUTHORITY SECTION:
;epc.mnc<AAA>.mcc<BBB>.3gppnetwork.org. 86400 IN SOA <SERVER>.mnc<AAA>.mcc<BBB>.gprs. dns-admin. (
; 2020122704 ; serial
; 10800 ; refresh (3 hours)
; 3600 ; retry (1 hour)
; 604800 ; expire (1 week)
; 86400 ; minimum (1 day)
; )
```
Normally, the FQDN should be cached as a NXRRSET record as follows:
```
<XXXX>.bf.bf.node.epc.mnc<AAA>.mcc<BBB>.3gppnetwork.org. 8412 \-AAAA ;-$NXRRSET
```
But when the issue happens, it cannot be cached, I guess it's related to the "invalid response" log.
From the error log, it mentions "zone node.epc.mnc<AAA>.mcc<BBB>.3gppnetwork.org", but I'm wondering where the zone "node.epc.mnc<AAA>.mcc<BBB>.3gppnetwork.org" comes from? I cannot find the related SOA record in the dump file.

https://gitlab.isc.org/isc-projects/bind9/-/issues/2356
no dnstap messages with unix socket
2021-01-06T06:37:23Z
Denis MACHARD

Hello, I try to use the dnstap feature but no dnstap messages are generated with a unix socket.
If I use the dnstap-output file then dnstap messages are generated.
### BIND version used
Bind 9.16 on CentOS8 - https://copr.fedorainfracloud.org/coprs/isc/bind/
```
/opt/isc/isc-bind/root/usr/sbin/named -v
BIND 9.16.10 (Stable Release) <id:fac8def>
```
I have also tested with bind 9.11 and it works fine so I don't know what I'm doing wrong.
### Steps to reproduce
Install the dnstap receiver and start it in unix mode
```
python3 -m pip install dnstap_receiver
su - named -s /bin/bash -c "dnstap_receiver -u /var/opt/isc/scls/isc-bind/named/data/dnstap.out -v"
```
Configure named with dnstap and restart it
```
options {
    directory "/var/opt/isc/scls/isc-bind/named/data";
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    dnssec-validation auto;
    dnstap-identity "bind";
    dnstap-version "xxx";
    dnstap-output unix "dnstap.out";
    dnstap { all; };
};
```
When I make a "dig", no dnstap messages are received, nothing happened. I have also tested with the dnstap in go and it's the same thing.

Michał Kępień

https://gitlab.isc.org/isc-projects/bind9/-/issues/2363
update rejected: post update name server sanity check failed
2021-01-05T15:17:54Z
tpickle-py

### Summary
When creating subed subdomain txt records for certbot challenges, nsupdate utility fails to update record.
### BIND version used
```
BIND 9.11.20-RedHat-9.11.20-5.el8 (Extended Support Version) <id:f3d1d66>
running on Linux x86_64 4.18.0-240.1.1.el8_3.x86_64 #1 SMP Thu Nov 19 17:20:08 UTC 2020
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/libexec/platform-python' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--enable-openssl-hash' '--with-geoip2' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-lmdb=no' '--with-cmocka' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= -DDIG_SIGCHASE' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 8.3.1 20191121 (Red Hat 8.3.1-5)
compiled with OpenSSL version: OpenSSL 1.1.1g FIPS 21 Apr 2020
linked to OpenSSL version: OpenSSL 1.1.1g FIPS 21 Apr 2020
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.2.0
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
geoip-directory: /usr/share/GeoIP
```
### Steps to reproduce
```
nsupdate -y hmac-sha512:**letsencrypt.***:**privatekey**
> server 212.x.x.63
> update add _acme-challenge.test.ddns.flex-sys.us.ip6tunnel.tk 3600 txt "8YVbEhYivK2XhImgfDEvNOEv9gs5MKpfOLYUjwgyoXM"
> send
update failed: REFUSED
```
### What is the current *bug* behavior?
Throws error in logs and says REFUSED
```
Dec 24 21:55:35 ns2 named[2865777]: client @0x7f44980e2d90 154.x.x.122#52119/key letsencrypt: view external: signer "letsencrypt" approved
Dec 24 21:55:35 ns2 named[2865777]: client @0x7f44980e2d90 154.x.x.122#52119/key letsencrypt: view external: updating zone 'ip6tunnel.tk/IN': adding an RR at '_acme-challenge.test.ddns.flex-sys.us.ip6tunnel.tk' TXT "8YVbEhYivK2XhImgfDEvNOEv9gs5MKpfOLYUjwgyoXM"
Dec 24 21:55:35 ns2 named[2865777]: client @0x7f44980e2d90 154.x.x.122#52119/key letsencrypt: view external: updating zone 'ip6tunnel.tk/IN': update rejected: post update name server sanity check failed
```
### What is the expected *correct* behavior?
```
Dec 24 21:01:21 ns2 named[2865777]: client @0x7f449aefe0d0 154.x.x.122#40284/key letsencrypt: view external: updating zone 'ip6tunnel.tk/IN': adding an RR at '_acme-challenge.test.ddns.flex-sys.us.ip6tunnel.tk' TXT "8YVbEhYivK2XhImgfDEvNOEv9gs5MKpfOLYUjwgyo>
```
### Relevant configuration files
Configs are working for nsupdate for shorter (sub)domain names, no policies are being enforced
### Relevant logs and/or screenshots
```
[root@ddns ~]# dig -t txt _acme-challenge.test.ddns.flex-sys.us.ip6tunnel.tk
; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> -t txt _acme-challenge.test.ddns.flex-sys.us.ip6tunnel.tk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34443
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.test.ddns.flex-sys.us.ip6tunnel.tk. IN TXT
;; AUTHORITY SECTION:
ip6tunnel.tk. 1799 IN SOA ns1.ddns.flex-sys.us. admin.flex-sys.us.ip6tunnel.tk. 2020122435 3600 600 1209600 3600
;; Query time: 42 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Dec 24 21:02:58 EST 2020
;; MSG SIZE rcvd: 141
```
Wildcard exists
```
[root@ddns ~]# dig -t txt _acme-challenge.*.ip6tunnel.tk
; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> -t txt _acme-challenge.*.ip6tunnel.tk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46582
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.*.ip6tunnel.tk. IN TXT
;; ANSWER SECTION:
_acme-challenge.*.ip6tunnel.tk. 119 IN TXT "8YVbEhYivK2XhImgfDEvNOEv9gs5MKpfOLYUjwgyoXM"
```
### Possible fixes
No fixes tried, tried to use wild cards for long subdomains, however it will not resolve specified

https://gitlab.isc.org/isc-projects/bind9/-/issues/925
delv does not honor the operating system's preferred ephemeral port range
2021-01-05T11:12:52Z
Michał Kępień

Apparently `delv` suffers from the same problem as `nsupdate` (see #905), but it causes test failures less often because it is not as frequently used throughout the system test suite as `nsupdate` is. See https://gitlab.isc.org/isc-projects/bind9/-/jobs/189334 for an example failure.

Michał Kępień

https://gitlab.isc.org/isc-projects/bind9/-/issues/905
nsupdate does not honor the operating system's preferred ephemeral port range
2021-01-05T11:12:50Z
Michał Kępień

While it is a bug in and of itself, IMHO the most compelling reason to fix this problem is that it is causing rare system test failures.
`nsupdate` may pick a source port number which clashes with a port number assigned to some `named` instance for listening. This does not trigger an error upon `bind()` because both `nsupdate` and `named` set `SO_REUSEADDR` for the relevant sockets. The end result is that `nsupdate` is unable to receive any responses to its queries and thus indicates a timeout.
Another possible symptom of this bug is a `named` instance refusing to start with an "address already in use" error - which is what happens if it tries to `bind()` to its configured listening port when some `nsupdate` process is already bound to that same port (as its source port).

Michał Kępień