ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
2024-03-28T14:11:11Z

https://gitlab.isc.org/isc-projects/bind9/-/issues/4459
[CVE-2023-50868] Preparing an NSEC3 closest encloser proof can exhaust CPU resources
2024-03-28T14:11:11Z
Petr Špaček (pspacek@isc.org)

| Quick Links | :link: |
| ------------------------ | ------------------------------------------------------------------------------ |
| Incident Manager: | @pspacek |
| Deputy Incident Manager: | @ebf |
| Public Disclosure Date: | 2024-02-13 |
| CVSS Score: | [7.5][cvss_score] |
| Security Advisory: | isc-private/printing-press!93 |
| Mattermost Channel: | [CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU][mattermost_url] |
| Support Ticket: | N/A |
| Release Checklist: | #4555 |
[cvss_score]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1
[mattermost_url]: https://mattermost.isc.org/isc/channels/cve-2023-50868-nsec3-closest-encloser-proof-can-exhaust-cpu
:bulb: **Click [here][checklist_explanations] (internal resource) for general information about the security incident handling process.**
[checklist_explanations]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations
### Earlier Than T-5
- [x] [:link:][step_deputy] **(IM)** Pick a Deputy Incident Manager
- :no_entry_sign: [:link:][step_respond] **(IM)** Respond to the bug reporter - found internally by @pspacek
- [x] [:link:][step_public_mrs] **(SwEng)** Ensure there are no public merge requests which inadvertently disclose the issue
- [x] [:link:][step_assign_cve_id] **(IM)** Assign a CVE identifier
- [x] [:link:][step_note_cve_info] **(SwEng)** Update this issue with the assigned CVE identifier and the CVSS score
- [x] [:link:][step_versions_affected] **(SwEng)** Determine the range of product versions affected (including the Subscription Edition)
- [x] [:link:][step_workarounds] **(SwEng)** Determine whether workarounds for the problem exist
- [x] [:link:][step_coordinate] **(SwEng)** :warning: Coordinate with other parties :warning:
- [x] [:link:][step_earliest_prepare] **(Support)** ~~Prepare "earliest" notification text and hand it off to Marketing~~
- [x] [:link:][step_earliest_send] **(Marketing)** ~~Update "earliest" notification document in SF portal and send bulk email to earliest customers~~
- [x] [:link:][step_advisory_mr] **(Support)** [Create a merge request for the Security Advisory and include all readily available information in it](isc-private/printing-press!93)
- [x] [:link:][step_reproducer_mr] **(SwEng)** ~~[Prepare a private merge request containing a system test reproducing the problem](#note_434474)~~
- [x] [:link:][step_notify_support] **(SwEng)** ~~Notify Support when a reproducer is ready~~
- [x] [:link:][step_code_analysis] **(SwEng)** [Prepare a detailed explanation of the code flow triggering the problem](#note_434480)
- [x] [:link:][step_fix_mr] **(SwEng)** ~~[Prepare a private merge request with the fix](#note_434483)~~
- [x] [:link:][step_review_fix] **(SwEng)** ~~[Ensure the merge request with the fix is reviewed and has no outstanding discussions](#note_434483)~~
- [x] [:link:][step_review_docs] **(Support)** ~~[Review the documentation changes introduced by the merge request with the fix](#note_434483)~~
- [x] [:link:][step_backports] **(SwEng)** ~~[Prepare backports of the merge request addressing the problem for all affected (and still maintained) branches of a given product](#note_434483)~~
- [x] [:link:][step_finish_advisory] **(Support)** Finish preparing the Security Advisory
- [x] [:link:][step_meta_issue] **(QA)** Create (or update) the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
- [x] [:link:][step_changes] **(QA)** (BIND 9 only) Reserve a block of `CHANGES` placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
- [x] [:link:][step_merge_fixes] **(QA)** ~~[Merge the CVE fixes in CVE identifier order](#note_434483)~~
- [x] [:link:][step_patches] **(QA)** ~~[Prepare a standalone patch for the last stable release of each affected (and still maintained) product branch](#note_434483)~~
- [x] [:link:][step_asn_releases] **(QA)** Prepare ASN releases (as outlined in the Release Checklist)
### At T-5
- [x] [:link:][step_asn_documents] **(Marketing)** Update the text on the T-5 (from the Printing Press project) and "earliest" ASN documents in the SF portal
- [x] [:link:][step_asn_links] **(Marketing)** (BIND 9 only) Update the BIND -S information document in SF with download links to the new versions
- [x] [:link:][step_asn_send] **(Marketing)** Bulk email eligible customers to check the SF portal
- [x] [:link:][step_preannouncement] **(Marketing)** (BIND 9 only) Send a pre-announcement email to the *bind-announce* mailing list to alert users that the upcoming release will include security fixes
### At T-1
- [x] [:link:][step_packager_emails] **(First IM)** Send notifications to OS packagers
### On the Day of Public Disclosure
- [x] [:link:][step_clearance] **(IM)** [Grant QA & Marketing clearance to proceed with public release](https://mattermost.isc.org/isc/pl/rxzn1b4upbnjxrbq75dqx1m96o)
- [x] [:link:][step_publish] **(QA/Marketing)** Publish the releases (as outlined in the release checklist)
- [x] [:link:][step_matrix] **(Support)** (BIND 9 only) Add the new CVEs to the vulnerability matrix in the Knowledge Base
- [x] [:link:][step_publish_advisory] **(Support)** Bump Document Version for the Security Advisory and publish it in the Knowledge Base
- [x] [:link:][step_notifications] **(First IM)** Send notification emails to third parties
- [x] [:link:][step_mitre] **(First IM)** ~~[Advise MITRE about the disclosed CVEs](#note_436522)~~
- [x] [:link:][step_merge_advisory] **(First IM)** Merge the Security Advisory merge request
- [x] [:link:][step_embargo_end] **(IM)** Inform original reporter (if external) that the security disclosure process is complete
- [x] [:link:][step_asn_clear] **(Marketing)** Update the SF portal to clear the ASN
- [x] [:link:][step_customers] **(Marketing)** Email ASN recipients that the embargo is lifted
### After Public Disclosure
- [x] [:link:][step_regression] **(QA)** ~~[Merge a regression test reproducing the bug into all affected (and still maintained) branches](#note_434474)~~
[step_deputy]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#pick-a-deputy-incident-manager
[step_respond]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#respond-to-the-bug-reporter
[step_public_mrs]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#ensure-there-are-no-public-merge-requests-which-inadvertently-disclose-the-issue
[step_assign_cve_id]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#assign-a-cve-identifier
[step_note_cve_info]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-this-issue-with-the-assigned-cve-identifier-and-the-cvss-score
[step_versions_affected]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#determine-the-range-of-product-versions-affected-including-the-subscription-edition
[step_workarounds]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#determine-whether-workarounds-for-the-problem-exist
[step_coordinate]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#if-necessary-coordinate-with-other-parties
[step_earliest_prepare]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-earliest-notification-text-and-hand-it-off-to-marketing
[step_earliest_send]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-earliest-notification-document-in-sf-portal-and-send-bulk-email-to-earliest-customers
[step_advisory_mr]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#create-a-merge-request-for-the-security-advisory-and-include-all-readily-available-information-in-it
[step_reproducer_mr]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-private-merge-request-containing-a-system-test-reproducing-the-problem
[step_notify_support]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#notify-support-when-a-reproducer-is-ready
[step_code_analysis]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-detailed-explanation-of-the-code-flow-triggering-the-problem
[step_fix_mr]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-private-merge-request-with-the-fix
[step_review_fix]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#ensure-the-merge-request-with-the-fix-is-reviewed-and-has-no-outstanding-discussions
[step_review_docs]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#review-the-documentation-changes-introduced-by-the-merge-request-with-the-fix
[step_backports]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-backports-of-the-merge-request-addressing-the-problem-for-all-affected-and-still-maintained-branches-of-a-given-product
[step_finish_advisory]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#finish-preparing-the-security-advisory
[step_meta_issue]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#create-or-update-the-private-issue-containing-links-to-fixes-reproducers-for-all-cves-fixed-in-a-given-release-cycle
[step_changes]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-reserve-a-block-of-changes-placeholders-once-the-complete-set-of-vulnerabilities-fixed-in-a-given-release-cycle-is-determined
[step_merge_fixes]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-the-cve-fixes-in-cve-identifier-order
[step_patches]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-standalone-patch-for-the-last-stable-release-of-each-affected-and-still-maintained-product-branch
[step_asn_releases]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-asn-releases-as-outlined-in-the-release-checklist
[step_asn_documents]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-the-text-on-the-t-5-from-the-printing-press-project-and-earliest-asn-documents-in-the-sf-portal
[step_asn_links]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-update-the-bind-s-information-document-in-sf-with-download-links-to-the-new-versions
[step_asn_send]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bulk-email-eligible-customers-to-check-the-sf-portal
[step_preannouncement]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-send-a-pre-announcement-email-to-the-bind-announce-mailing-list-to-alert-users-that-the-upcoming-release-will-include-security-fixes
[step_packager_emails]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#send-notifications-to-os-packagers
[step_clearance]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#grant-qa-marketing-clearance-to-proceed-with-public-release
[step_publish]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#publish-the-releases-as-outlined-in-the-release-checklist
[step_matrix]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-add-the-new-cves-to-the-vulnerability-matrix-in-the-knowledge-base
[step_publish_advisory]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bump-document-version-for-the-security-advisory-and-publish-it-in-the-knowledge-base
[step_notifications]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#send-notification-emails-to-third-parties
[step_mitre]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#advise-mitre-about-the-disclosed-cves
[step_merge_advisory]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-the-security-advisory-merge-request
[step_embargo_end]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#inform-original-reporter-if-external-that-the-security-disclosure-process-is-complete
[step_asn_clear]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-the-sf-portal-to-clear-the-asn
[step_customers]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#email-asn-recipients-that-the-embargo-is-lifted
[step_regression]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-a-regression-test-reproducing-the-bug-into-all-affected-and-still-maintained-branches
### Reproducer
1. Sign an empty zone with NSEC3, 150 iterations, and the same NSEC3 salt for good measure:
   - [local.testiscorg.ch.zone](/uploads/b4a147bdabff809350e0a7a7b802758e/local.testiscorg.ch.zone)
   - [Klocal.testiscorg.ch.+014+01043.key](/uploads/27aa1a99ac52e271ae1bf618c7fc4138/Klocal.testiscorg.ch.+014+01043.key)
   - [Klocal.testiscorg.ch.+014+01043.private](/uploads/346295e7f71ed644dd44bb93e52ea531/Klocal.testiscorg.ch.+014+01043.private)
   - `dnssec-signzone -u -3 0122345678912345 -H 150 -e 20380101000000 -S -o local.testiscorg.ch -O full -z local.testiscorg.ch.zone Klocal.testiscorg.ch.+014+01043`
   - :point_right_tone1: [local.testiscorg.ch.zone.signed](/uploads/ba12811b13cc749084b6c1cef0c3a04a/local.testiscorg.ch.zone.signed)
2. Run an auth with the zone:
   - [auth.conf](/uploads/51139fed8b8efe23eb58b82ce4b82379/auth.conf)
   - `named -g -c auth.conf`
3. Run a resolver with the zone:
   - [resolver.conf](/uploads/2b9a661105397636c55f9c5be13d8855/resolver.conf)
   - `named -g -c resolver.conf`
4. Run attack using dnsperf:
   - [randlabels.py](/uploads/30b54afbe090da16c06855f5561755df/randlabels.py)
   - `python randlabels.py | dnsperf -s 127.0.0.1 -S1`
### Observed behavior
Around 200 QPS, one CPU maxed out. Tweaking dnsperf params can max out all CPUs with ~ 200 queries per core.
### Problem
For NSEC3 we have to hash all the labels between QNAME and zone name to find a matching NSEC3 RR in the authority section. This inflates the number of hashes to potentially ~ `127 labels * <NSEC3 iterations> * <number of NSEC3 RRs in the message>`.
We have to cap this somehow. Coordination with other vendors is needed because BIND, Unbound, Knot Resolver, and PowerDNS in current versions are affected. This seems like a protocol issue so other vendors are most likely also affected, see the NSEC3 algorithm here: https://datatracker.ietf.org/doc/html/rfc5155#section-8.3

February 2024 (9.16.47/9.16.48, 9.16.47/9.16.48-S1, 9.18.23/9.18.24, 9.18.23/9.18.24-S1, 9.19.21)

https://gitlab.isc.org/isc-projects/bind9/-/issues/4458
dnssec auto fails across multiple views + unable to add/remove DS records from second view + invalid DS records
2023-12-04T05:39:28Z
Tom Shaw

### Summary
- When using multiple views, the affected views fail to manage dnssec properly
- When using dnssec to auto sign zones, across multiple views, all but one of the views will fail to add DS records through nsupdate.
- The view fails to manage and purge old key/state/private files and these start to build up over time
- Unable to get DS records, publish CDS log entries stop appearing for the view
### BIND version used
BIND 9.18.20-1+ubuntu22.04.1+deb.sury.org+1-Ubuntu
### Steps to reproduce
Create a config which has two views, with the same domain in each view. One of the views must only be available to an internal ip range (internal), the other must be available from all (external). Enable dnssec on both domains in both views using separate policies.
### What is the current *bug* behavior?
- keys in the internal view will not be managed correctly and will build up over time
- nsupdate will appear to add/delete the DS records correctly but these are not added or deleted in bind.
### What is the expected *correct* behavior?
- keys in both views should be managed correctly
- nsupdate should be able to manipulate the DS records in the internal view
### Relevant configuration files
I will share my configs privately if possible
Use this yearly internal policy for TLD level domains
```
dnssec-policy "yearly-internal" {
    keys {
        ksk lifetime P365D algorithm ECDSAP384SHA384;
        zsk lifetime P1D algorithm ECDSAP384SHA384;
    };
    //
    dnskey-ttl PT5M;
    publish-safety PT3M;
    retire-safety PT5M;
    purge-keys PT10M;
    // Signature timings
    signatures-refresh PT5M;
    signatures-validity PT10M;
    signatures-validity-dnskey PT10M;
    //
    max-zone-ttl PT5M;
    parent-ds-ttl PT3M;
    parent-propagation-delay PT3M;
    nsec3param iterations 10 optout no salt-length 16;
};
```
Use this aggressive standard internal policy for sub domains
```
dnssec-policy "standard" {
    keys {
        ksk lifetime PT40M algorithm ECDSAP384SHA384;
        zsk lifetime PT20M algorithm ECDSAP384SHA384;
    };
    //
    dnskey-ttl 60;
    publish-safety PT2M;
    retire-safety PT2M;
    purge-keys PT10M;
    // Signature timings
    signatures-refresh PT5M;
    signatures-validity PT10M;
    signatures-validity-dnskey PT10M;
    //
    max-zone-ttl 300;
    parent-ds-ttl 60;
    parent-propagation-delay 60;
    nsec3param iterations 10 optout no salt-length 16;
};
options {
    check-names master ignore;
    check-names slave ignore;
    check-names response ignore;
    masterfile-format text;
    listen-on-v6 { none; };
    listen-on port 53 { 127.0.0.1; 165.227.238.11; 10.0.254.1; 10.0.254.2; };
    directory "/var/cache/bind";
    auth-nxdomain no; # conform to RFC1035
    querylog yes;
    pid-file "/var/run/named/named.pid";
    include "/etc/bind/named.options.transfer.conf";
    # if running a natted server, set the public ip address here
    # this will not work in a multihomed box (specifically linode fails)
    # notify the NS servers - only on master
    notify yes;
    # some dnssec stuff
    include "/etc/bind/named.options.dnssec.conf";
    max-cache-size 10485760;
};
```
Zone file
```
#ns1.node.flipkick.media
zone "entitywind.dev" {
    key-directory "/var/cache/bind/keys/internals-master";
    file "internals.master.dev.entitywind.db";
    update-policy {
        grant 127.0.0.1 subdomain entitywind.dev;
        grant internal subdomain entitywind.dev;
        grant internal zonesub any;
        grant internal-externaldns subdomain entitywind.dev;
        grant internal-externaldns zonesub any;
        grant internal-rndc-key subdomain entitywind.dev;
        grant internal-rndc-key zonesub any;
    };
    include "/etc/bind/named.zone.internals-master.conf";
    include "/etc/bind/named.zone.dnssec.policy.yearly-internal.conf";
    parental-agents { "externals"; };
};
#ns1.node.flipkick.media
zone "node.entitywind.dev" {
    key-directory "/var/cache/bind/keys/internals-master";
    file "internals.master.dev.entitywind.db";
    update-policy {
        grant 127.0.0.1 subdomain entitywind.dev;
        grant internal subdomain entitywind.dev;
        grant internal zonesub any;
        grant internal-externaldns subdomain entitywind.dev;
        grant internal-externaldns zonesub any;
        grant internal-rndc-key subdomain entitywind.dev;
        grant internal-rndc-key zonesub any;
    };
    include "/etc/bind/named.zone.internals-master.conf";
    include "/etc/bind/named.zone.dnssec.policy.yearly-internal.conf";
    parental-agents { "externals"; };
};
```
### Relevant logs and/or screenshots
```
28-Nov-2023 12:58:02.305 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/25339 (KSK) is now inactive
28-Nov-2023 12:58:02.309 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/53449 (KSK) is now inactive
28-Nov-2023 12:58:02.309 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/43625 (KSK) is now inactive
28-Nov-2023 12:58:02.309 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/26195 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/33520 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/26171 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/37281 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/7041 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/63692 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/9156 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/29571 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/44364 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/44662 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/40817 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/22890 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/64449 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/39830 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/30931 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/57355 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/23733 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/25059 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/20634 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/2754 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/19617 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/61960 (KSK) is now inactive
```
### Possible fixes
Run two bind servers and attach to differing IPs

https://gitlab.isc.org/isc-projects/bind9/-/issues/4453
Switching to a different dnssec-policy broke my zone.
2024-02-24T07:54:16Z
Björn Persson

### Summary
My zone was previously signed with a KSK and a ZSK with unlimited lifetime. I switched the zone over to a dnssec-policy using CSKs and automatic key rotation. After the DS record was updated, most of the RRSIG records were removed, leaving the zone broken to validating resolvers.
### BIND version used
```
# named -V
BIND 9.18.19-1~deb12u1-Debian (Extended Support Version) <id:>
running on Linux x86_64 5.10.0-26-amd64 #1 SMP Debian 5.10.197-1 (2023-09-29)
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--disable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=yes' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/reproducible-path/bind9-9.18.19=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 12.2.0
compiled with OpenSSL version: OpenSSL 3.0.10 1 Aug 2023
linked to OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with libnghttp2 version: 1.52.0
linked to libnghttp2 version: 1.52.0
compiled with libxml2 version: 2.9.14
linked to libxml2 version: 20914
compiled with json-c version: 0.16
linked to json-c version: 0.16
compiled with zlib version: 1.2.13
linked to zlib version: 1.2.13
linked to maxminddb version: 1.7.1
compiled with protobuf-c version: 1.4.1
linked to protobuf-c version: 1.4.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
```
### Steps to reproduce
I have two zones that both exist in an external and an internal view. Each zone was previously signed with a KSK and a ZSK with unlimited lifetime. To proceed cautiously with the change to `dnssec-policy` I defined one policy that matched the existing keys and another that would use CSKs and automatic key rotation:
```
dnssec-policy "as_it_was" {
keys {
ksk lifetime unlimited algorithm rsasha256 2048;
zsk lifetime unlimited algorithm rsasha256 2048;
};
dnskey-ttl P1D;
purge-keys 0;
};
dnssec-policy "automation" {
keys {
csk lifetime P1M algorithm rsasha256 2048;
};
dnskey-ttl P1D;
max-zone-ttl P1D;
signatures-validity P1W;
signatures-refresh P2D;
};
```
First I switched the zones from "`auto-dnssec maintain;`" to "`dnssec-policy as_it_was;`". Bind continued using the existing keys. Once I had the exchange of CDS and DS records working between my zones and the parent zone, I switched one zone over to "`dnssec-policy automation;`" in both views.
The rollover from the old keys to a CSK seemed to go smoothly, but after a while I discovered that the zone was only partially signed in the external view. Several records lacked RRSIG records. Dynamic updates of the unsigned records caused corresponding RRSIG records to appear.
After that initial problem, the following rollover from one CSK to another worked fine, so I proceeded to switch the second zone over to "`dnssec-policy automation;`". This time I took notes and watched for missing signatures.
2023-11-18 16:05:49 a CSK was generated. DNSKEY, CDS and CDNSKEY were signed with both the old KSK and the CSK. SOA got a new signature by the old ZSK. All other records kept their existing signatures.
2023-11-19 17:10:49 CDS and CDNSKEY records for the CSK were published. DNSKEY, CDS and CDNSKEY got new signatures by the KSK and the CSK. SOA was signed with the ZSK and the CSK.
2023-11-20 17:10:49 Bind noticed that DS had been updated in the parent zone.
2023-11-20 18:15:49 the ZSK and all its signatures were removed. DNSKEY, CDS and CDNSKEY got new signatures by the CSK and the KSK. SOA got a new signature by the CSK. All other records were left without RRSIG records.
This time I fixed the external view with "`rndc sign xn--rombobjrn-67a.se IN external`". All the unsigned records were then signed with the CSK. DNSKEY, CDS, CDNSKEY and SOA had their signatures renewed. I left the internal view alone.
2023-11-21 19:10:50 the KSK was removed. DNSKEY, CDS, CDNSKEY and SOA got new signatures by the CSK. At the same time, many but not all other records in the internal view were finally signed with the CSK, having lacked signatures for 24 hours and 55 minutes. Some more records were signed a few minutes later.
As I'm posting this, one NS and one MX record in the internal view are still unsigned after more than four days.
### What is the current *bug* behavior?
The zone becomes only partially signed. Validating resolvers reject the unsigned records.
### What is the expected *correct* behavior?
All records should be signed with the new key before the old keys and signatures are removed.
### Relevant configuration files
See the policies above. After the changes, all the zone declarations look essentially like this:
```
zone "xn--rombobjrn-67a.se" {
type master;
file "/var/lib/bind/db.xn--rombobjrn-67a.se.external";
dnssec-policy automation;
parental-agents { ::1; };
inline-signing no;
update-policy { [omitted] };
};
```
### Relevant logs and/or screenshots
Excerpts from the system log:
```
2023-11-19T17:10:49.436468+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: reconfiguring zone keys
2023-11-19T17:10:49.437286+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: reconfiguring zone keys
2023-11-19T17:10:49.488666+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-19T17:10:49.489192+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-19T17:10:49.501444+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now inactive
2023-11-19T17:10:49.502076+01:00 cutie named[443161]: CDS (SHA-256) for key xn--rombobjrn-67a.se/RSASHA256/53584 is now deleted
2023-11-19T17:10:49.502515+01:00 cutie named[443161]: CDNSKEY for key xn--rombobjrn-67a.se/RSASHA256/53584 is now deleted
2023-11-19T17:10:49.502904+01:00 cutie named[443161]: CDS for key xn--rombobjrn-67a.se/RSASHA256/17339 is now published
2023-11-19T17:10:49.503279+01:00 cutie named[443161]: CDNSKEY for key xn--rombobjrn-67a.se/RSASHA256/17339 is now published
2023-11-19T17:10:49.530343+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-19T17:10:49.530897+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-19T17:10:49.534298+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now inactive
2023-11-19T17:10:49.534962+01:00 cutie named[443161]: CDS (SHA-256) for key xn--rombobjrn-67a.se/RSASHA256/53584 is now deleted
2023-11-19T17:10:49.535337+01:00 cutie named[443161]: CDNSKEY for key xn--rombobjrn-67a.se/RSASHA256/53584 is now deleted
2023-11-19T17:10:49.535684+01:00 cutie named[443161]: CDS for key xn--rombobjrn-67a.se/RSASHA256/17339 is now published
2023-11-19T17:10:49.536038+01:00 cutie named[443161]: CDNSKEY for key xn--rombobjrn-67a.se/RSASHA256/17339 is now published
2023-11-19T17:10:49.637732+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: next key event: 19-Nov-2023 18:10:49.432
2023-11-19T17:10:49.638433+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: sending notifies (serial 2023092737)
2023-11-19T17:10:49.651717+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: next key event: 19-Nov-2023 18:10:49.432
2023-11-19T17:10:49.673263+01:00 cutie named[443161]: client @0x7efdf9b21368 10.1.0.5#54619 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR started (serial 2023092736 -> 2023092737)
2023-11-19T17:10:49.674244+01:00 cutie named[443161]: client @0x7efdf9b21368 10.1.0.5#54619 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR ended: 1 messages, 23 records, 5465 bytes, 0.004 secs (1366250 bytes/sec) (serial 2023092737)
2023-11-19T17:10:50.192637+01:00 cutie named[443161]: client @0x7efdfa51af68 10.1.2.1#57043 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR started (serial 2023092736 -> 2023092737)
2023-11-19T17:10:50.193661+01:00 cutie named[443161]: client @0x7efdfa51af68 10.1.2.1#57043 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR ended: 1 messages, 23 records, 5465 bytes, 0.001 secs (5465000 bytes/sec) (serial 2023092737)
```
```
2023-11-20T17:10:49.472806+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: reconfiguring zone keys
2023-11-20T17:10:49.473891+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: reconfiguring zone keys
2023-11-20T17:10:49.525113+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-20T17:10:49.525655+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-20T17:10:49.529210+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now inactive
2023-11-20T17:10:49.530341+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: next key event: 20-Nov-2023 18:10:49.466
2023-11-20T17:10:49.557565+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-20T17:10:49.558183+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-20T17:10:49.561418+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now inactive
2023-11-20T17:10:49.562620+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: next key event: 20-Nov-2023 18:10:49.466
2023-11-20T17:10:49.617384+01:00 cutie named[443161]: keymgr: checkds DS for key xn--rombobjrn-67a.se/RSASHA256/17339 seen published at Mon Nov 20 17:10:49 2023
2023-11-20T17:10:49.621343+01:00 cutie named[443161]: keymgr: checkds DS for key xn--rombobjrn-67a.se/RSASHA256/53584 seen withdrawn at Mon Nov 20 17:10:49 2023
2023-11-20T17:10:49.624985+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: reconfiguring zone keys
2023-11-20T17:10:49.667546+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-20T17:10:49.668097+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-20T17:10:49.671602+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now inactive
2023-11-20T17:10:49.672714+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: next key event: 20-Nov-2023 18:15:49.618
2023-11-20T17:10:50.027333+01:00 cutie named[443161]: keymgr: checkds DS for key xn--rombobjrn-67a.se/RSASHA256/17339 seen published at Mon Nov 20 17:10:50 2023
2023-11-20T17:10:50.031352+01:00 cutie named[443161]: keymgr: checkds DS for key xn--rombobjrn-67a.se/RSASHA256/53584 seen withdrawn at Mon Nov 20 17:10:50 2023
2023-11-20T17:10:50.035151+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: reconfiguring zone keys
2023-11-20T17:10:50.077904+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-20T17:10:50.078540+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-20T17:10:50.081828+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now inactive
2023-11-20T17:10:50.083015+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: next key event: 20-Nov-2023 18:15:49.030
```
```
2023-11-20T18:15:49.036472+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: reconfiguring zone keys
2023-11-20T18:15:49.076389+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-20T18:15:49.077010+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-20T18:15:49.088905+01:00 cutie named[443161]: Removing expired key xn--rombobjrn-67a.se/13398/RSASHA256 from DNSKEY RRset.
2023-11-20T18:15:49.089406+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK) is now deleted
2023-11-20T18:15:49.089784+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now inactive
2023-11-20T18:15:49.192756+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: next key event: 20-Nov-2023 18:20:49.033
2023-11-20T18:15:49.193416+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: sending notifies (serial 2023092738)
2023-11-20T18:15:49.275467+01:00 cutie named[443161]: client @0x7efdebdc6d68 10.1.0.5#41397 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR started (serial 2023092737 -> 2023092739)
2023-11-20T18:15:49.278365+01:00 cutie named[443161]: client @0x7efdebdc6d68 10.1.0.5#41397 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR ended: 3 messages, 128 records, 38648 bytes, 0.004 secs (9662000 bytes/sec) (serial 2023092739)
2023-11-20T18:15:49.622949+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: reconfiguring zone keys
2023-11-20T18:15:49.664238+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-20T18:15:49.664712+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-20T18:15:49.667624+01:00 cutie named[443161]: Removing expired key xn--rombobjrn-67a.se/13398/RSASHA256 from DNSKEY RRset.
2023-11-20T18:15:49.668019+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK) is now deleted
2023-11-20T18:15:49.668373+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now inactive
2023-11-20T18:15:49.764336+01:00 cutie named[443161]: client @0x7efdebdc5168 10.1.2.1#58091 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR started (serial 2023092737 -> 2023092739)
2023-11-20T18:15:49.767341+01:00 cutie named[443161]: client @0x7efdebdc5168 10.1.2.1#58091 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR ended: 3 messages, 128 records, 38648 bytes, 0.004 secs (9662000 bytes/sec) (serial 2023092739)
2023-11-20T18:15:49.779256+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: next key event: 20-Nov-2023 18:20:49.621
2023-11-20T18:15:54.192437+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: sending notifies (serial 2023092739)
```
```
2023-11-21T13:15:40.402451+01:00 cutie named[443161]: received control channel command 'sign xn--rombobjrn-67a.se IN external'
2023-11-21T13:15:40.405362+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: reconfiguring zone keys
2023-11-21T13:15:40.431241+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-21T13:15:40.431697+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-21T13:15:40.433742+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now inactive
2023-11-21T13:15:40.528574+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: next key event: 21-Nov-2023 19:10:50.395
2023-11-21T13:15:40.529172+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: sending notifies (serial 2023092740)
2023-11-21T13:15:40.773096+01:00 cutie named[443161]: client @0x7efdfa51af68 10.1.0.5#33623 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR started (serial 2023092739 -> 2023092742)
2023-11-21T13:15:40.774513+01:00 cutie named[443161]: client @0x7efdfa51af68 10.1.0.5#33623 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR ended: 1 messages, 46 records, 12419 bytes, 0.004 secs (3104750 bytes/sec) (serial 2023092742)
2023-11-21T13:15:41.172719+01:00 cutie named[443161]: client @0x7efdf9b20568 10.1.2.1#33203 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR started (serial 2023092739 -> 2023092745)
2023-11-21T13:15:41.174657+01:00 cutie named[443161]: client @0x7efdf9b20568 10.1.2.1#33203 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR ended: 2 messages, 89 records, 24907 bytes, 0.004 secs (6226750 bytes/sec) (serial 2023092745)
2023-11-21T13:15:45.528370+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: sending notifies (serial 2023092750)
2023-11-21T13:15:45.561710+01:00 cutie named[443161]: client @0x7efdebdc6d68 10.1.0.5#52787 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR started (serial 2023092742 -> 2023092750)
2023-11-21T13:15:45.564494+01:00 cutie named[443161]: client @0x7efdebdc6d68 10.1.0.5#52787 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR ended: 2 messages, 114 records, 31108 bytes, 0.004 secs (7777000 bytes/sec) (serial 2023092750)
2023-11-21T13:15:46.078928+01:00 cutie named[443161]: client @0x7efdfa51bd68 10.1.2.1#60701 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR started (serial 2023092745 -> 2023092750)
2023-11-21T13:15:46.080874+01:00 cutie named[443161]: client @0x7efdfa51bd68 10.1.2.1#60701 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR ended: 2 messages, 71 records, 18769 bytes, 0.001 secs (18769000 bytes/sec) (serial 2023092750)
```
```
2023-11-21T19:10:50.400377+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: reconfiguring zone keys
2023-11-21T19:10:50.432532+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-21T19:10:50.433038+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-21T19:10:50.443664+01:00 cutie named[443161]: Removing expired key xn--rombobjrn-67a.se/53584/RSASHA256 from DNSKEY RRset.
2023-11-21T19:10:50.444123+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now deleted
2023-11-21T19:10:50.511795+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: next key event: 21-Nov-2023 19:15:50.396
2023-11-21T19:10:50.512265+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: sending notifies (serial 2023092751)
2023-11-21T19:10:50.576696+01:00 cutie named[443161]: client @0x7efdfa51af68 10.1.0.5#54307 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR started (serial 2023092750 -> 2023092752)
2023-11-21T19:10:50.577645+01:00 cutie named[443161]: client @0x7efdfa51af68 10.1.0.5#54307 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR ended: 1 messages, 27 records, 5832 bytes, 0.001 secs (5832000 bytes/sec) (serial 2023092752)
2023-11-21T19:10:50.626991+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: reconfiguring zone keys
2023-11-21T19:10:50.660686+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-21T19:10:50.661150+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-21T19:10:50.663077+01:00 cutie named[443161]: Removing expired key xn--rombobjrn-67a.se/53584/RSASHA256 from DNSKEY RRset.
2023-11-21T19:10:50.663489+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now deleted
2023-11-21T19:10:50.738310+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: next key event: 21-Nov-2023 19:15:50.624
2023-11-21T19:10:51.191122+01:00 cutie named[443161]: client @0x7efdf9b20568 10.1.2.1#43631 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR started (serial 2023092750 -> 2023092752)
2023-11-21T19:10:51.191859+01:00 cutie named[443161]: client @0x7efdf9b20568 10.1.2.1#43631 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR ended: 1 messages, 27 records, 5832 bytes, 0.001 secs (5832000 bytes/sec) (serial 2023092752)
2023-11-21T19:10:55.511787+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: sending notifies (serial 2023092752)
2023-11-21T19:15:50.404325+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: reconfiguring zone keys
2023-11-21T19:15:50.427941+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-21T19:15:50.428397+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-21T19:15:50.440377+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: next key event: 21-Nov-2023 19:20:49.398
2023-11-21T19:15:50.630905+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: reconfiguring zone keys
2023-11-21T19:15:50.656580+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-21T19:15:50.657098+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-21T19:15:50.659929+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: next key event: 21-Nov-2023 19:20:49.626
2023-11-21T19:20:49.405293+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: reconfiguring zone keys
2023-11-21T19:20:49.429191+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-21T19:20:49.429646+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-21T19:20:49.438021+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: next key event: 21-Nov-2023 19:20:50.399
2023-11-21T19:20:49.630959+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: reconfiguring zone keys
2023-11-21T19:20:49.656677+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-21T19:20:49.657172+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-21T19:20:49.659897+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: next key event: 21-Nov-2023 19:20:50.627
2023-11-21T19:20:50.401138+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: reconfiguring zone keys
2023-11-21T19:20:50.427552+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-21T19:20:50.428010+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-21T19:20:50.434902+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: next key event: 21-Nov-2023 20:20:50.399
2023-11-21T19:20:50.629148+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: reconfiguring zone keys
2023-11-21T19:20:50.654607+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-21T19:20:50.655054+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-21T19:20:50.657686+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: next key event: 21-Nov-2023 20:20:50.627
```
Some possibly useful status data from when the zone lacked signatures:
```
# rndc dnssec -status xn--rombobjrn-67a.se IN external
dnssec-policy: automatik
current time: Tue Nov 21 12:57:26 2023

key: 17339 (RSASHA256), CSK
  published: yes - since Sat Nov 18 16:05:49 2023
  key signing: yes - since Sat Nov 18 16:05:49 2023
  zone signing: yes - since Sat Nov 18 16:05:49 2023
  Next rollover scheduled on Mon Dec 18 15:00:49 2023
  - goal: omnipresent
  - dnskey: omnipresent
  - ds: rumoured
  - zone rrsig: omnipresent
  - key rrsig: omnipresent

key: 13398 (RSASHA256), ZSK
  published: no
  zone signing: no
  Key has been removed from the zone
  - goal: hidden
  - dnskey: hidden
  - zone rrsig: unretentive

key: 53584 (RSASHA256), KSK
  published: yes - since Sun Nov 3 04:26:07 2019
  key signing: yes - since Sun Nov 3 04:26:07 2019
  Rollover is due since Sun Nov 19 18:05:49 2023
  - goal: hidden
  - dnskey: omnipresent
  - ds: unretentive
  - key rrsig: omnipresent

# rndc zonestatus xn--rombobjrn-67a.se IN external
name: xn--rombobjrn-67a.se
type: primary
files: /var/lib/bind/db.xn--rombobjrn-67a.se.external
serial: 2023092739
nodes: 42
last loaded: Tue, 24 Oct 2023 12:43:57 GMT
secure: no
key maintenance: automatic
next key event: Tue, 21 Nov 2023 18:10:50 GMT
dynamic: yes
frozen: no
reconfigurable via modzone: no
```
The output of `rndc zonestatus` changed when I ran `rndc sign`:
```
# rndc zonestatus xn--rombobjrn-67a.se IN external
name: xn--rombobjrn-67a.se
type: primary
files: /var/lib/bind/db.xn--rombobjrn-67a.se.external
serial: 2023092750
nodes: 42
last loaded: Tue, 24 Oct 2023 12:43:57 GMT
secure: yes
inline signing: no
key maintenance: automatic
next key event: Tue, 21 Nov 2023 18:10:50 GMT
next resign node: 7c2ecd07f155648431e0f94b89247d713c5786e1e73e953f2fe7eca3._openpgpkey.xn--rombobjrn-67a.se/NSEC
next resign time: Wed, 22 Nov 2023 22:55:09 GMT
dynamic: yes
frozen: no
reconfigurable via modzone: no
```

May 2024 (9.18.27, 9.18.27-S1, 9.19.24) Matthijs Mekking matthijs@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/issues/4452
log more information from pytest assertions in system tests
2023-12-05T15:29:43Z Tom Krizek
Some Python system tests contain `assert` expressions like
```
assert loaded == expected
```
which provide no useful information in case the check [fails](https://gitlab.isc.org/isc-private/bind9/-/jobs/3820431), e.g.:
```
_______________________ test_zone_timers_secondary_json ________________________
[gw1] linux -- Python 3.11.6 /usr/bin/python3
/builds/isc-private/bind9/bin/tests/system/statschannel/tests_json.py:86: in test_zone_timers_secondary_json
generic.test_zone_timers_secondary(
/builds/isc-private/bind9/bin/tests/system/statschannel/generic.py:94: in test_zone_timers_secondary
check_zone_timers(loaded, expires, refresh, mtime)
/builds/isc-private/bind9/bin/tests/system/statschannel/generic.py:49: in check_zone_timers
check_loaded(loaded, loaded_exp, now)
/builds/isc-private/bind9/bin/tests/system/statschannel/generic.py:38: in check_loaded
assert loaded == expected
E AssertionError
```
An informative assert message with the relevant values/data should be added to the assert statements:
```
assert loaded == expected, f"loaded={loaded}, expected={expected}"
```

December 2023 (9.18.21, 9.18.21-S1, 9.19.19) Tom Krizek

https://gitlab.isc.org/isc-projects/bind9/-/issues/4449
too long CNAME chains do not elicit SERVFAIL or even log message
2023-11-23T15:08:44Z Petr Špaček pspacek@isc.org
### Summary
CNAME chain length is currently limited to ~ 16 steps. Chains longer than this limit are cut short, but the RCODE is still NOERROR. This creates the impression that the final hop might be a NODATA answer.
Also, I can't see any log message in the logs saying that resolution was terminated prematurely.
### BIND version used
* ~"Affects v9.19": a819d3644634997a78b162988156e90f409e1ce8
* ~"Affects v9.18": 6817bf1284fe8aea303365d2dd17bc5523e7a41b
* ~"Affects v9.16": 161d69aba357fa830bb6ef2b097b0447929041f0
* ~"Affects v9.11 (EoL)" : v9.11.37-S1
* Other versions were not tested
### Steps to reproduce
* Set up an auth zone with a too-long CNAME chain:
  - [local.zone](/uploads/af4b4f699adb8b3bf87d5cac31b5d33f/local.zone)
  - [named.conf](/uploads/2a0c44310bfbe99a2ffe6bbc1b36bacc/named.conf)

Query for it in the default resolver config.
### What is the current *bug* behavior?
RCODE=NOERROR despite the incomplete CNAME chain.
```
$ dig c0000.local.testiscorg.ch. A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20544
;; flags: qr rd ra; QUERY: 1, ANSWER: 17, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 102100bdc30994f717d0d76d655f5b7d3a1f039d04cd3a86 (good)
;; QUESTION SECTION:
;c0000.local.testiscorg.ch. IN A
;; ANSWER SECTION:
c0000.local.testiscorg.ch. 0 IN CNAME c0001.local.testiscorg.ch.
c0001.local.testiscorg.ch. 0 IN CNAME c0002.local.testiscorg.ch.
c0002.local.testiscorg.ch. 0 IN CNAME c0003.local.testiscorg.ch.
c0003.local.testiscorg.ch. 0 IN CNAME c0004.local.testiscorg.ch.
c0004.local.testiscorg.ch. 0 IN CNAME c0005.local.testiscorg.ch.
c0005.local.testiscorg.ch. 0 IN CNAME c0006.local.testiscorg.ch.
c0006.local.testiscorg.ch. 0 IN CNAME c0007.local.testiscorg.ch.
c0007.local.testiscorg.ch. 0 IN CNAME c0008.local.testiscorg.ch.
c0008.local.testiscorg.ch. 0 IN CNAME c0009.local.testiscorg.ch.
c0009.local.testiscorg.ch. 0 IN CNAME c0010.local.testiscorg.ch.
c0010.local.testiscorg.ch. 0 IN CNAME c0011.local.testiscorg.ch.
c0011.local.testiscorg.ch. 0 IN CNAME c0012.local.testiscorg.ch.
c0012.local.testiscorg.ch. 0 IN CNAME c0013.local.testiscorg.ch.
c0013.local.testiscorg.ch. 0 IN CNAME c0014.local.testiscorg.ch.
c0014.local.testiscorg.ch. 0 IN CNAME c0015.local.testiscorg.ch.
c0015.local.testiscorg.ch. 0 IN CNAME c0016.local.testiscorg.ch.
c0016.local.testiscorg.ch. 0 IN CNAME c0017.local.testiscorg.ch.
```
### What is the expected *correct* behavior?
Same output but SERVFAIL.
### Relevant logs and/or screenshots
There is no log message indicating that the chain was cut prematurely. Here's named log running at `-d 99` from the main branch: [named.log](/uploads/4e9e9f8c70bf4fbc187082914a4b06ac/named.log)
### Other implementations
- PowerDNS Recursor 4.9.1 SERVFAILs and cuts the chain on c0011
- Knot Resolver 5.7.0 SERVFAILs and cuts the chain on c0013
- Unbound 1.19.0 commit 197bf154 SERVFAILs and does not return anything in the ANSWER section. [PCAP](/uploads/abb00b0409388e4a5cedf867a934e9f7/dns.pcap) suggests it stops chasing after encountering c0011.

https://gitlab.isc.org/isc-projects/bind9/-/issues/4448
Improve LRU cleaning behaviour
2023-12-13T16:30:56Z Mark Andrews
There are a number of biases in the existing LRU cleaning behaviour. We don't currently properly sweep across all locks when cleaning. We do LRU by lock rather than across all the locks.
See also #4441

December 2023 (9.18.21, 9.18.21-S1, 9.19.19) Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/4445
System tests leak queries to the Internet's root servers
2024-03-07T22:43:52Z Mark Andrews
Repeat by running the system tests with the following tcpdump running in the background.
`tcpdump -n not port 53 and \( host a.root-servers.net or host b.root-servers.net or c.root-servers.net or d.root-servers.net or e.root-servers.net or f.root-servers.net or g.root-servers.net or h.root-servers.net or i.root-servers.net or j.root-servers.net or k.root-servers.net or l.root-servers.net or m.root-servers.net \)`
The output below indicates that IPv6 source addresses are also not defined in some configurations. The 10.53.0.X addresses provide hints as to which named.conf files need to be updated.
```
13:45:32.903806 IP 172.30.42.77.60873 > 192.5.5.241.21227: UDP, length 50
PASS: addzone
```
```
13:49:44.519687 IP6 2001:db8::dd95:3307:79b2:a757.53883 > 2001:503:ba3e::2:30.21407: UDP, length 50
13:49:44.519966 IP6 2001:db8::dd95:3307:79b2:a757.50964 > 2001:503:ba3e::2:30.21407: UDP, length 50
13:49:44.520600 IP6 2001:db8::dd95:3307:79b2:a757.58171 > 2001:503:ba3e::2:30.21407: UDP, length 40
13:49:45.319541 IP6 2001:db8::dd95:3307:79b2:a757.62356 > 2001:dc3::35.21407: UDP, length 50
13:49:45.319609 IP6 2001:db8::dd95:3307:79b2:a757.52227 > 2001:dc3::35.21407: UDP, length 50
13:49:45.319976 IP6 2001:db8::dd95:3307:79b2:a757.51695 > 2001:dc3::35.21407: UDP, length 40
13:49:45.856216 IP6 2001:db8::dd95:3307:79b2:a757.52818 > 2001:500:2::c.21407: UDP, length 50
13:49:45.856698 IP6 2001:db8::dd95:3307:79b2:a757.50991 > 2001:500:2::c.21407: UDP, length 40
13:49:45.856766 IP6 2001:db8::dd95:3307:79b2:a757.60550 > 2001:500:2::c.21407: UDP, length 50
13:49:46.657781 IP6 2001:db8::dd95:3307:79b2:a757.59434 > 2001:500:9f::42.21407: UDP, length 50
13:49:46.657833 IP6 2001:db8::dd95:3307:79b2:a757.57608 > 2001:500:9f::42.21407: UDP, length 40
13:49:46.657905 IP6 2001:db8::dd95:3307:79b2:a757.64245 > 2001:500:9f::42.21407: UDP, length 50
13:49:47.460515 IP6 2001:db8::dd95:3307:79b2:a757.57232 > 2001:500:2d::d.21407: UDP, length 50
13:49:47.460588 IP6 2001:db8::dd95:3307:79b2:a757.61631 > 2001:500:2d::d.21407: UDP, length 40
13:49:47.460649 IP6 2001:db8::dd95:3307:79b2:a757.59137 > 2001:500:2d::d.21407: UDP, length 50
13:49:47.742435 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 106
13:49:47.742437 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 96
13:49:47.748681 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 106
13:49:48.545822 IP6 2001:db8::dd95:3307:79b2:a757.55127 > 2001:500:a8::e.21407: UDP, length 50
13:49:48.545881 IP6 2001:db8::dd95:3307:79b2:a757.60845 > 2001:500:a8::e.21407: UDP, length 40
13:49:48.550855 IP6 2001:db8::dd95:3307:79b2:a757.52374 > 2001:500:a8::e.21407: UDP, length 50
13:49:49.348348 IP6 2001:db8::dd95:3307:79b2:a757.63327 > 2001:7fe::53.21407: UDP, length 50
13:49:49.348661 IP6 2001:db8::dd95:3307:79b2:a757.60846 > 2001:7fe::53.21407: UDP, length 40
13:49:49.351255 IP6 2001:db8::dd95:3307:79b2:a757.54220 > 2001:7fe::53.21407: UDP, length 50
13:49:49.653093 IP6 2001:7fe::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable port, 2001:7fe::53 udp port 21407, length 106
13:49:49.655304 IP6 2001:db8::dd95:3307:79b2:a757.64039 > 2001:503:c27::2:30.21407: UDP, length 50
13:49:49.656640 IP6 2001:7fe::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable port, 2001:7fe::53 udp port 21407, length 96
13:49:49.656643 IP6 2001:7fe::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable port, 2001:7fe::53 udp port 21407, length 106
13:49:49.659222 IP6 2001:db8::dd95:3307:79b2:a757.56521 > 2001:503:c27::2:30.21407: UDP, length 40
13:49:49.660452 IP6 2001:db8::dd95:3307:79b2:a757.52052 > 2001:503:c27::2:30.21407: UDP, length 50
13:49:50.455250 IP6 2001:db8::dd95:3307:79b2:a757.57933 > 2001:500:12::d0d.21407: UDP, length 50
13:49:50.460440 IP6 2001:db8::dd95:3307:79b2:a757.52482 > 2001:500:12::d0d.21407: UDP, length 40
13:49:50.460493 IP6 2001:db8::dd95:3307:79b2:a757.63654 > 2001:500:12::d0d.21407: UDP, length 50
13:49:51.256274 IP6 2001:db8::dd95:3307:79b2:a757.64358 > 2001:7fd::1.21407: UDP, length 50
13:49:51.261276 IP6 2001:db8::dd95:3307:79b2:a757.54833 > 2001:7fd::1.21407: UDP, length 40
13:49:51.261346 IP6 2001:db8::dd95:3307:79b2:a757.59390 > 2001:7fd::1.21407: UDP, length 50
PASS: chain
```
```
13:57:40.494702 IP6 2001:db8::dd95:3307:79b2:a757.52135 > 2001:500:2d::d.21647: UDP, length 40
13:57:40.495221 IP6 2001:db8::dd95:3307:79b2:a757.63119 > 2001:500:2d::d.21647: UDP, length 40
13:57:40.777511 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 96
13:57:40.779919 IP6 2001:db8::dd95:3307:79b2:a757.56338 > 2001:500:1::53.21647: UDP, length 40
13:57:40.781191 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 96
13:57:40.783469 IP6 2001:db8::dd95:3307:79b2:a757.59194 > 2001:500:1::53.21647: UDP, length 40
13:57:41.110562 IP6 2001:500:1::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:1::53, length 96
13:57:41.110565 IP6 2001:500:1::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:1::53, length 96
13:57:41.113685 IP6 2001:db8::dd95:3307:79b2:a757.54225 > 2001:500:2f::f.21647: UDP, length 40
13:57:41.115331 IP6 2001:db8::dd95:3307:79b2:a757.50245 > 2001:500:2f::f.21647: UDP, length 40
13:57:41.400509 IP6 2001:500:2f::f > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2f::f, length 96
13:57:41.400511 IP6 2001:500:2f::f > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2f::f, length 96
13:57:41.403418 IP6 2001:db8::dd95:3307:79b2:a757.53361 > 2001:500:2::c.21647: UDP, length 40
13:57:41.404564 IP6 2001:db8::dd95:3307:79b2:a757.59085 > 2001:500:2::c.21647: UDP, length 40
13:57:42.204930 IP6 2001:db8::dd95:3307:79b2:a757.60371 > 2001:503:ba3e::2:30.21647: UDP, length 40
13:57:42.206329 IP6 2001:db8::dd95:3307:79b2:a757.55110 > 2001:503:ba3e::2:30.21647: UDP, length 40
13:57:43.005322 IP6 2001:db8::dd95:3307:79b2:a757.49424 > 2001:500:12::d0d.21647: UDP, length 40
13:57:43.006542 IP6 2001:db8::dd95:3307:79b2:a757.54969 > 2001:500:12::d0d.21647: UDP, length 40
13:57:43.807360 IP6 2001:db8::dd95:3307:79b2:a757.55498 > 2001:500:9f::42.21647: UDP, length 40
13:57:43.807422 IP6 2001:db8::dd95:3307:79b2:a757.61021 > 2001:500:9f::42.21647: UDP, length 40
13:57:44.609337 IP6 2001:db8::dd95:3307:79b2:a757.60544 > 2001:7fe::53.21647: UDP, length 40
13:57:44.609398 IP6 2001:db8::dd95:3307:79b2:a757.62701 > 2001:7fe::53.21647: UDP, length 40
13:57:44.893809 IP6 2001:7fe::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable port, 2001:7fe::53 udp port 21647, length 96
13:57:44.895366 IP6 2001:db8::dd95:3307:79b2:a757.64522 > 2001:503:c27::2:30.21647: UDP, length 40
13:57:44.896731 IP6 2001:7fe::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable port, 2001:7fe::53 udp port 21647, length 96
13:57:44.897784 IP6 2001:db8::dd95:3307:79b2:a757.49400 > 2001:503:c27::2:30.21647: UDP, length 40
13:57:45.698703 IP6 2001:db8::dd95:3307:79b2:a757.53756 > 2001:7fd::1.21647: UDP, length 40
13:57:45.698745 IP6 2001:db8::dd95:3307:79b2:a757.49518 > 2001:7fd::1.21647: UDP, length 40
13:57:46.500638 IP6 2001:db8::dd95:3307:79b2:a757.58277 > 2001:dc3::35.21647: UDP, length 40
13:57:46.500693 IP6 2001:db8::dd95:3307:79b2:a757.55364 > 2001:dc3::35.21647: UDP, length 40
13:57:47.589765 IP6 2001:db8::dd95:3307:79b2:a757.49803 > 2001:500:a8::e.21647: UDP, length 40
13:57:47.589825 IP6 2001:db8::dd95:3307:79b2:a757.50739 > 2001:500:a8::e.21647: UDP, length 40
13:57:48.391694 IP 10.53.0.4.53727 > 199.7.91.13.21647: UDP, length 40
13:57:48.391757 IP 10.53.0.4.53585 > 199.7.91.13.21647: UDP, length 40
13:57:49.192290 IP 10.53.0.4.50918 > 198.97.190.53.21647: UDP, length 40
13:57:49.192344 IP 10.53.0.4.51575 > 198.97.190.53.21647: UDP, length 40
13:57:49.993845 IP 10.53.0.4.56907 > 192.5.5.241.21647: UDP, length 40
13:57:49.993909 IP 10.53.0.4.51738 > 192.5.5.241.21647: UDP, length 40
PASS: dnssec
```
```
14:03:57.044333 IP6 2001:db8::dd95:3307:79b2:a757.64088 > 2001:7fe::53.22108: UDP, length 40
14:03:57.044799 IP6 2001:db8::dd95:3307:79b2:a757.62018 > 2001:7fe::53.22108: UDP, length 40
14:03:57.326859 IP6 2001:7fe::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable port, 2001:7fe::53 udp port 22108, length 96
14:03:57.329944 IP6 2001:db8::dd95:3307:79b2:a757.64230 > 2001:500:2d::d.22108: UDP, length 40
14:03:57.331372 IP6 2001:7fe::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable port, 2001:7fe::53 udp port 22108, length 96
14:03:57.332688 IP6 2001:db8::dd95:3307:79b2:a757.65362 > 2001:500:2d::d.22108: UDP, length 40
14:03:57.443171 IP6 2001:db8::dd95:3307:79b2:a757.59097 > 2001:503:c27::2:30.22108: UDP, length 40
14:03:57.443665 IP6 2001:db8::dd95:3307:79b2:a757.57934 > 2001:503:c27::2:30.22108: UDP, length 40
14:03:57.609806 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 96
14:03:57.611285 IP6 2001:db8::dd95:3307:79b2:a757.59204 > 2001:503:ba3e::2:30.22108: UDP, length 40
14:03:57.618209 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 96
14:03:57.619538 IP6 2001:db8::dd95:3307:79b2:a757.60758 > 2001:503:ba3e::2:30.22108: UDP, length 40
14:03:58.243496 IP6 2001:db8::dd95:3307:79b2:a757.60401 > 2001:500:12::d0d.22108: UDP, length 40
14:03:58.243894 IP6 2001:db8::dd95:3307:79b2:a757.62132 > 2001:500:12::d0d.22108: UDP, length 40
14:03:58.412158 IP6 2001:db8::dd95:3307:79b2:a757.50936 > 2001:dc3::35.22108: UDP, length 40
14:03:58.420649 IP6 2001:db8::dd95:3307:79b2:a757.57891 > 2001:dc3::35.22108: UDP, length 40
14:03:58.695207 IP6 2001:db8::dd95:3307:79b2:a757.62995 > 2001:500:2f::f.22108: UDP, length 40
14:03:58.703694 IP6 2001:db8::dd95:3307:79b2:a757.56555 > 2001:500:2f::f.22108: UDP, length 40
14:03:58.978348 IP6 2001:500:2f::f > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2f::f, length 96
14:03:58.980723 IP6 2001:db8::dd95:3307:79b2:a757.60396 > 2001:500:12::d0d.22108: UDP, length 40
14:03:58.992195 IP6 2001:500:2f::f > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2f::f, length 96
14:03:58.994195 IP6 2001:db8::dd95:3307:79b2:a757.53813 > 2001:500:12::d0d.22108: UDP, length 40
14:03:59.043887 IP6 2001:db8::dd95:3307:79b2:a757.64594 > 2001:500:2f::f.22108: UDP, length 40
14:03:59.043976 IP6 2001:db8::dd95:3307:79b2:a757.55274 > 2001:500:2f::f.22108: UDP, length 40
14:03:59.325896 IP6 2001:500:2f::f > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2f::f, length 96
14:03:59.325898 IP6 2001:500:2f::f > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2f::f, length 96
14:03:59.328942 IP6 2001:db8::dd95:3307:79b2:a757.57787 > 2001:7fd::1.22108: UDP, length 40
14:03:59.330024 IP6 2001:db8::dd95:3307:79b2:a757.52131 > 2001:7fd::1.22108: UDP, length 40
14:03:59.780834 IP6 2001:db8::dd95:3307:79b2:a757.52814 > 2001:7fd::1.22108: UDP, length 40
14:03:59.795257 IP6 2001:db8::dd95:3307:79b2:a757.62281 > 2001:7fd::1.22108: UDP, length 40
14:04:00.581933 IP6 2001:db8::dd95:3307:79b2:a757.60265 > 2001:500:9f::42.22108: UDP, length 40
14:04:00.595620 IP6 2001:db8::dd95:3307:79b2:a757.65108 > 2001:500:9f::42.22108: UDP, length 40
14:04:00.933569 IP6 2001:db8::dd95:3307:79b2:a757.54329 > 2001:500:1::53.22108: UDP, length 40
14:04:00.933926 IP6 2001:db8::dd95:3307:79b2:a757.61304 > 2001:500:1::53.22108: UDP, length 40
14:04:01.248055 IP6 2001:500:1::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:1::53, length 96
14:04:01.248057 IP6 2001:500:1::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:1::53, length 96
14:04:01.250081 IP6 2001:db8::dd95:3307:79b2:a757.60521 > 2001:7fe::53.22108: UDP, length 40
14:04:01.250445 IP6 2001:db8::dd95:3307:79b2:a757.54795 > 2001:7fe::53.22108: UDP, length 40
14:04:01.385895 IP6 2001:db8::dd95:3307:79b2:a757.51652 > 2001:500:a8::e.22108: UDP, length 40
14:04:01.396460 IP6 2001:db8::dd95:3307:79b2:a757.49428 > 2001:500:a8::e.22108: UDP, length 40
14:04:01.536550 IP6 2001:7fe::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable port, 2001:7fe::53 udp port 22108, length 96
14:04:01.536551 IP6 2001:7fe::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable port, 2001:7fe::53 udp port 22108, length 96
14:04:01.537964 IP6 2001:db8::dd95:3307:79b2:a757.55462 > 2001:dc3::35.22108: UDP, length 40
14:04:01.538959 IP6 2001:db8::dd95:3307:79b2:a757.52357 > 2001:dc3::35.22108: UDP, length 40
14:04:01.866942 IP6 2001:db8::dd95:3307:79b2:a757.58609 > 2001:503:ba3e::2:30.22108: UDP, length 40
14:04:01.867226 IP6 2001:db8::dd95:3307:79b2:a757.59524 > 2001:503:ba3e::2:30.22108: UDP, length 40
14:04:02.185312 IP6 2001:db8::dd95:3307:79b2:a757.60572 > 2001:500:1::53.22108: UDP, length 40
14:04:02.199159 IP6 2001:db8::dd95:3307:79b2:a757.54607 > 2001:500:1::53.22108: UDP, length 40
14:04:02.494330 IP6 2001:500:1::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:1::53, length 96
14:04:02.495657 IP6 2001:db8::dd95:3307:79b2:a757.56624 > 2001:500:2::c.22108: UDP, length 40
14:04:02.508077 IP6 2001:500:1::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:1::53, length 96
14:04:02.509339 IP6 2001:db8::dd95:3307:79b2:a757.55327 > 2001:500:2::c.22108: UDP, length 40
14:04:02.668039 IP6 2001:db8::dd95:3307:79b2:a757.55201 > 2001:500:2::c.22108: UDP, length 40
14:04:02.668097 IP6 2001:db8::dd95:3307:79b2:a757.54387 > 2001:500:2::c.22108: UDP, length 40
14:04:03.297181 IP6 2001:db8::dd95:3307:79b2:a757.51242 > 2001:503:c27::2:30.22108: UDP, length 40
14:04:03.310295 IP6 2001:db8::dd95:3307:79b2:a757.56361 > 2001:503:c27::2:30.22108: UDP, length 40
14:04:03.473724 IP6 2001:db8::dd95:3307:79b2:a757.58391 > 2001:500:a8::e.22108: UDP, length 40
14:04:03.473982 IP6 2001:db8::dd95:3307:79b2:a757.60433 > 2001:500:a8::e.22108: UDP, length 40
14:04:04.272365 IP6 2001:db8::dd95:3307:79b2:a757.56302 > 2001:500:2d::d.22108: UDP, length 40
14:04:04.272448 IP6 2001:db8::dd95:3307:79b2:a757.52967 > 2001:500:2d::d.22108: UDP, length 40
14:04:04.554932 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 96
14:04:04.554934 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 96
14:04:04.557466 IP6 2001:db8::dd95:3307:79b2:a757.62531 > 2001:500:9f::42.22108: UDP, length 40
14:04:04.557771 IP6 2001:db8::dd95:3307:79b2:a757.50514 > 2001:500:9f::42.22108: UDP, length 40
14:04:04.898560 IP 10.53.0.5.54966 > 192.36.148.17.22108: UDP, length 40
14:04:04.913295 IP 10.53.0.5.61035 > 192.36.148.17.22108: UDP, length 40
14:04:05.360030 IP 10.53.0.7.59188 > 192.58.128.30.22108: UDP, length 40
14:04:05.360116 IP 10.53.0.7.59010 > 192.58.128.30.22108: UDP, length 40
14:04:05.699941 IP 10.53.0.5.59742 > 199.7.91.13.22108: UDP, length 40
14:04:05.713505 IP 10.53.0.5.58815 > 199.7.91.13.22108: UDP, length 40
14:04:06.161758 IP 10.53.0.7.57834 > 192.112.36.4.22108: UDP, length 40
14:04:06.162124 IP 10.53.0.7.56571 > 192.112.36.4.22108: UDP, length 40
14:04:06.501651 IP 10.53.0.5.50453 > 198.41.0.4.22108: UDP, length 40
14:04:06.514994 IP 10.53.0.5.60515 > 198.41.0.4.22108: UDP, length 40
14:04:06.962117 IP 10.53.0.7.52088 > 192.5.5.241.22108: UDP, length 40
14:04:06.962365 IP 10.53.0.7.63453 > 192.5.5.241.22108: UDP, length 40
14:04:09.508465 IP6 2001:db8::dd95:3307:79b2:a757.51228 > 2001:500:2f::f.22108: UDP, length 40
14:04:09.509062 IP6 2001:db8::dd95:3307:79b2:a757.62936 > 2001:500:2f::f.22108: UDP, length 40
14:04:09.789597 IP6 2001:500:2f::f > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2f::f, length 96
14:04:09.791254 IP6 2001:db8::dd95:3307:79b2:a757.62445 > 2001:500:2d::d.22108: UDP, length 40
14:04:09.792984 IP6 2001:500:2f::f > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2f::f, length 96
14:04:09.794026 IP6 2001:db8::dd95:3307:79b2:a757.57036 > 2001:500:2d::d.22108: UDP, length 40
14:04:10.073708 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 96
14:04:10.076067 IP6 2001:db8::dd95:3307:79b2:a757.62489 > 2001:500:2::c.22108: UDP, length 40
14:04:10.078325 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 96
14:04:10.080298 IP6 2001:db8::dd95:3307:79b2:a757.60202 > 2001:500:2::c.22108: UDP, length 40
14:04:10.876989 IP6 2001:db8::dd95:3307:79b2:a757.58352 > 2001:7fe::53.22108: UDP, length 40
14:04:10.880736 IP6 2001:db8::dd95:3307:79b2:a757.60436 > 2001:7fe::53.22108: UDP, length 40
14:04:11.216383 IP6 2001:7fe::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable port, 2001:7fe::53 udp port 22108, length 96
14:04:11.216385 IP6 2001:7fe::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable port, 2001:7fe::53 udp port 22108, length 96
14:04:12.019633 IP6 2001:db8::dd95:3307:79b2:a757.52013 > 2001:dc3::35.22108: UDP, length 40
14:04:12.019820 IP6 2001:db8::dd95:3307:79b2:a757.50341 > 2001:dc3::35.22108: UDP, length 40
14:04:12.305687 IP6 2001:db8::dd95:3307:79b2:a757.50667 > 2001:500:a8::e.22108: UDP, length 40
14:04:12.308577 IP6 2001:db8::dd95:3307:79b2:a757.52344 > 2001:500:a8::e.22108: UDP, length 40
14:04:13.107623 IP6 2001:db8::dd95:3307:79b2:a757.50588 > 2001:7fd::1.22108: UDP, length 40
14:04:13.109395 IP6 2001:db8::dd95:3307:79b2:a757.56158 > 2001:7fd::1.22108: UDP, length 40
14:04:13.909085 IP6 2001:db8::dd95:3307:79b2:a757.53223 > 2001:500:1::53.22108: UDP, length 40
14:04:13.910489 IP6 2001:db8::dd95:3307:79b2:a757.52778 > 2001:500:1::53.22108: UDP, length 40
14:04:14.217869 IP6 2001:500:1::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:1::53, length 96
14:04:14.219787 IP6 2001:db8::dd95:3307:79b2:a757.58644 > 2001:503:c27::2:30.22108: UDP, length 40
14:04:14.223271 IP6 2001:500:1::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:1::53, length 96
14:04:14.224772 IP6 2001:db8::dd95:3307:79b2:a757.60902 > 2001:503:c27::2:30.22108: UDP, length 40
14:04:15.022609 IP6 2001:db8::dd95:3307:79b2:a757.54964 > 2001:503:ba3e::2:30.22108: UDP, length 40
14:04:15.026722 IP6 2001:db8::dd95:3307:79b2:a757.53663 > 2001:503:ba3e::2:30.22108: UDP, length 40
14:04:15.823220 IP6 2001:db8::dd95:3307:79b2:a757.61758 > 2001:500:9f::42.22108: UDP, length 40
14:04:15.827381 IP6 2001:db8::dd95:3307:79b2:a757.54810 > 2001:500:9f::42.22108: UDP, length 40
14:04:16.624127 IP6 2001:db8::dd95:3307:79b2:a757.55931 > 2001:500:12::d0d.22108: UDP, length 40
14:04:16.626560 IP6 2001:db8::dd95:3307:79b2:a757.64091 > 2001:500:12::d0d.22108: UDP, length 40
14:04:17.424805 IP 10.53.0.5.64921 > 192.5.5.241.22108: UDP, length 40
14:04:17.425691 IP 10.53.0.5.52427 > 192.5.5.241.22108: UDP, length 40
14:04:18.226071 IP 10.53.0.5.62989 > 199.7.91.13.22108: UDP, length 40
14:04:18.227192 IP 10.53.0.5.60869 > 199.7.91.13.22108: UDP, length 40
14:04:19.026522 IP 10.53.0.5.60641 > 192.33.4.12.22108: UDP, length 40
14:04:19.027531 IP 10.53.0.5.61061 > 192.33.4.12.22108: UDP, length 40
14:05:34.187803 IP6 2001:db8::dd95:3307:79b2:a757.54293 > 2001:500:9f::42.22128: UDP, length 40
14:05:34.188165 IP6 2001:db8::dd95:3307:79b2:a757.64010 > 2001:500:9f::42.22128: UDP, length 40
14:05:34.558465 IP6 2001:db8::dd95:3307:79b2:a757.52712 > 2001:500:2d::d.22128: UDP, length 40
14:05:34.558786 IP6 2001:db8::dd95:3307:79b2:a757.57096 > 2001:500:2d::d.22128: UDP, length 40
14:05:35.023699 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 96
14:05:35.023700 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 96
PASS: inline
```
```
14:08:13.369261 IP6 2001:db8::dd95:3307:79b2:a757.51634 > 2001:503:ba3e::2:30.22208: UDP, length 63
14:08:13.369718 IP6 2001:db8::dd95:3307:79b2:a757.59979 > 2001:503:ba3e::2:30.22208: UDP, length 40
14:08:14.169018 IP6 2001:db8::dd95:3307:79b2:a757.54780 > 2001:7fe::53.22208: UDP, length 63
14:08:14.170498 IP6 2001:db8::dd95:3307:79b2:a757.60950 > 2001:7fe::53.22208: UDP, length 40
14:08:14.463264 IP6 2001:7fe::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable port, 2001:7fe::53 udp port 22208, length 119
14:08:14.463265 IP6 2001:7fe::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable port, 2001:7fe::53 udp port 22208, length 96
14:08:14.465094 IP6 2001:db8::dd95:3307:79b2:a757.59857 > 2001:dc3::35.22208: UDP, length 63
14:08:14.465357 IP6 2001:db8::dd95:3307:79b2:a757.63926 > 2001:dc3::35.22208: UDP, length 40
14:08:14.749914 IP6 2001:db8::dd95:3307:79b2:a757.52224 > 2001:500:2::c.22208: UDP, length 63
14:08:14.750173 IP6 2001:db8::dd95:3307:79b2:a757.57842 > 2001:500:2::c.22208: UDP, length 40
14:08:15.551887 IP6 2001:db8::dd95:3307:79b2:a757.65422 > 2001:500:12::d0d.22208: UDP, length 63
14:08:15.551950 IP6 2001:db8::dd95:3307:79b2:a757.56698 > 2001:500:12::d0d.22208: UDP, length 40
14:08:16.352412 IP6 2001:db8::dd95:3307:79b2:a757.65499 > 2001:500:2f::f.22208: UDP, length 63
14:08:16.352478 IP6 2001:db8::dd95:3307:79b2:a757.59847 > 2001:500:2f::f.22208: UDP, length 40
14:08:16.703959 IP6 2001:500:2f::f > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2f::f, length 96
14:08:16.703961 IP6 2001:500:2f::f > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2f::f, length 119
14:08:16.706219 IP6 2001:db8::dd95:3307:79b2:a757.58862 > 2001:500:2d::d.22208: UDP, length 40
14:08:16.706507 IP6 2001:db8::dd95:3307:79b2:a757.60149 > 2001:500:2d::d.22208: UDP, length 63
14:08:16.988674 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 96
14:08:16.992645 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 119
14:08:17.790901 IP6 2001:db8::dd95:3307:79b2:a757.55202 > 2001:503:c27::2:30.22208: UDP, length 40
14:08:17.794697 IP6 2001:db8::dd95:3307:79b2:a757.53687 > 2001:503:c27::2:30.22208: UDP, length 63
14:08:18.592219 IP6 2001:db8::dd95:3307:79b2:a757.63763 > 2001:7fd::1.22208: UDP, length 40
14:08:18.594711 IP6 2001:db8::dd95:3307:79b2:a757.64419 > 2001:7fd::1.22208: UDP, length 63
14:08:19.392933 IP6 2001:db8::dd95:3307:79b2:a757.57214 > 2001:500:9f::42.22208: UDP, length 40
14:08:19.395581 IP6 2001:db8::dd95:3307:79b2:a757.50216 > 2001:500:9f::42.22208: UDP, length 63
14:08:20.174200 IP6 2001:db8::dd95:3307:79b2:a757.60458 > 2001:500:9f::42.22208: UDP, length 58
14:08:20.194401 IP6 2001:db8::dd95:3307:79b2:a757.65226 > 2001:500:1::53.22208: UDP, length 40
14:08:20.195829 IP6 2001:db8::dd95:3307:79b2:a757.64534 > 2001:500:1::53.22208: UDP, length 63
14:08:20.510430 IP6 2001:500:1::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:1::53, length 96
14:08:20.511900 IP6 2001:db8::dd95:3307:79b2:a757.60085 > 2001:500:a8::e.22208: UDP, length 40
14:08:20.513560 IP6 2001:500:1::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:1::53, length 119
14:08:20.514998 IP6 2001:db8::dd95:3307:79b2:a757.61176 > 2001:500:a8::e.22208: UDP, length 63
14:08:20.974161 IP6 2001:db8::dd95:3307:79b2:a757.55785 > 2001:500:1::53.22208: UDP, length 58
14:08:21.298794 IP6 2001:500:1::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:1::53, length 114
14:08:21.300101 IP6 2001:db8::dd95:3307:79b2:a757.50470 > 2001:500:a8::e.22208: UDP, length 58
14:08:21.312726 IP 10.53.0.3.57834 > 198.41.0.4.22208: UDP, length 40
14:08:21.315208 IP 10.53.0.3.55514 > 198.41.0.4.22208: UDP, length 63
14:08:22.099716 IP6 2001:db8::dd95:3307:79b2:a757.54499 > 2001:500:2::c.22208: UDP, length 58
14:08:22.113684 IP 10.53.0.3.65458 > 192.36.148.17.22208: UDP, length 40
14:08:22.115176 IP 10.53.0.3.61795 > 192.36.148.17.22208: UDP, length 63
14:08:22.900866 IP6 2001:db8::dd95:3307:79b2:a757.62269 > 2001:500:12::d0d.22208: UDP, length 58
14:08:22.915683 IP 10.53.0.3.58900 > 202.12.27.33.22208: UDP, length 40
14:08:22.915761 IP 10.53.0.3.57441 > 202.12.27.33.22208: UDP, length 63
14:08:23.701751 IP 10.53.0.3.58440 > 192.36.148.17.22208: UDP, length 58
14:08:24.501849 IP 10.53.0.3.52939 > 192.5.5.241.22208: UDP, length 58
14:08:25.302875 IP 10.53.0.3.54556 > 202.12.27.33.22208: UDP, length 58
14:08:26.904520 IP 10.53.0.3.58448 > 199.7.91.13.22208: UDP, length 58
14:08:27.706565 IP 10.53.0.3.53813 > 198.41.0.4.22208: UDP, length 58
14:08:28.505617 IP 10.53.0.3.54955 > 192.58.128.30.22208: UDP, length 58
14:08:28.727581 IP6 2001:db8::dd95:3307:79b2:a757.55704 > 2001:500:2::c.22208: UDP, length 59
14:08:28.728103 IP6 2001:db8::dd95:3307:79b2:a757.62304 > 2001:500:2::c.22208: UDP, length 40
14:08:29.307144 IP 10.53.0.3.54148 > 193.0.14.129.22208: UDP, length 58
14:08:29.531467 IP6 2001:db8::dd95:3307:79b2:a757.60395 > 2001:500:9f::42.22208: UDP, length 59
14:08:29.532443 IP6 2001:db8::dd95:3307:79b2:a757.61481 > 2001:500:9f::42.22208: UDP, length 40
14:08:30.108423 IP 10.53.0.3.57950 > 199.7.83.42.22208: UDP, length 58
14:08:30.328224 IP 10.53.0.3.59756 > 192.203.230.10.22208: UDP, length 59
14:08:30.331952 IP 10.53.0.3.57058 > 192.203.230.10.22208: UDP, length 40
14:08:31.129471 IP 10.53.0.3.63375 > 192.58.128.30.22208: UDP, length 59
14:08:31.132114 IP 10.53.0.3.58002 > 192.58.128.30.22208: UDP, length 40
14:08:31.929166 IP 10.53.0.3.65014 > 192.112.36.4.22208: UDP, length 59
14:08:31.931843 IP 10.53.0.3.56982 > 192.112.36.4.22208: UDP, length 40
14:08:32.729876 IP 10.53.0.3.59115 > 198.97.190.53.22208: UDP, length 59
14:08:32.732584 IP 10.53.0.3.62227 > 198.97.190.53.22208: UDP, length 40
14:08:33.531995 IP 10.53.0.3.49767 > 193.0.14.129.22208: UDP, length 59
14:08:33.532657 IP 10.53.0.3.63660 > 193.0.14.129.22208: UDP, length 40
14:08:34.331624 IP6 2001:db8::dd95:3307:79b2:a757.61697 > 2001:7fe::53.22208: UDP, length 59
14:08:34.333094 IP6 2001:db8::dd95:3307:79b2:a757.53340 > 2001:7fe::53.22208: UDP, length 40
14:08:34.634985 IP6 2001:7fe::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable port, 2001:7fe::53 udp port 22208, length 115
14:08:34.634986 IP6 2001:7fe::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable port, 2001:7fe::53 udp port 22208, length 96
14:08:34.636721 IP 10.53.0.3.54515 > 192.5.5.241.22208: UDP, length 59
14:08:34.637041 IP 10.53.0.3.64173 > 192.5.5.241.22208: UDP, length 40
14:08:34.684617 IP 10.53.0.3.55042 > 192.33.4.12.22208: UDP, length 45
14:08:35.486310 IP 10.53.0.3.54248 > 192.58.128.30.22208: UDP, length 45
14:08:36.239203 IP6 2001:db8::dd95:3307:79b2:a757.56029 > 2001:500:2d::d.22208: UDP, length 59
14:08:36.239264 IP6 2001:db8::dd95:3307:79b2:a757.59005 > 2001:500:2d::d.22208: UDP, length 40
14:08:36.287095 IP 10.53.0.3.61322 > 199.7.83.42.22208: UDP, length 45
14:08:36.522423 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 115
14:08:36.523857 IP6 2001:db8::dd95:3307:79b2:a757.58981 > 2001:503:ba3e::2:30.22208: UDP, length 59
14:08:36.524018 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 96
14:08:36.525378 IP6 2001:db8::dd95:3307:79b2:a757.56805 > 2001:503:ba3e::2:30.22208: UDP, length 40
14:08:37.087597 IP 10.53.0.3.56571 > 198.97.190.53.22208: UDP, length 45
14:08:37.324232 IP6 2001:db8::dd95:3307:79b2:a757.64432 > 2001:dc3::35.22208: UDP, length 59
14:08:37.325660 IP6 2001:db8::dd95:3307:79b2:a757.62248 > 2001:dc3::35.22208: UDP, length 40
14:08:37.710495 IP 10.53.0.3.65024 > 192.33.4.12.22208: UDP, length 59
14:08:37.710918 IP 10.53.0.3.59845 > 192.33.4.12.22208: UDP, length 40
14:08:37.889309 IP 10.53.0.3.62788 > 193.0.14.129.22208: UDP, length 45
14:08:38.512769 IP 10.53.0.3.64447 > 199.7.83.42.22208: UDP, length 59
14:08:38.512838 IP 10.53.0.3.59814 > 199.7.83.42.22208: UDP, length 40
14:08:38.689955 IP 10.53.0.3.49788 > 192.5.5.241.22208: UDP, length 45
14:08:40.292075 IP6 2001:db8::dd95:3307:79b2:a757.63735 > 2001:7fe::53.22208: UDP, length 45
14:08:40.580303 IP6 2001:7fe::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable port, 2001:7fe::53 udp port 22208, length 101
14:08:40.581810 IP6 2001:db8::dd95:3307:79b2:a757.51544 > 2001:500:2d::d.22208: UDP, length 45
14:08:40.989599 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 101
14:08:40.991882 IP 10.53.0.3.50792 > 192.203.230.10.22208: UDP, length 45
14:08:41.793532 IP6 2001:db8::dd95:3307:79b2:a757.57452 > 2001:500:12::d0d.22208: UDP, length 45
14:08:42.594093 IP6 2001:db8::dd95:3307:79b2:a757.63684 > 2001:503:ba3e::2:30.22208: UDP, length 45
14:08:43.394482 IP6 2001:db8::dd95:3307:79b2:a757.51155 > 2001:dc3::35.22208: UDP, length 45
14:08:43.678683 IP6 2001:db8::dd95:3307:79b2:a757.60816 > 2001:500:2::c.22208: UDP, length 45
14:08:44.480236 IP6 2001:db8::dd95:3307:79b2:a757.64127 > 2001:503:c27::2:30.22208: UDP, length 45
14:08:53.810497 IP6 2001:db8::dd95:3307:79b2:a757.62976 > 2001:7fe::53.22208: UDP, length 60
14:08:53.810995 IP6 2001:db8::dd95:3307:79b2:a757.52934 > 2001:7fe::53.22208: UDP, length 40
14:08:54.092626 IP6 2001:7fe::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable port, 2001:7fe::53 udp port 22208, length 116
14:08:54.092628 IP6 2001:7fe::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable port, 2001:7fe::53 udp port 22208, length 96
14:08:54.095284 IP6 2001:db8::dd95:3307:79b2:a757.56286 > 2001:500:2d::d.22208: UDP, length 60
14:08:54.095979 IP6 2001:db8::dd95:3307:79b2:a757.50686 > 2001:500:2d::d.22208: UDP, length 40
14:08:54.378660 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 116
14:08:54.380637 IP6 2001:db8::dd95:3307:79b2:a757.53086 > 2001:503:ba3e::2:30.22208: UDP, length 60
14:08:54.384138 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 96
14:08:54.386546 IP6 2001:db8::dd95:3307:79b2:a757.51648 > 2001:503:ba3e::2:30.22208: UDP, length 40
14:08:55.182261 IP6 2001:db8::dd95:3307:79b2:a757.56890 > 2001:500:9f::42.22208: UDP, length 60
14:08:55.187216 IP6 2001:db8::dd95:3307:79b2:a757.59324 > 2001:500:9f::42.22208: UDP, length 40
14:08:55.982801 IP6 2001:db8::dd95:3307:79b2:a757.49947 > 2001:500:1::53.22208: UDP, length 60
14:08:55.988121 IP6 2001:db8::dd95:3307:79b2:a757.62385 > 2001:500:1::53.22208: UDP, length 40
14:08:56.344921 IP6 2001:500:1::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:1::53, length 116
14:08:56.344923 IP6 2001:500:1::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:1::53, length 96
14:08:56.347141 IP6 2001:db8::dd95:3307:79b2:a757.58793 > 2001:500:12::d0d.22208: UDP, length 60
14:08:56.347472 IP6 2001:db8::dd95:3307:79b2:a757.61704 > 2001:500:12::d0d.22208: UDP, length 40
14:08:57.950183 IP6 2001:db8::dd95:3307:79b2:a757.64621 > 2001:500:2f::f.22208: UDP, length 60
14:08:57.950266 IP6 2001:db8::dd95:3307:79b2:a757.59211 > 2001:500:2f::f.22208: UDP, length 40
14:08:58.246721 IP6 2001:500:2f::f > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2f::f, length 116
14:08:58.246722 IP6 2001:500:2f::f > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2f::f, length 96
14:08:58.248570 IP6 2001:db8::dd95:3307:79b2:a757.50815 > 2001:dc3::35.22208: UDP, length 60
14:08:58.248835 IP6 2001:db8::dd95:3307:79b2:a757.58438 > 2001:dc3::35.22208: UDP, length 40
14:08:58.535267 IP6 2001:db8::dd95:3307:79b2:a757.59561 > 2001:500:a8::e.22208: UDP, length 60
14:08:58.539097 IP6 2001:db8::dd95:3307:79b2:a757.51566 > 2001:500:a8::e.22208: UDP, length 40
14:08:59.335863 IP6 2001:db8::dd95:3307:79b2:a757.59731 > 2001:500:2::c.22208: UDP, length 60
14:08:59.340049 IP6 2001:db8::dd95:3307:79b2:a757.58883 > 2001:500:2::c.22208: UDP, length 40
14:09:00.135608 IP6 2001:db8::dd95:3307:79b2:a757.50623 > 2001:503:c27::2:30.22208: UDP, length 60
14:09:00.140691 IP6 2001:db8::dd95:3307:79b2:a757.52842 > 2001:503:c27::2:30.22208: UDP, length 40
14:09:00.937478 IP6 2001:db8::dd95:3307:79b2:a757.54242 > 2001:7fd::1.22208: UDP, length 60
14:09:00.942036 IP6 2001:db8::dd95:3307:79b2:a757.56373 > 2001:7fd::1.22208: UDP, length 40
14:09:01.737774 IP 10.53.0.6.61815 > 192.36.148.17.22208: UDP, length 60
14:09:01.741918 IP 10.53.0.6.63154 > 192.36.148.17.22208: UDP, length 40
14:09:02.539402 IP 10.53.0.6.54479 > 199.7.91.13.22208: UDP, length 60
14:09:02.542500 IP 10.53.0.6.64191 > 199.7.91.13.22208: UDP, length 40
14:09:03.339293 IP 10.53.0.6.53580 > 198.41.0.4.22208: UDP, length 60
14:09:03.341951 IP 10.53.0.6.53710 > 198.41.0.4.22208: UDP, length 40
14:09:05.329049 IP6 2001:db8::dd95:3307:79b2:a757.63202 > 2001:500:9f::42.22208: UDP, length 64
14:09:05.329499 IP6 2001:db8::dd95:3307:79b2:a757.51965 > 2001:500:9f::42.22208: UDP, length 40
14:09:06.128970 IP 10.53.0.6.50825 > 193.0.14.129.22208: UDP, length 64
14:09:06.129321 IP 10.53.0.6.50271 > 193.0.14.129.22208: UDP, length 40
14:09:06.930166 IP 10.53.0.6.56274 > 192.58.128.30.22208: UDP, length 64
14:09:06.930224 IP 10.53.0.6.50387 > 192.58.128.30.22208: UDP, length 40
14:09:07.730861 IP 10.53.0.6.57494 > 192.33.4.12.22208: UDP, length 64
14:09:07.730930 IP 10.53.0.6.56907 > 192.33.4.12.22208: UDP, length 40
PASS: kasp
```
```
14:14:46.693309 IP6 2001:db8::dd95:3307:79b2:a757.61058 > 2001:500:12::d0d.22528: UDP, length 44
14:14:47.494162 IP6 2001:db8::dd95:3307:79b2:a757.50430 > 2001:500:a8::e.22528: UDP, length 40
14:14:47.494227 IP6 2001:db8::dd95:3307:79b2:a757.52990 > 2001:500:a8::e.22528: UDP, length 44
14:14:48.293133 IP6 2001:db8::dd95:3307:79b2:a757.65477 > 2001:500:2::c.22528: UDP, length 40
14:14:48.293193 IP6 2001:db8::dd95:3307:79b2:a757.56427 > 2001:500:2::c.22528: UDP, length 44
14:14:49.098652 IP6 2001:db8::dd95:3307:79b2:a757.52036 > 2001:7fe::53.22528: UDP, length 40
14:14:49.098657 IP6 2001:db8::dd95:3307:79b2:a757.57507 > 2001:7fe::53.22528: UDP, length 44
14:14:49.387142 IP6 2001:7fe::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable port, 2001:7fe::53 udp port 22528, length 96
14:14:49.389655 IP6 2001:db8::dd95:3307:79b2:a757.56323 > 2001:500:2d::d.22528: UDP, length 40
14:14:49.391518 IP6 2001:7fe::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable port, 2001:7fe::53 udp port 22528, length 100
14:14:49.393828 IP6 2001:db8::dd95:3307:79b2:a757.58548 > 2001:500:2d::d.22528: UDP, length 44
14:14:49.738700 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 96
14:14:49.738703 IP6 2001:500:2d::d > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2d::d, length 100
14:14:49.741381 IP6 2001:db8::dd95:3307:79b2:a757.51603 > 2001:dc3::35.22528: UDP, length 40
14:14:49.742342 IP6 2001:db8::dd95:3307:79b2:a757.62064 > 2001:dc3::35.22528: UDP, length 44
14:14:50.028567 IP6 2001:db8::dd95:3307:79b2:a757.54010 > 2001:503:ba3e::2:30.22528: UDP, length 40
14:14:50.032344 IP6 2001:db8::dd95:3307:79b2:a757.57140 > 2001:503:ba3e::2:30.22528: UDP, length 44
14:14:51.632386 IP6 2001:db8::dd95:3307:79b2:a757.62432 > 2001:503:c27::2:30.22528: UDP, length 40
14:14:51.633743 IP6 2001:db8::dd95:3307:79b2:a757.52796 > 2001:503:c27::2:30.22528: UDP, length 44
14:14:52.433507 IP6 2001:db8::dd95:3307:79b2:a757.57194 > 2001:500:2f::f.22528: UDP, length 40
14:14:52.435105 IP6 2001:db8::dd95:3307:79b2:a757.57332 > 2001:500:2f::f.22528: UDP, length 44
14:14:52.785775 IP6 2001:500:2f::f > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2f::f, length 96
14:14:52.785777 IP6 2001:500:2f::f > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:2f::f, length 100
14:14:52.788686 IP6 2001:db8::dd95:3307:79b2:a757.56104 > 2001:7fd::1.22528: UDP, length 40
14:14:52.790032 IP6 2001:db8::dd95:3307:79b2:a757.63639 > 2001:7fd::1.22528: UDP, length 44
14:14:53.590397 IP6 2001:db8::dd95:3307:79b2:a757.49935 > 2001:500:1::53.22528: UDP, length 40
14:14:53.591765 IP6 2001:db8::dd95:3307:79b2:a757.51261 > 2001:500:1::53.22528: UDP, length 44
14:14:53.899327 IP6 2001:500:1::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:1::53, length 96
14:14:53.901268 IP6 2001:db8::dd95:3307:79b2:a757.63685 > 2001:500:9f::42.22528: UDP, length 40
14:14:53.903900 IP6 2001:500:1::53 > 2001:db8::dd95:3307:79b2:a757: ICMP6, destination unreachable, unreachable prohibited 2001:500:1::53, length 100
14:14:53.905799 IP6 2001:db8::dd95:3307:79b2:a757.65415 > 2001:500:9f::42.22528: UDP, length 44
14:14:54.703154 IP 10.53.0.3.51029 > 192.112.36.4.22528: UDP, length 40
14:14:54.706836 IP 10.53.0.3.55439 > 192.112.36.4.22528: UDP, length 44
14:14:55.504100 IP 10.53.0.3.55189 > 192.203.230.10.22528: UDP, length 40
14:14:55.507006 IP 10.53.0.3.58642 > 192.203.230.10.22528: UDP, length 44
14:14:56.304511 IP 10.53.0.3.57332 > 192.33.4.12.22528: UDP, length 40
14:14:56.306906 IP 10.53.0.3.52885 > 192.33.4.12.22528: UDP, length 44
14:14:56.702817 IP6 2001:db8::dd95:3307:79b2:a757.58720 > 2001:dc3::35.22528: UDP, length 52
14:14:56.704920 IP6 2001:db8::dd95:3307:79b2:a757.58724 > 2001:dc3::35.22528: UDP, length 40
14:14:56.989852 IP 10.53.0.3.49521 > 198.97.190.53.22528: UDP, length 52
14:14:56.996419 IP 10.53.0.3.62798 > 198.97.190.53.22528: UDP, length 40
14:14:57.792313 IP 10.53.0.3.59871 > 192.36.148.17.22528: UDP, length 52
14:14:57.797732 IP 10.53.0.3.55832 > 192.36.148.17.22528: UDP, length 40
14:14:58.593691 IP 10.53.0.3.54120 > 192.58.128.30.22528: UDP, length 52
14:14:58.597465 IP 10.53.0.3.53031 > 192.58.128.30.22528: UDP, length 40
14:14:59.397363 IP 10.53.0.3.49693 > 192.5.5.241.22528: UDP, length 40
14:15:00.198845 IP 10.53.0.3.55721 > 193.0.14.129.22528: UDP, length 40
14:15:01.803908 IP 10.53.0.3.50201 > 199.7.83.42.22528: UDP, length 40
14:15:02.605161 IP 10.53.0.3.57539 > 198.41.0.4.22528: UDP, length 40
14:15:03.405587 IP 10.53.0.3.65518 > 199.7.91.13.22528: UDP, length 40
14:15:04.206238 IP6 2001:db8::dd95:3307:79b2:a757.61835 > 2001:500:2::c.22528: UDP, length 40
14:15:05.007629 IP6 2001:db8::dd95:3307:79b2:a757.62904 > 2001:500:a8::e.22528: UDP, length 40
14:15:05.809837 IP6 2001:db8::dd95:3307:79b2:a757.55970 > 2001:500:12::d0d.22528: UDP, length 40
14:15:06.609019 IP 10.53.0.3.51541 > 202.12.27.33.22528: UDP, length 40
PASS: nsupdate
```

March 2024 (9.16.49, 9.16.49-S1, 9.18.25, 9.18.25-S1, 9.19.22)
Tom Krizek

https://gitlab.isc.org/isc-projects/bind9/-/issues/4441
Make LRU memory-based cache cleaning compatible with ECS cache
2023-12-20T15:19:05Z
Greg Choules

The structure of ECS cache means that non-ECS RRsets will tend to be preferred over ECS RRsets when LRU (Least Recently Used) cache cleaning is initiated when a cache size reaches configured max-cache-size.
Essentially, LRU maintains a list of nodes as potential early-expire candidates based on when they were last accessed. When a node is accessed by a client query it drops to the bottom of the list. When named needs to expire some content early, in order to make room for more, it picks the node from the top of the list.
Enter ECS cache. Here we have, sitting attached to a single node, another dimension of variable size, depending on the range of clients querying for the same name where ECS has been enabled and also depending on the effective prefix size for the scoped RRsets sitting there. Every time we access that node to pull out (or add) an RRset, we move the node to the end of the LRU list. If there are a lot of different RRsets being maintained, even though some of them individually would have been candidates for LRU deletion, newer access/additions to the node will move it back to the bottom of the LRU list.
The outcome is that under cache memory pressure, we could end up expiring most of the other (usable!) cache content but never removing the older ECS-scoped content that has created the memory pressure in the first place. This could lead to:
1. Cache thrash and poor performance due to repeated adds and deletions of some important cache content.
2. Worst case - we seldom manage to complete the series of fetches needed to populate cache with the RRsets needed to answer a client query because the content is vanishing as fast as we put it in there.
3. Very worst case - we don't manage to prime the roots because as fast as we do, they're LRU-expiring again (or some other problem with getting them into cache to be used).
The mitigation (as it is anyway, for sites whose caches are over-constrained by max-cache-size) is to make sure that max-cache-size is large enough to prevent reaching the limit, other than exceptionally.
ECS cache, however, is much more vulnerable to becoming unusable under cache memory pressure because of the way that the ECS-scoped content drives up cache memory use but then fails to be managed effectively by LRU-cleaning, so we end up with 'islands' of untouched ECS cache and nothing much else.
We do need to fix this, but (perhaps) also make recommendations to users of ECS that they must increase max-cache-size when enabling ECS and then monitor, since reaching max-cache-size could be bad for their resolvers because cache cleaning in that situation is not as effective as for non-ECS caches.
Similarly we need to cater for multiple RDATA types for the same name being cached at the same node, since those are subject to the same problem, although mostly to a much lesser degree.
Relates to (now closed) Support case 00001412 [Single View broken](https://isc.lightning.force.com/lightning/r/Case/5007V00002ZSjxdQAD/view)

December 2023 (9.18.21, 9.18.21-S1, 9.19.19)

https://gitlab.isc.org/isc-projects/bind9/-/issues/4436
nsupdate segfaults in tsiggss on FreeBSD 14
2024-03-22T12:19:44Z
Michal Nowak

`nsupdate` segfaults in the `tsiggss` system test on FreeBSD 14.0 on ~"v9.18" and ~"v9.16".
Here's a first crash in the system test. There are several more crashes afterward.
```
2023-11-15 12:20:53,799 INFO:tsiggss I:tsiggss_tmp_dk09tbmf:testing updates to testdc1 as administrator (1)
2023-11-15 12:20:53,800 INFO:tsiggss I:tsiggss_tmp_dk09tbmf:testing update for testdc1.example.nil. A 86400 A 10.53.0.10
2023-11-15 12:20:53,840 INFO:tsiggss Segmentation fault (core dumped)
2023-11-15 12:20:53,841 INFO:tsiggss I:tsiggss_tmp_dk09tbmf:update failed for testdc1.example.nil. A 86400 A 10.53.0.10
2023-11-15 12:20:53,841 INFO:tsiggss I:Reply from SOA query:
2023-11-15 12:20:53,841 INFO:tsiggss I:;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47069
2023-11-15 12:20:53,842 INFO:tsiggss I:;; flags: qr aa; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
2023-11-15 12:20:53,842 INFO:tsiggss I:;; QUESTION SECTION:
2023-11-15 12:20:53,842 INFO:tsiggss I:;testdc1.example.nil. IN SOA
2023-11-15 12:20:53,842 INFO:tsiggss I:
2023-11-15 12:20:53,842 INFO:tsiggss I:;; AUTHORITY SECTION:
2023-11-15 12:20:53,842 INFO:tsiggss I:example.nil. 0 IN SOA blu.example.nil. hostmaster.example.nil. 2010113027 172800 14400 3628800 604800
2023-11-15 12:20:53,842 INFO:tsiggss I:
2023-11-15 12:20:53,842 INFO:tsiggss I:Found zone name: example.nil
2023-11-15 12:20:53,842 INFO:tsiggss I:The primary is: blu.example.nil
2023-11-15 12:20:53,843 INFO:tsiggss I:start_gssrequest
2023-11-15 12:20:53,843 INFO:tsiggss I:Found realm from ticket: EXAMPLE.NIL
2023-11-15 12:20:53,843 INFO:tsiggss I:tsiggss_tmp_dk09tbmf:failed
```
Sample `nsupdate` backtrace:
```
Core was generated by `/root/bind9/bin/nsupdate/.libs/nsupdate -g -d ns1/update.txt'.
Program terminated with signal SIGSEGV, Segmentation fault.
Address not mapped to object.
#0 0x00000008316a1a0f in EVP_Cipher () from /lib/libcrypto.so.30
[Current thread is 1 (LWP 188477)]
#0 0x00000008316a1a0f in EVP_Cipher () from /lib/libcrypto.so.30
#1 0x000000082e96f4b6 in ?? () from /usr/lib/libkrb5.so.11
#2 0x000000082e973ac8 in krb5_encrypt_ivec () from /usr/lib/libkrb5.so.11
#3 0x000000082e973de5 in krb5_encrypt () from /usr/lib/libkrb5.so.11
#4 0x000000082e9675bf in _krb5_build_authenticator () from /usr/lib/libkrb5.so.11
#5 0x000000082dcff3f6 in ?? () from /usr/lib/libgssapi_krb5.so.10
#6 0x000000082dcfed0b in _gsskrb5_init_sec_context () from /usr/lib/libgssapi_krb5.so.10
#7 0x000000082d95bd4f in gss_init_sec_context () from /usr/lib/libgssapi.so.10
#8 0x000000083ed613b6 in ?? () from /usr/lib/libgssapi_spnego.so.10
#9 0x000000083ed5f5c0 in _gss_spnego_indicate_mechtypelist () from /usr/lib/libgssapi_spnego.so.10
#10 0x000000083ed607ee in _gss_spnego_init_sec_context () from /usr/lib/libgssapi_spnego.so.10
#11 0x000000082d95bd4f in gss_init_sec_context () from /usr/lib/libgssapi.so.10
#12 0x0000000822a308e5 in dst_gssapi_initctx (name=<optimized out>, intoken=intoken@entry=0x0, outtoken=outtoken@entry=0x83d56d700, gssctx=0x83d56e218, mctx=0x1aef866b3000, err_message=0x83d56e200) at gssapictx.c
#13 0x0000000822b0c9af in dns_tkey_buildgssquery (msg=0x1aef87203a80, name=0x2130e0 <fkname>, gname=0x1aef87234300, gname@entry=0x83d56d7a0, intoken=0x1aef872700f0, intoken@entry=0x0, lifetime=lifetime@entry=0, context=0xcf, context@entry=0x83d56e218, win2k=<optimized out>, mctx=0x1aef866b3000, err_message=0x83d56e200) at tkey.c
#14 0x000000000020e790 in start_gssrequest (primary=primary@entry=0x83d56e730) at nsupdate.c
#15 0x000000000020e33c in recvsoa (task=<optimized out>, event=0x0) at nsupdate.c
#16 0x0000000821c68370 in task_run (task=0x1aef8665c140) at task.c
#17 isc_task_run (task=0x1aef8665c140) at task.c
#18 0x0000000821c38689 in isc__nm_async_task (worker=worker@entry=0x1aef866d0000, ev0=0x1aef872700f0, ev0@entry=0x1aef8721c480) at netmgr/netmgr.c
#19 0x0000000821c32ec6 in process_netievent (worker=worker@entry=0x1aef866d0000, ievent=ievent@entry=0x1aef8721c480) at netmgr/netmgr.c
#20 0x0000000821c384f2 in process_queue (worker=worker@entry=0x1aef866d0000, type=type@entry=NETIEVENT_TASK) at netmgr/netmgr.c
#21 0x0000000821c2e6bd in process_all_queues (worker=0x1aef866d0000) at netmgr/netmgr.c
#22 async_cb (handle=0x1aef866d02d8) at netmgr/netmgr.c
#23 0x0000000829b3c871 in ?? () from /usr/local/lib/libuv.so.1
#24 0x0000000829b4e0fd in ?? () from /usr/local/lib/libuv.so.1
#25 0x0000000829b3ce60 in uv_run () from /usr/local/lib/libuv.so.1
#26 0x0000000821c2e7ab in nm_thread (worker0=0x1aef866d0000) at netmgr/netmgr.c
#27 0x0000000821c70e46 in isc__trampoline_run (arg=0x1aef8662bb90) at trampoline.c
#28 0x00000008376e0a75 in ?? () from /lib/libthr.so.3
#29 0x0000000000000000 in ?? ()
```
```
BIND 9.18.21-dev (Extended Support Version) <id:ed78bc4>
running on FreeBSD amd64 14.0-RC2 FreeBSD 14.0-RC2 #0 releng/14.0-n265317-1d2ff5639925: Fri Oct 20 06:17:03 UTC 2023 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC
built by make with '--disable-maintainer-mode' '--enable-developer' '--enable-option-checking=fatal' '--enable-dnstap' '--with-cmocka' '--with-libxml2' '--with-json-c' '--with-readline=libedit'
compiled by CLANG FreeBSD Clang 16.0.6 (https://github.com/llvm/llvm-project.git llvmorg-16.0.6-0-g7cbf1a259152)
compiled with OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
linked to OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
compiled with libuv version: 1.46.0
linked to libuv version: 1.46.0
compiled with libnghttp2 version: 1.57.0
linked to libnghttp2 version: 1.57.0
compiled with libxml2 version: 2.10.4
linked to libxml2 version: 21004
compiled with json-c version: 0.17
linked to json-c version: 0.17
compiled with zlib version: 1.3
linked to zlib version: 1.3
linked to maxminddb version: 1.7.1
compiled with protobuf-c version: 1.4.1
linked to protobuf-c version: 1.4.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /usr/local/etc/named.conf
rndc configuration: /usr/local/etc/rndc.conf
DNSSEC root key: /usr/local/etc/bind.keys
nsupdate session key: /usr/local/var/run/named/session.key
named PID file: /usr/local/var/run/named/named.pid
named lock file: /usr/local/var/run/named/named.lock
geoip-directory: /usr/local/share/GeoIP
```
```
checking for krb5-config... /usr/bin/krb5-config
checking for gssapi libraries... -I/usr/include -L/usr/lib -lgssapi -lgssapi_krb5 -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lwind -lheimbase -lroken -lcrypt -pthread
checking for gssapi/gssapi.h... yes
checking for gssapi/gssapi_krb5.h... yes
checking for gssapi_krb5.h... no
checking for gss_acquire_cred... yes
checking for krb5 libraries... -I/usr/include -L/usr/lib -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lwind -lheimbase -lroken -lcrypt -pthread
checking for krb5/krb5.h... no
checking for krb5.h... yes
checking for krb5_init_context... yes
```
[pytest.log.txt](/uploads/ca1a092b91023024d1c3215295837dd2/pytest.log.txt)
[core.43134-backtrace.txt](/uploads/dab5cd198e0e09345030257576a91602/core.43134-backtrace.txt)
[core.43041-backtrace.txt](/uploads/f40e49e3120623d207cd0ed5b8e93d0b/core.43041-backtrace.txt)
[core.44009-backtrace.txt](/uploads/c7c66927be73250c875443cdb6c70802/core.44009-backtrace.txt)
[core.43922-backtrace.txt](/uploads/e82cfe048701645b83c74af46773e7e1/core.43922-backtrace.txt)
[core.43252-backtrace.txt](/uploads/fdfe3109fd5b13b2f9b06f22ce0da585/core.43252-backtrace.txt)
[core.43094-backtrace.txt](/uploads/9c4a6c1e2e03753c9e71cbb5b7465ff8/core.43094-backtrace.txt)
[core.42986-backtrace.txt](/uploads/c964412aa69ad3fede8fb6cf8c9c1b5d/core.42986-backtrace.txt)
[core.42931-backtrace.txt](/uploads/6402826262a2210df3fc0bb39857813e/core.42931-backtrace.txt)
[nsupdate.out6](/uploads/bdda0082ecfb34190cec4e83a9c3f1d1/nsupdate.out6)
[nsupdate.out5](/uploads/df1a9bbff55030ce6093fea3750f08f0/nsupdate.out5)
[nsupdate.out8](/uploads/58f94412f56d2136472a3305f1b0f573/nsupdate.out8)
[nsupdate.out7](/uploads/28aa35d4d517296581d05630cae16b7d/nsupdate.out7)
[nsupdate.out4](/uploads/9ec2300228db0bf43e29609b88bfef9a/nsupdate.out4)
[nsupdate.out3](/uploads/4fcbf78e8cb9e5a356618123d0e97941/nsupdate.out3)
[nsupdate.out2](/uploads/46b5c9ce602f9bb99cb1673e72ab879d/nsupdate.out2)
[nsupdate.out11](/uploads/cb41ad3685b8d0f31315a5da05308044/nsupdate.out11)
[nsupdate.out10](/uploads/c1f8cbe2f93700b395ee9547658c66cd/nsupdate.out10)
[nsupdate.out1](/uploads/f77767f9b3e2d067f15bc1b121bd56cf/nsupdate.out1)

December 2023 (9.18.21, 9.18.21-S1, 9.19.19)

https://gitlab.isc.org/isc-projects/bind9/-/issues/4433
Supplied Buffer Too Large in wire_test.c
2023-12-06T18:22:03Z
Eric Sesterhenn

The code in wire_test.c does provide a 64*1024 buffer to dns_message_renderbegin(). This might trigger an error in a corner case, where the code is expecting to receive buffers that are not larger than 65536 bytes.
~~~
if (result != ISC_R_SUCCESS) {
    INSIST(st.used < 65536);
    dns_compress_rollback(
        msg->cctx, (uint16_t)st.used);
    *(msg->buffer) = st; /* rollback */
    msg->buffer->length += msg->reserved;
    msg->counts[sectionid] += total;
    maybe_clear_ad(msg, sectionid);
    return (result);
}
~~~

December 2023 (9.18.21, 9.18.21-S1, 9.19.19)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/4432
Pointers Dereferenced before Being Checked
2023-12-06T18:27:45Z
Eric Sesterhenn

In several places pointers are dereferenced before being checked against NULL. In the listing, the pointer mgr is dereferenced to assign worker and then checked for validity, which includes a NULL pointer check. In case mgr is NULL, invalid memory is getting read which likely leads to a crash instead of a more controlled abort.
~~~
void
isc_nm_streamdnsconnect(isc_nm_t *mgr, isc_sockaddr_t *local,
                        isc_sockaddr_t *peer, isc_nm_cb_t cb, void *cbarg,
                        unsigned int timeout, isc_tlsctx_t *ctx,
                        isc_tlsctx_client_session_cache_t *client_sess_cache) {
    isc_nmsocket_t *nsock = NULL;
    isc__networker_t *worker = &mgr->workers[isc_tid()];
    REQUIRE(VALID_NM(mgr));
~~~
Similar code exists in isc_nm_listenstreamdns(), isc_nm_tcpconnect(), isc_nm_listentls(), isc_nm_tlsconnect(), isc_nm_tcpconnect() and isc_nm_udpconnect(). sock is used in a similar pattern in isc__nm_udp_send(). The stats pointer in dns_dnssecsignstats_increment() and dns_dnssecsignstats_clear() is accessed in the same way.

December 2023 (9.18.21, 9.18.21-S1, 9.19.19)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/4425
Current level of tcp-clients missing from statistics channel
2024-03-07T22:44:04Z
Darren Ankney

The current level of `tcp-clients` from `rndc status` as shown in this screen shot:
![my-test-server-rndc-status](/uploads/da8dfd7a94ae169a17003a006014e2b6/my-test-server-rndc-status.png)
Is not included in the json, nor xml output from the statistics channel. Only `TCPConnHighWater` is included, which reports the max simultaneous TCP connections that existed at some point since BIND was started. The current level is not exposed anywhere in the stats channel that I could find. It is exposed, however, in `rndc status` as shown above. It seems reasonable that this statistic should be exposed for monitoring in the stats channel.
[SF1419](https://isc.lightning.force.com/lightning/r/Case/5007V00002Zh7IyQAJ/view)

March 2024 (9.16.49, 9.16.49-S1, 9.18.25, 9.18.25-S1, 9.19.22)
Aydın Mercan

https://gitlab.isc.org/isc-projects/bind9/-/issues/4423
named starts up slow when many zones reference the same dnssec-policy
2024-02-24T07:54:22Z
Matthijs Mekking, matthijs@isc.org

While rolling out KASP to many zones, it is more efficient to use more DNSSEC policies in order to improve reload/reconfig times.
When all zones are referenced by the same `dnssec-policy`, it takes quite some time to process all zones after reload/reconfig and CPU usage of the named process remains at 100% and it takes quite a few minutes for named to start responding to queries after such a reload/reconfig request.
When spreading my zones to 10 identical policies, CPU usage goes well above 100% (using more threads I assume) and this is speeding things up really nice.

May 2024 (9.18.27, 9.18.27-S1, 9.19.24)
Matthijs Mekking, matthijs@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/issues/4421
Remove support for AES-based DNS cookies and AES implementation
2023-12-06T18:12:06Z
Eric Sesterhenn

The legacy support for AES-based DNS cookies should go, which will resolve the following:
> The functions `isc_aes256_crypt()` and `isc_aes192_crypt()` in `lib/isc/aes.c` have no callers besides test code and should be removed.

as we are going to remove the AES implementation in libisc completely.

December 2023 (9.18.21, 9.18.21-S1, 9.19.19)

https://gitlab.isc.org/isc-projects/bind9/-/issues/4417
Stale hyperlinks in the ARM
2023-12-04T10:02:12Z
Matthijs Mekking, matthijs@isc.org

From bind-users:
https://bind9.readthedocs.io/en/v9.18.19/dnssec-guide.html
there's a link to
https://stats.research.icann.org/dns/tld_report/
which is no longer valid. New data seems to be here:
https://ithi.research.icann.org/
ITHI == identifier technologies health indicators
how many TLDs support DNSSEC?
https://ithi.research.icann.org/graph-m7.html

December 2023 (9.18.21, 9.18.21-S1, 9.19.19)
Petr Špaček, pspacek@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/issues/4413
Add RESINFO (261) type to named
2024-03-20T13:50:45Z
Mark Andrews

It's a singleton, TXT clone. https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/

March 2024 (9.16.49, 9.16.49-S1, 9.18.25, 9.18.25-S1, 9.19.22)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/4406
cleanup 'b' in dnstap-read main
2023-11-07T10:27:34Z
Mark Andrews

'b' is unused.

November 2023 (9.16.45, 9.16.45-S1, 9.18.20, 9.18.20-S1, 9.19.18)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/4405
deprecate/remove resolver-nonbackoff-tries, resolver-retry-interval
2023-12-08T12:18:01Z
Evan Hunt

These options were added to `named` at the same time as serve-stale support. I suspect they were meant to be used for testing, but they weren't documented as test-only options (or, really, as anything else either - see #1687).
They are not, in fact, used in any of the system tests, and I can't think of a reason one would want to modify them in production. I suggest we remove them as of 9.20.

December 2023 (9.18.21, 9.18.21-S1, 9.19.19)
Evan Hunt

https://gitlab.isc.org/isc-projects/bind9/-/issues/4404
Unexpected partial use of jemalloc by BIND (tested on 9.18.19-S1)
2024-03-08T05:26:15Z
Cathy Almond

### Summary
As reported in case SF#1428:
====
I've been trying to use jemalloc to build BIND 9.18.x, and noticed something a bit awkward that might not be intentional.
I've manually installed jemalloc 5.3.0, and then built BIND 9.18.19-S1 with --with-jemalloc (which shouldn't be necessary but I wanted to make it explicit). It's indeed linked with libjemalloc:
```
root@c45a8371918a:/tmp/bind-9.18.19-S1# ldd bin/named/.libs/named
linux-vdso.so.1 (0x00007ffcb6bfe000)
libisc-9.18.19-S1.so => /usr/local/lib/libisc-9.18.19-S1.so (0x00007f6052fc6000)
libdns-9.18.19-S1.so => /usr/local/lib/libdns-9.18.19-S1.so (0x00007f6052b9f000)
libns-9.18.19-S1.so => /usr/local/lib/libns-9.18.19-S1.so (0x00007f605294e000)
libisccc-9.18.19-S1.so => /usr/local/lib/libisccc-9.18.19-S1.so (0x00007f6052745000)
libisccfg-9.18.19-S1.so => /usr/local/lib/libisccfg-9.18.19-S1.so (0x00007f605250f000)
libbind9-9.18.19-S1.so => /usr/local/lib/libbind9-9.18.19-S1.so (0x00007f60522f8000)
libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f6051e2d000)
libcap.so.2 => /lib/x86_64-linux-gnu/libcap.so.2 (0x00007f6051c27000)
libuv.so.1 => /usr/lib/x86_64-linux-gnu/libuv.so.1 (0x00007f6051a01000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f60517e4000)
libjson-c.so.3 => /lib/x86_64-linux-gnu/libjson-c.so.3 (0x00007f60515d9000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f60513ba000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6050fc9000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f6050dc1000)
libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f6050b34000)
libjemalloc.so.2 => /usr/local/lib/libjemalloc.so.2 (0x00007f6050675000)
[...]
```
I then confirmed the call to malloc() in isc__trampoline_attach is the one defined in the standard libc (see the attached file). That seems to defeat the intent of this malloc call described in the comment:
```
/*
* Ensure every thread starts with a malloc() call to prevent memory
* bloat caused by a jemalloc quirk. While this dummy allocation is
* not used for anything, free() must not be immediately called for it
* so that an optimizing compiler does not strip away such a pair of
* malloc() + free() calls altogether, as it would foil the fix.
*/
```
I suspect this is because libc is seemingly loaded before libjemalloc (as shown in the above ldd output), and so libc's malloc is first found and used. isc_mem_xxx still uses jemalloc since it calls jemalloc's custom functions. Also, if I set LD_PRELOAD to /usr/local/lib/libjemalloc.so to run named, malloc defined in jemalloc is used in isc__trampoline_attach (and apparently anywhere else).
Now my question is: is this behavior intentional? I'm actually planning to set LD_PRELOAD for some other reasons, but if the current behavior is intentional (i.e., using libc's malloc/free etc for anywhere else than isc_mem_xxx), is there a reason why I "should not" set LD_PRELOAD?
### BIND version used
9.18.19-S1
### Steps to reproduce
See above
### What is the current *bug* behavior?
See above
### What is the expected *correct* behavior?
See above
### Relevant configuration files
See above
### Relevant logs and/or screenshots
See above
### Possible fixes
See above

November 2023 (9.16.45, 9.16.45-S1, 9.18.20, 9.18.20-S1, 9.19.18)
Michał Kępień

https://gitlab.isc.org/isc-projects/bind9/-/issues/4402
Change system tests to not use dnssec-validation auto
2024-01-08T17:22:40Z
Matthijs Mekking, matthijs@isc.org

It breaks all tests when root key rolls.

January 2024 (9.16.46, 9.16.46-S1, 9.18.22, 9.18.22-S1, 9.19.20) (❗RECALLED❗)
Mark Andrews