BIND issues
https://gitlab.isc.org/isc-projects/bind9/-/issues
2019-03-22T07:10:18Z

https://gitlab.isc.org/isc-projects/bind9/-/issues/913
ARM inconsistent: 'allow-update' can only be set per-zone, not in 'options'
2019-03-22T07:10:18Z
Ghost User

<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### Summary
BIND 9.13 ARM seems to be inconsistent regarding which clauses can contain 'allow-update'. It lists 'allow-update' as a possible statement in the 'options' clause [1], but further down excludes it from it in the detailed description of the statement. (It broke a formerly working named.conf in an update from 9.13.5-4 to 9.13.7-1 on Arch Linux. The statement was part of the named.conf that still is delivered by the distribution.)
[1] https://ftp.isc.org/isc/bind9/cur/9.13/doc/arm/Bv9ARM.ch05.html#options_grammar
### BIND version used
9.13.7-1
### Steps to reproduce
'allow-update' statement in options clause of named.conf
### What is the current *bug* behavior?
Inconsistent documentation

BIND 9.14.1

https://gitlab.isc.org/isc-projects/bind9/-/issues/965
delv prints weird TTL values
2019-04-10T05:24:46Z
Anand Buddhdev

### Summary
The delv utility prints very large and weird-looking TTLs when the queried zone is unsigned.
### BIND version used
```
BIND 9.14.0 (Stable Release) <id:90df20a>
running on Darwin x86_64 18.5.0 Darwin Kernel Version 18.5.0: Mon Mar 11 20:40:32 PDT 2019; root:xnu-4903.251.3~3/RELEASE_X86_64
built by make with '--prefix=/usr/local/Cellar/bind/9.14.0_2' '--enable-threads' '--enable-ipv6' '--with-openssl=/usr/local/opt/openssl' '--with-libjson=/usr/local/opt/json-c' '--with-python=/usr/local/opt/python/bin/python3' '--with-python-install-dir=/usr/local/Cellar/bind/9.14.0_2/libexec/vendor/lib/python3.7/site-packages' 'CC=clang' 'PKG_CONFIG_PATH=/usr/local/opt/json-c/lib/pkgconfig:/usr/local/opt/openssl/lib/pkgconfig:/usr/local/opt/readline/lib/pkgconfig:/usr/local/opt/sqlite/lib/pkgconfig:/usr/local/opt/xz/lib/pkgconfig:/usr/local/opt/python/lib/pkgconfig' 'PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig:/usr/local/Homebrew/Library/Homebrew/os/mac/pkgconfig/10.14'
compiled by CLANG 4.2.1 Compatible Apple LLVM 10.0.0 (clang-1000.11.45.5)
compiled with OpenSSL version: OpenSSL 1.0.2r 26 Feb 2019
linked to OpenSSL version: OpenSSL 1.0.2r 26 Feb 2019
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
threads support is enabled
default paths:
named configuration: /usr/local/Cellar/bind/9.14.0_2/etc/named.conf
rndc configuration: /usr/local/Cellar/bind/9.14.0_2/etc/rndc.conf
DNSSEC root key: /usr/local/Cellar/bind/9.14.0_2/etc/bind.keys
nsupdate session key: /usr/local/Cellar/bind/9.14.0_2/var/run/named/session.key
named PID file: /usr/local/Cellar/bind/9.14.0_2/var/run/named/named.pid
named lock file: /usr/local/Cellar/bind/9.14.0_2/var/run/named/named.lock
```
### Steps to reproduce
Run "delv google.com mx"
### What is the current *bug* behavior?
I see this:
```
; unsigned answer
google.com. 3200171710 IN MX 10 aspmx.l.google.com.
google.com. 3200171710 IN MX 20 alt1.aspmx.l.google.com.
google.com. 3200171710 IN MX 30 alt2.aspmx.l.google.com.
google.com. 3200171710 IN MX 40 alt3.aspmx.l.google.com.
google.com. 3200171710 IN MX 50 alt4.aspmx.l.google.com.
```
### What is the expected *correct* behavior?
I expect to see the correct TTL of 600 (or less) (as shown by dig):
```
;; ANSWER SECTION:
google.com. 295 IN MX 50 alt4.aspmx.l.google.com.
google.com. 295 IN MX 10 aspmx.l.google.com.
google.com. 295 IN MX 40 alt3.aspmx.l.google.com.
google.com. 295 IN MX 20 alt1.aspmx.l.google.com.
google.com. 295 IN MX 30 alt2.aspmx.l.google.com.
```
### Relevant configuration files
n/a
### Relevant logs and/or screenshots
n/a
### Possible fixes
don't know

https://gitlab.isc.org/isc-projects/bind9/-/issues/967
Bind 9.11 Windows still requires msvcr110.dll for Bind to run
2020-04-21T08:20:18Z
Ghost User

### Summary
I noticed this on two of my servers details below. After installing Bind which also installs the Redistribute C++ 2017 x64.
named.exe would fail to start any of the exe files in the bin directory. It would popup saying msvcr110.dll was missing.
To fix this issue requires install of Visual C++ Redistribute for Visual Studio 2012 Update 4
### BIND version used
BIND 9.11.5-P4 (Extended Support Version)
### Steps to reproduce
Windows 2012 R2 Standard 64bit
### What is the current *bug* behavior?
named.exe doesn't run, it pops up a dialog saying MSVCR110.dll is missing
This occurs with any of the exe files in the bin folder when clicked on.
Example event viewer log
```
Faulting application name: named.exe, version: 0.0.0.0, time stamp: 0x5c58e77f
Faulting module name: MSVCR110.dll, version: 6.3.9600.19304, time stamp: 0x5c7f684f
Exception code: 0xc0000135
Fault offset: 0x00000000000ecf30
Faulting process id: 0x1528
Faulting application start time: 0x01d4e5dd7aa5623c
Faulting application path: c:\dns\bin\named.exe
Faulting module path: MSVCR110.dll
Report Id: b8604015-51d0-11e9-80e4-00163c261937
Faulting package full name:
Faulting package-relative application ID:
```
### What is the expected *correct* behavior?
Either make the build not require MSVCR110.dll or make the redistribute package for 2011 for Visual C++ be checked for/installed
### Relevant configuration files
(Paste any relevant configuration files - please use code blocks (```)
to format console output. If submitting the contents of your
configuration file in a non-confidential Issue, it is advisable to
obscure key secrets: this can be done automatically by using
`named-checkconf -px`.)
### Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console
output, logs, and code, as it's very hard to read otherwise.)
### Possible fixes
(If you can, link to the line of code that might be responsible for the
problem.)

February 2020 (9.11.16, 9.14.11, 9.16.0, 9.16.0-S)
Michał Kępień

https://gitlab.isc.org/isc-projects/bind9/-/issues/971
DNS_CLIENTINFOMETHODS_VERSION bump to version 2 not merged in v9_11_sub
2019-04-09T19:29:29Z
Ondřej Surý

Somewhere in the process of merging stuff to 9.11-S we failed to merge bump of DNS_CLIENTINFOMETHODS_VERSION to version 2 and that's causing DLZ modules to fail to process source IP address in the S-edition.

BIND 9.11.6-S1
Evan Hunt

https://gitlab.isc.org/isc-projects/bind9/-/issues/973
Deadlock in RPZ update code
2019-04-06T19:23:38Z
Witold Krecicki

In dns_rpz_update_from_db we call setup_update which creates the db iterator and calls dns_dbiterator_first. This unpauses the iterator and might cause db->tree_lock to be acquired. We then do isc_task_send(...) on an event to do quantum_update, which (correctly) after each iteration calls dns_dbiterator_pause, and re-isc_task_sends itself.
That's an obvious bug, as we're holding a lock over an async task send - if a task requesting write (e.g. prune_tree) is scheduled on the same workers queue as update_quantum but before it, it will wait for the write lock indefinitely, resulting in a deadlock.
To fix it we have to pause dbiterator in setup_update.

BIND 9.14.1
Witold Krecicki

https://gitlab.isc.org/isc-projects/bind9/-/issues/1051
[CVE-2019-6476] Bind randomly goes nuts with critical: exiting (due to assertion failure)
2019-10-16T21:10:10Z
Ghost User

**Linux version 4.14.47-64.38.amzn2.x86_64 (gcc version 7.3.1 20180303 (Red Hat 7.3.1-5) (GCC)) #1 SMP**
**bind9.14.2**
general: critical: resolver.c:4908: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed
general: critical: exiting (due to assertion failure)
### Summary
(Summarize the bug encountered concisely.)
### BIND version used
```
BIND 9.14.2 (Stable Release) <id:7a62b30>
running on Linux x86_64 4.14.114-103.97.amzn2.x86_64 #1 SMP Sun Apr 28 03:59:40 UTC 2019
built by make with '-prefix=/var/named' '--enable-threads' '--enable-epoll' '--enable-fetchlimi' '--disable-openssl-version-check' '--with-dlz-filesystem'
compiled by GCC 7.3.1 20180303 (Red Hat 7.3.1-5)
compiled with OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
threads support is enabled
default paths:
named configuration: /var/named/etc/named.conf
rndc configuration: /var/named/etc/rndc.conf
DNSSEC root key: /var/named/etc/bind.keys
nsupdate session key: /var/named/var/run/named/session.key
named PID file: /var/named/var/run/named/named.pid
named lock file: /var/named/var/run/named/named.lock
```
### Steps to reproduce
After the program has been running for some time
### What is the current *bug* behavior?
Bind randomly goes nuts with critical: exiting (due to assertion failure)
### What is the expected *correct* behavior?
(What you should see instead.)
### Relevant configuration files
(Paste any relevant configuration files - please use code blocks (```)
to format console output. If submitting the contents of your
configuration file in a non-confidential Issue, it is advisable to
obscure key secrets: this can be done automatically by using
`named-checkconf -px`.)
### Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console
output, logs, and code, as it's very hard to read otherwise.)
### Possible fixes
(If you can, link to the line of code that might be responsible for the
problem.)
/label ~bug
### Incident tracking page
https://wiki.isc.org/bin/view/Main/SecurityIncidentChecklist20196476QminAndForwarders
October 2019 (9.11.12, 9.14.7, 9.15.5)
Michał Kępień

https://gitlab.isc.org/isc-projects/bind9/-/issues/1064
Adding --enable-pthread-rwlock broke Windows build
2019-06-05T18:29:42Z
Michał Kępień

!1397 broke the Windows build:
https://jenkins.isc.org/view/BIND_Parameterized/job/bind9-parameterized-win2012-x64/306/console
(Here is a build of the same commit as above, but with !1397 reverted: https://jenkins.isc.org/view/BIND_Parameterized/job/bind9-parameterized-win2012-x64/307/console)
This needs to be fixed before 9.15.1 is tagged (i.e. within the next week).

BIND 9.15.1
Witold Krecicki

https://gitlab.isc.org/isc-projects/bind9/-/issues/1082
Detecting conflicts between static and initializing keys is unreliable
2019-06-11T01:56:57Z
Michał Kępień

The code checking for both static keys and initializing keys being configured for the same domain is unreliable because it [calls][1] `isc_symtab_define()` with the `key` parameter pointing to a stack-allocated variable. Meanwhile, symtab docs [say][2]:
> The symbol table library does not make a copy the key field, so the
> caller must ensure that any key it passes to isc_symtab_define() will not
> change until it calls isc_symtab_undefine() or isc_symtab_destroy().
This issue manifests itself e.g. by `named-checkconf` [failing to raise a configuration error][3] for at least some configurations which intentionally contain both static and initializing keys for the same domain (e.g. `bin/tests/system/checkconf/bad-duplicate-key.conf`). If the `namebuf` local variable in `record_static_keys()` has a close, but not identical address as the `namebuf` local variable in `check_initializing_keys()`, lookups for previously defined symtab entries will fail when they should succeed - but this is just one possible failure mode.
The solution here is to ensure what the docs ask the developer to ensure (e.g. use `isc_mem_strdup()` for the keys passed to `isc_symtab_define()` and then clean the copies up properly when `isc_mem_destroy()` is called).
[1]: https://gitlab.isc.org/isc-projects/bind9/blob/90ff5a551aa6ba4340ae45f6ff3a97b3141d8b5c/lib/bind9/check.c#L3288-3289
[2]: https://gitlab.isc.org/isc-projects/bind9/blob/90ff5a551aa6ba4340ae45f6ff3a97b3141d8b5c/lib/isc/include/isc/symtab.h#L45-47
[3]: https://jenkins.isc.org/job/bind9-test-release-tarball/label=fedora-32-latest/22/testReport/junit/bind/system/checkconf/

BIND 9.15.1

https://gitlab.isc.org/isc-projects/bind9/-/issues/1087
RBTDB rrset statistics might have underflow in certain scenarios
2022-02-10T17:21:21Z
Witold Krecicki

September 2020 (9.11.23, 9.11.23-S1, 9.16.7, 9.17.5)

https://gitlab.isc.org/isc-projects/bind9/-/issues/1088
DNSSEC system test succeeds even when one of named processes dumps core
2019-06-18T07:55:21Z
Witold Krecicki

Michał Kępień

https://gitlab.isc.org/isc-projects/bind9/-/issues/1092
Root servers not returning glue in priming queries
2019-06-26T16:15:02Z
Ray Bellis

There are reports from RSOs that they are unable to configure BIND 9.12 and 9.14 to correctly return the required glue in response to a priming query.

https://gitlab.isc.org/isc-projects/bind9/-/issues/1109
zone loading errors can be ignored when reloading inline-signing zones
2019-06-27T22:52:29Z
Evan Hunt

@dmahoney reported an odd error when trying to reload an inline-signing zone with a missing include file. The unsigned zone failed to load (as expected) but then it was still synced over to the signed zone, resulting in a loss of records.
This turns out to be because the result code from the reloading of the unsigned zone file (`ISC_R_FILENOTFOUND`) gets stomped on before we called `zone_postload()`, which then acts as if the reloading was successful and synchronizes the partially-loaded raw zone database into the signed zone database.
Once this error condition occurs there's no way to recover except blow away the signed zone and the unsigned journal and start over again.

BIND 9.15.2
Evan Hunt

https://gitlab.isc.org/isc-projects/bind9/-/issues/1114
GeoIP2 support breaks compilation on Windows
2019-07-03T16:53:20Z
Michał Kępień

```
c:\cygwin64\home\jenkins\workspace\bind9-master-win2012-x64-vs2017\lib\dns\include\dns\geoip.h(110): error C2016: C requires that a struct or union has at least one member [c:\cygwin64\home\jenkins\workspace\bind9-master-win2012-x64-vs2017\lib\ns\win32\libns.vcxproj]
```
https://jenkins.isc.org/job/bind9-master-win2012-x64-vs2017/247/

BIND 9.15.2

https://gitlab.isc.org/isc-projects/bind9/-/issues/1168
[CVE-2019-6476] bind9.14.4,bind9.15.2 also Crash on centos7.6(source dist)
2019-10-16T21:10:17Z
Ghost User

The new version I compiled, it could work for a night, but this morning I found bind9.14.4 stopped its work at Jul 24 09:54:12, bind's log is below:
```
24-Jul-2019 09:54:05.652 queries: client @0x7f23d0029900 172.31.0.254#4157 (dns.weixin.qq.com): view internal: query: dns.weixin.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:06.064 queries: client @0x7f24302f2e90 172.31.0.254#24737 (commdata.v.qq.com): view internal: query: commdata.v.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:06.368 queries: client @0x7f23d800b640 172.31.0.254#39779 (www.w3.org): view internal: query: www.w3.org IN A + (172.31.0.215)
24-Jul-2019 09:54:06.874 queries: client @0x7f242000c490 172.31.0.254#51568 (captive.apple.com): view internal: query: captive.apple.com IN A + (172.31.0.215)
24-Jul-2019 09:54:06.915 queries: client @0x7f243025f910 172.31.0.254#10965 (sngmta.qq.com): view internal: query: sngmta.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:07.379 queries: client @0x7f23d800b640 172.31.0.254#39779 (www.google.com): view internal: query: www.google.com IN A + (172.31.0.215)
24-Jul-2019 09:54:07.527 queries: client @0x7f243029a810 172.31.0.254#24313 (commdata.v.qq.com): view internal: query: commdata.v.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:07.527 queries: client @0x7f24302e42d0 172.31.0.254#6291 (vv.video.qq.com): view internal: query: vv.video.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:07.527 queries: client @0x7f2430377850 172.31.0.254#20463 (sdksp.video.qq.com): view internal: query: sdksp.video.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:07.664 queries: client @0x7f23dc00bbe0 172.31.0.254#51632 (www.baidu.com): view internal: query: www.baidu.com IN A + (172.31.0.215)
24-Jul-2019 09:54:07.742 queries: client @0x7f2430224a10 172.31.0.254#4210 (btrace.qq.com): view internal: query: btrace.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:07.910 queries: client @0x7f243025f910 172.31.0.254#15511 (imgcache.qq.com): view internal: query: imgcache.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:08.390 queries: client @0x7f23d800b640 172.31.0.254#39779 (www.tplink.com): view internal: query: www.tplink.com IN A + (172.31.0.215)
24-Jul-2019 09:54:08.482 queries: client @0x7f241c028c50 172.31.0.254#19129 (mdevstat.qqlive.qq.com): view internal: query: mdevstat.qqlive.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:08.814 queries: client @0x7f2430310610 172.31.0.254#11047 (mazu.3g.qq.com): view internal: query: mazu.3g.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:08.842 queries: client @0x7f24302a93d0 172.31.0.254#43701 (a.root-servers.net): view internal: query: a.root-servers.net IN A + (172.31.0.215)
24-Jul-2019 09:54:09.045 queries: client @0x7f2430386410 172.31.0.254#15492 (connectivitycheck.platform.hicloud.com): view internal: query: connectivitycheck.platform.hicloud.com IN A + (172.31.0.215)
24-Jul-2019 09:54:09.401 queries: client @0x7f23d800b640 172.31.0.254#39779 (www.qq.com): view internal: query: www.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:09.715 queries: client @0x7f243034b510 172.31.0.254#58245 (www.baidu.com): view internal: query: www.baidu.com IN A + (172.31.0.215)
24-Jul-2019 09:54:09.785 queries: client @0x7f243034b510 211.139.181.230#60101 (www.mydomain.com): view external: query: www.mydomain.com IN A -E(0)DCK (172.31.0.215)
24-Jul-2019 09:54:10.412 queries: client @0x7f23d800b640 172.31.0.254#39779 (www.ieee.org): view internal: query: www.ieee.org IN A + (172.31.0.215)
24-Jul-2019 09:54:10.645 queries: client @0x7f23e8010ae0 172.31.0.254#701 (playlog.youku.com): view internal: query: playlog.youku.com IN A + (172.31.0.215)
24-Jul-2019 09:54:10.701 queries: client @0x7f243029a810 172.31.0.254#52441 (mazu-mmgr.3g.qq.com): view internal: query: mazu-mmgr.3g.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:10.923 queries: client @0x7f24302a93d0 172.31.0.254#11208 (clients1.google.com): view internal: query: clients1.google.com IN A + (172.31.0.215)
24-Jul-2019 09:54:11.378 queries: client @0x7f2430301a50 172.31.0.254#53235 (mb.yidianzixun.com): view internal: query: mb.yidianzixun.com IN A + (172.31.0.215)
24-Jul-2019 09:54:11.422 queries: client @0x7f23d800b640 172.31.0.254#39779 (www.w3.org): view internal: query: www.w3.org IN A + (172.31.0.215)
24-Jul-2019 09:54:11.609 queries: client @0x7f2430250d50 172.31.0.254#37700 (staticimg.yidianzixun.com): view internal: query: staticimg.yidianzixun.com IN A + (172.31.0.215)
24-Jul-2019 09:54:11.610 queries: client @0x7f23d801a200 172.31.0.254#56234 (static1.yidianzixun.com): view internal: query: static1.yidianzixun.com IN A + (172.31.0.215)
24-Jul-2019 09:54:11.612 queries: client @0x7f2400029360 172.31.0.254#34401 (static.yidianzixun.com): view internal: query: static.yidianzixun.com IN A + (172.31.0.215)
24-Jul-2019 09:54:11.764 queries: client @0x7f2430de9e20 172.31.0.254#48701 (www.baidu.com): view internal: query: www.baidu.com IN A + (172.31.0.215)
24-Jul-2019 09:54:11.835 queries: client @0x7f23d000b640 172.31.0.254#39876 (www.google.com): view internal: query: www.google.com IN A + (172.31.0.215)
24-Jul-2019 09:54:11.899 queries: client @0x7f24302b7f90 172.31.0.254#63406 (pool.ntp.org): view internal: query: pool.ntp.org IN A + (172.31.0.215)
24-Jul-2019 09:54:12.003 queries: client @0x7f2430242190 172.31.0.254#45255 (oth.str.mdt.qq.com): view internal: query: oth.str.mdt.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:12.003 queries: client @0x7f23d800b640 172.31.0.254#53639 (oth.eve.mdt.qq.com): view internal: query: oth.eve.mdt.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:12.021 queries: client @0x7f2430de9e20 172.31.0.254#47907 (184.123.207.140.in-addr.arpa): view internal: query: 184.123.207.140.in-addr.arpa IN PTR + (172.31.0.215)
24-Jul-2019 09:54:12.028 queries: client @0x7f2430368c90 172.31.0.254#39072 (166.76.226.101.in-addr.arpa): view internal: query: 166.76.226.101.in-addr.arpa IN PTR + (172.31.0.215)
```
This time the log did not show the info "exiting (due to assertion failure)", but the info appeared in Syslog:
```
Jul 24 09:10:29 localhost named[20102]: timed out resolving 'p-idle-miner.playfabapi.com/A/IN': 202.102.128.68#53
Jul 24 09:14:20 localhost named[20102]: timed out resolving 'guazi-vod.guazistatic.com.bsgslb.cn/A/IN': 219.146.1.66#53
Jul 24 09:14:47 localhost named[20102]: timed out resolving 'zs-stcmchina-com.cname.saaswaf.com/A/IN': 219.147.1.66#53
Jul 24 09:16:31 localhost named[20102]: timed out resolving 'p-idle-miner.playfabapi.com/CNAME/IN': 219.147.1.66#53
Jul 24 09:16:32 localhost named[20102]: timed out resolving 'p-idle-miner.playfabapi.com/CNAME/IN': 219.146.1.66#53
Jul 24 09:17:23 localhost named[20102]: client @0x7f2400029360 171.13.14.59#34784 (tjapi.news.so.com): view external: query failed (REFUSED) for tjapi.news.so.com/IN/A at query.c:5365
Jul 24 09:17:26 localhost named[20102]: client @0x7f243028bc50 171.13.14.37#29384 (dl.360safe.com): view external: query failed (REFUSED) for dl.360safe.com/IN/A at query.c:5365
Jul 24 09:17:29 localhost named[20102]: client @0x7f24200274f0 171.13.14.44#27816 (www.jumei.com): view external: query failed (REFUSED) for www.jumei.com/IN/A at query.c:5365
Jul 24 09:17:32 localhost named[20102]: client @0x7f2430de9e20 171.13.14.59#64416 (weibo.com): view external: query failed (REFUSED) for weibo.com/IN/A at query.c:5365
Jul 24 09:17:32 localhost named[20102]: timed out resolving 'd2k03kvdk5cku0.cloudfront.net/A/IN': 219.146.1.66#53
Jul 24 09:17:35 localhost named[20102]: client @0x7f243034b510 171.13.14.60#50928 (web.sogou.com): view external: query failed (REFUSED) for web.sogou.com/IN/A at query.c:5365
Jul 24 09:17:38 localhost named[20102]: client @0x7f241c037c50 171.13.14.62#2280 (www.duba.com): view external: query failed (REFUSED) for www.duba.com/IN/A at query.c:5365
Jul 24 09:17:41 localhost named[20102]: client @0x7f24302c6b50 171.13.14.40#44808 (hao.360.cn): view external: query failed (REFUSED) for hao.360.cn/IN/A at query.c:5365
Jul 24 09:17:44 localhost named[20102]: client @0x7f23e400faa0 171.13.14.50#15880 (www.360.cn): view external: query failed (REFUSED) for www.360.cn/IN/A at query.c:5365
Jul 24 09:17:47 localhost named[20102]: client @0x7f24302f2e90 171.13.14.53#56280 (tuan.360.cn): view external: query failed (REFUSED) for tuan.360.cn/IN/A at query.c:5365
Jul 24 09:17:51 localhost named[20102]: client @0x7f243032dd90 171.13.14.39#58632 (www.btime.com): view external: query failed (REFUSED) for www.btime.com/IN/A at query.c:5365
Jul 24 09:17:54 localhost named[20102]: client @0x7f243032dd90 171.13.14.59#41280 (v.360.cn): view external: query failed (REFUSED) for v.360.cn/IN/A at query.c:5365
Jul 24 09:17:57 localhost named[20102]: client @0x7f243032dd90 171.13.14.54#3360 (softdl.360tpcdn.com): view external: query failed (REFUSED) for softdl.360tpcdn.com/IN/A at query.c:5365
Jul 24 09:18:00 localhost named[20102]: client @0x7f2430301a50 171.13.14.39#25016 (click.union.vip.com): view external: query failed (REFUSED) for click.union.vip.com/IN/A at query.c:5365
Jul 24 09:18:03 localhost named[20102]: client @0x7f2430301a50 171.13.14.35#13512 (www.baidu.com): view external: query failed (REFUSED) for www.baidu.com/IN/A at query.c:5365
Jul 24 09:18:06 localhost named[20102]: client @0x7f23d000b640 171.13.14.47#11960 (www.114la.com): view external: query failed (REFUSED) for www.114la.com/IN/A at query.c:5365
Jul 24 09:18:09 localhost named[20102]: client @0x7f24302c6b50 171.13.14.53#61384 (www.haosou.com): view external: query failed (REFUSED) for www.haosou.com/IN/A at query.c:5365
Jul 24 09:18:12 localhost named[20102]: client @0x7f24302c6b50 171.13.14.57#20856 (so.360.cn): view external: query failed (REFUSED) for so.360.cn/IN/A at query.c:5365
Jul 24 09:18:15 localhost named[20102]: client @0x7f23d801a200 171.13.14.60#9496 (bizhi.360.cn): view external: query failed (REFUSED) for bizhi.360.cn/IN/A at query.c:5365
Jul 24 09:18:18 localhost named[20102]: client @0x7f241c00fc00 171.13.14.38#51168 (bbs.webscan.360.cn): view external: query failed (REFUSED) for bbs.webscan.360.cn/IN/A at query.c:5365
Jul 24 09:18:21 localhost named[20102]: client @0x7f241c028c50 171.13.14.39#64280 (v.sj.360.cn): view external: query failed (REFUSED) for v.sj.360.cn/IN/A at query.c:5365
Jul 24 09:18:24 localhost named[20102]: client @0x7f23d0029900 171.13.14.44#47928 (ai.taobao.com): view external: query failed (REFUSED) for ai.taobao.com/IN/A at query.c:5365
Jul 24 09:18:27 localhost named[20102]: client @0x7f23d0029900 171.13.14.50#25656 (www.hao123.com): view external: query failed (REFUSED) for www.hao123.com/IN/A at query.c:5365
Jul 24 09:18:30 localhost named[20102]: client @0x7f23e8010ae0 171.13.14.57#30632 (hao.qq.com): view external: query failed (REFUSED) for hao.qq.com/IN/A at query.c:5365
Jul 24 09:18:33 localhost named[20102]: client @0x7f241c037c50 171.13.14.58#41176 (123.chinaso.com): view external: query failed (REFUSED) for 123.chinaso.com/IN/A at query.c:5365
Jul 24 09:18:36 localhost named[20102]: client @0x7f243028bc50 171.13.14.41#11968 (soft.360.cn): view external: query failed (REFUSED) for soft.360.cn/IN/A at query.c:5365
Jul 24 09:18:39 localhost named[20102]: client @0x7f240001a200 171.13.14.53#1128 (cdn.soft.360.cn): view external: query failed (REFUSED) for cdn.soft.360.cn/IN/A at query.c:5365
Jul 24 09:18:42 localhost named[20102]: client @0x7f2420035f50 171.13.14.47#21688 (www.360kan.com): view external: query failed (REFUSED) for www.360kan.com/IN/A at query.c:5365
Jul 24 09:18:45 localhost named[20102]: client @0x7f2420035f50 171.13.14.46#46912 (jumpluna.58.com): view external: query failed (REFUSED) for jumpluna.58.com/IN/A at query.c:5365
Jul 24 09:18:48 localhost named[20102]: client @0x7f242000c490 171.13.14.62#42496 (s.click.taobao.com): view external: query failed (REFUSED) for s.click.taobao.com/IN/A at query.c:5365
Jul 24 09:18:51 localhost named[20102]: client @0x7f243029a810 171.13.14.49#50768 (123.sogou.com): view external: query failed (REFUSED) for 123.sogou.com/IN/A at query.c:5365
Jul 24 09:18:54 localhost named[20102]: client @0x7f2430310610 171.13.14.37#4656 (cx.soft.360.cn): view external: query failed (REFUSED) for cx.soft.360.cn/IN/A at query.c:5365
Jul 24 09:18:58 localhost named[20102]: client @0x7f2430310610 171.13.14.45#58960 (big.softdl.360tpcdn.com): view external: query failed (REFUSED) for big.softdl.360tpcdn.com/IN/A at query.c:5365
Jul 24 09:19:01 localhost named[20102]: client @0x7f23d8029900 171.13.14.50#17880 (down.360safe.com): view external: query failed (REFUSED) for down.360safe.com/IN/A at query.c:5365
Jul 24 09:19:04 localhost named[20102]: client @0x7f243031f1d0 171.13.14.48#40544 (intf.soft.360.cn): view external: query failed (REFUSED) for intf.soft.360.cn/IN/A at query.c:5365
Jul 24 09:19:07 localhost named[20102]: client @0x7f240000b640 171.13.14.61#53840 (www.chinaso.com): view external: query failed (REFUSED) for www.chinaso.com/IN/A at query.c:5365
Jul 24 09:19:10 localhost named[20102]: client @0x7f243028bc50 171.13.14.40#48392 (www.huajiao.com): view external: query failed (REFUSED) for www.huajiao.com/IN/A at query.c:5365
Jul 24 09:19:13 localhost named[20102]: client @0x7f240000b640 171.13.14.42#18720 (www.2345.com): view external: query failed (REFUSED) for www.2345.com/IN/A at query.c:5365
Jul 24 09:19:16 localhost named[20102]: client @0x7f24302d5710 171.13.14.54#34800 (www.uc123.com): view external: query failed (REFUSED) for www.uc123.com/IN/A at query.c:5365
Jul 24 09:19:19 localhost named[20102]: client @0x7f2430224a10 171.13.14.38#6968 (123.duba.net): view external: query failed (REFUSED) for 123.duba.net/IN/A at query.c:5365
Jul 24 09:19:22 localhost named[20102]: client @0x7f243025f910 171.13.14.54#6824 (www.sogou.com): view external: query failed (REFUSED) for www.sogou.com/IN/A at query.c:5365
Jul 24 09:19:25 localhost named[20102]: client @0x7f23e8010ae0 171.13.14.45#52352 (www.so.com): view external: query failed (REFUSED) for www.so.com/IN/A at query.c:5365
Jul 24 09:19:28 localhost named[20102]: client @0x7f243034b510 171.13.14.35#36240 (update.360safe.com): view external: query failed (REFUSED) for update.360safe.com/IN/A at query.c:5365
Jul 24 09:19:31 localhost named[20102]: client @0x7f24302d5710 171.13.14.39#30008 (baoku.360.cn): view external: query failed (REFUSED) for baoku.360.cn/IN/A at query.c:5365
Jul 24 09:19:34 localhost named[20102]: client @0x7f243025f910 171.13.14.45#4536 (speedball.xyx.wan.360.cn): view external: query failed (REFUSED) for speedball.xyx.wan.360.cn/IN/A at query.c:5365
Jul 24 09:19:37 localhost named[20102]: client @0x7f243035a0d0 171.13.14.54#39600 (yule.360.cn): view external: query failed (REFUSED) for yule.360.cn/IN/A at query.c:5365
Jul 24 09:19:40 localhost named[20102]: client @0x7f23dc00bbe0 171.13.14.45#37112 (union.click.jd.com): view external: query failed (REFUSED) for union.click.jd.com/IN/A at query.c:5365
Jul 24 09:19:43 localhost named[20102]: client @0x7f240000b640 171.13.14.60#27992 (daohang.qq.com): view external: query failed (REFUSED) for daohang.qq.com/IN/A at query.c:5365
Jul 24 09:19:59 localhost named[20102]: timed out resolving 'p2.ssl.qhimg.com/A/IN': 202.102.128.68#53
Jul 24 09:20:01 localhost systemd: Created slice User Slice of root.
Jul 24 09:20:01 localhost systemd: Started Session 6112 of user root.
Jul 24 09:20:01 localhost systemd: Removed slice User Slice of root.
Jul 24 09:21:04 localhost named[20102]: timed out resolving 'www.ieee.org/CNAME/IN': 202.102.128.68#53
Jul 24 09:21:57 localhost named[20102]: client @0x7f2430242190 74.82.47.50#12222 (dnsscan.shadowserver.org): view external: query failed (REFUSED) for dnsscan.shadowserver.org/IN/A at query.c:5365
Jul 24 09:22:16 localhost named[20102]: timed out resolving 'PC-20181106YLYQ.DHCP\032HOST/A/IN': 219.146.1.66#53
Jul 24 09:22:17 localhost named[20102]: timed out resolving 'PC-20181106YLYQ.DHCP\032HOST/A/IN': 219.147.1.66#53
Jul 24 09:24:06 localhost named[20102]: timed out resolving 'cms.jinan.cn/A/IN': 219.147.1.66#53
Jul 24 09:25:01 localhost systemd: Created slice User Slice of pcp.
Jul 24 09:25:01 localhost systemd: Started Session 6113 of user pcp.
Jul 24 09:25:01 localhost systemd: Removed slice User Slice of pcp.
Jul 24 09:25:38 localhost named[20102]: timed out resolving 'reg.hao.360.cn/A/IN': 202.102.128.68#53
Jul 24 09:25:38 localhost named[20102]: timed out resolving 'h2m.dmp.360.cn/A/IN': 202.102.128.68#53
Jul 24 09:28:01 localhost systemd: Created slice User Slice of pcp.
Jul 24 09:28:01 localhost systemd: Started Session 6114 of user pcp.
Jul 24 09:28:01 localhost systemd: Removed slice User Slice of pcp.
Jul 24 09:30:01 localhost systemd: Created slice User Slice of pcp.
Jul 24 09:30:01 localhost systemd: Started Session 6116 of user pcp.
Jul 24 09:30:01 localhost systemd: Created slice User Slice of root.
Jul 24 09:30:01 localhost systemd: Started Session 6115 of user root.
Jul 24 09:30:01 localhost systemd: Removed slice User Slice of root.
Jul 24 09:30:01 localhost systemd: Removed slice User Slice of pcp.
Jul 24 09:30:06 localhost named[20102]: timed out resolving 'wpad.DHCP\032HOST/A/IN': 219.146.1.66#53
Jul 24 09:30:59 localhost named[20102]: timed out resolving 'livetileedge.xbetservices.akadns.net/A/IN': 202.102.128.68#53
Jul 24 09:31:17 localhost named[20102]: timed out resolving 'www.google.cn/A/IN': 219.147.1.66#53
Jul 24 09:36:14 localhost named[20102]: timed out resolving 'mobilepics.ws.126.net.bsgslb.cn/A/IN': 202.102.128.68#53
Jul 24 09:37:10 localhost systemd-logind: New session 6117 of user hbh.
Jul 24 09:37:10 localhost systemd: Started Session 6117 of user hbh.
Jul 24 09:37:10 localhost dbus[8700]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Jul 24 09:37:11 localhost dbus[8700]: [system] Successfully activated service 'org.freedesktop.problems'
Jul 24 09:37:19 localhost dbus[8700]: [system] Activating via systemd: service name='net.reactivated.Fprint' unit='fprintd.service'
Jul 24 09:37:19 localhost systemd: Starting Fingerprint Authentication Daemon...
Jul 24 09:37:19 localhost dbus[8700]: [system] Successfully activated service 'net.reactivated.Fprint'
Jul 24 09:37:19 localhost systemd: Started Fingerprint Authentication Daemon.
Jul 24 09:37:29 localhost su: (to root) hbh on pts/1
Jul 24 09:38:23 localhost named[20102]: client @0x7f23d800b640 1.192.90.183#11759 (www.ipplus360.com): view external: query failed (REFUSED) for www.ipplus360.com/IN/A at query.c:5365
Jul 24 09:38:24 localhost named[20102]: client @0x7f24302d5710 1.192.90.183#47631 (asijeicjaiowjojaoiejfa.com): view external: query failed (REFUSED) for asijeicjaiowjojaoiejfa.com/IN/A at query.c:5365
Jul 24 09:39:28 localhost named[20102]: timed out resolving '8.e.e.0.0.2.a.7.f.d.2.7.8.7.a.9.3.1.6.6.4.c.0.8.7.0.8.8.9.0.4.2.ip6.arpa/PTR/IN': 202.102.128.68#53
Jul 24 09:40:01 localhost systemd: Created slice User Slice of root.
Jul 24 09:40:01 localhost systemd: Started Session 6118 of user root.
Jul 24 09:40:01 localhost systemd: Removed slice User Slice of root.
Jul 24 09:41:51 localhost systemd-logind: New session 6119 of user hbh.
Jul 24 09:41:51 localhost systemd: Started Session 6119 of user hbh.
Jul 24 09:41:52 localhost dbus[8700]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Jul 24 09:41:52 localhost dbus[8700]: [system] Successfully activated service 'org.freedesktop.problems'
Jul 24 09:41:59 localhost systemd-logind: Removed session 6119.
Jul 24 09:42:13 localhost systemd-logind: Removed session 6117.
Jul 24 09:45:33 localhost DhcpLFC: INFO [DhcpLFC] LFC_START Starting lease file cleanup
Jul 24 09:45:33 localhost DhcpLFC: INFO [DhcpLFC] LFC_PROCESSING Previous file: /usr/local/kea/var/kea/kea-leases6.csv.2, copy file: /usr/local/kea/var/kea/kea-leases6.csv.1
Jul 24 09:45:33 localhost DhcpLFC: INFO [DhcpLFC.dhcpsrv] DHCPSRV_MEMFILE_LEASE_FILE_LOAD loading leases from file /usr/local/kea/var/kea/kea-leases6.csv.2
Jul 24 09:45:33 localhost DhcpLFC: INFO [DhcpLFC.dhcpsrv] DHCPSRV_MEMFILE_LEASE_FILE_LOAD loading leases from file /usr/local/kea/var/kea/kea-leases6.csv.1
Jul 24 09:45:33 localhost DhcpLFC: INFO [DhcpLFC] LFC_READ_STATS Leases: 0, attempts: 2, errors: 0.
Jul 24 09:45:33 localhost DhcpLFC: INFO [DhcpLFC] LFC_WRITE_STATS Leases: 0, attempts: 0, errors: 0.
Jul 24 09:45:33 localhost DhcpLFC: INFO [DhcpLFC] LFC_ROTATING LFC rotating files
Jul 24 09:45:33 localhost DhcpLFC: INFO [DhcpLFC] LFC_TERMINATE LFC finished processing
Jul 24 09:46:17 localhost named[20102]: timed out resolving 'PC-20181106YLYQ.DHCP\032HOST/A/IN': 219.146.1.66#53
Jul 24 09:46:18 localhost named[20102]: timed out resolving 'PC-20181106YLYQ.DHCP\032HOST/A/IN': 219.147.1.66#53
Jul 24 09:47:47 localhost named[20102]: timed out resolving 'jprx.m.qq.com/A/IN': 219.146.1.66#53
Jul 24 09:50:02 localhost systemd: Created slice User Slice of root.
Jul 24 09:50:02 localhost systemd: Started Session 6120 of user root.
Jul 24 09:50:02 localhost systemd: Removed slice User Slice of root.
Jul 24 09:50:11 localhost named[20102]: timed out resolving 'wpad.DHCP\032HOST/A/IN': 219.147.1.66#53
Jul 24 09:52:32 localhost named[20102]: timed out resolving '2.5.8.2.d.7.9.0.8.e.5.5.3.4.5.4.6.4.1.3.4.e.2.8.7.0.8.8.9.0.4.2.ip6.arpa/PTR/IN': 202.102.128.68#53
Jul 24 09:52:33 localhost named[20102]: timed out resolving '2.5.8.2.d.7.9.0.8.e.5.5.3.4.5.4.6.4.1.3.4.e.2.8.7.0.8.8.9.0.4.2.ip6.arpa/PTR/IN': 219.147.1.66#53
Jul 24 09:54:12 localhost named[20102]: DNS format error from 202.102.128.68#53 resolving 184.123.207.140.in-addr.arpa/PTR for client 172.31.0.254#47907: non-improving referral
Jul 24 09:54:12 localhost named[20102]: FORMERR resolving '184.123.207.140.in-addr.arpa/PTR/IN': 202.102.128.68#53
Jul 24 09:54:12 localhost named[20102]: DNS format error from 219.147.1.66#53 resolving 184.123.207.140.in-addr.arpa/PTR for client 172.31.0.254#47907: non-improving referral
Jul 24 09:54:12 localhost named[20102]: FORMERR resolving '184.123.207.140.in-addr.arpa/PTR/IN': 219.147.1.66#53
Jul 24 09:54:12 localhost named[20102]: DNS format error from 219.146.1.66#53 resolving 184.123.207.140.in-addr.arpa/PTR for client 172.31.0.254#47907: non-improving referral
Jul 24 09:54:12 localhost named[20102]: FORMERR resolving '184.123.207.140.in-addr.arpa/PTR/IN': 219.146.1.66#53
Jul 24 09:54:12 localhost named[20102]: resolver.c:4932: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed
Jul 24 09:54:12 localhost named[20102]: exiting (due to assertion failure)
```
Then it died.
My configurations for BIND are below:
```
named.conf:
acl "trusted"{
127.0.0.1/32;
218.57.138.208/28;
58.56.105.64/28;
192.168.0.0/16;
172.0.0.0/8;
173.0.0.0/8;
174.20.0.0/16;
193.0.0.0/8;
10.4.0.0/18;
};
#logging {
# channel query_log {
# file "query.log" versions 5 size 20m;
# #severity info;
# severity debug 10;
# print-time yes;
# print-category yes;
# };
# category queries {
# query_log;
# };
#};
options {
version "DNSSERVER1.1.1";
directory "/etc/named";
listen-on {172.31.0.215;127.0.0.1;};
forwarders {202.102.128.68;219.146.1.66;219.147.1.66;};
forward first;
#forward only;
pid-file "/var/run/named.pid";
statistics-file "/var/run/named.stats";
recursion no;
allow-recursion {none;};
dnssec-enable no;
dnssec-validation no;
};
controls {
inet 127.0.0.1 port 953 allow {localhost;} keys {rndc_key;};
};
include "/etc/rndc.key";
view "internal" {
match-clients {trusted;};
recursion yes;
allow-recursion {trusted;};
#match-clients {any;};
#allow-recursion {any;};
zone "mydomain.com" {
type master;
file "db.mydomain.in";
};
zone "0.0.127.in-addr.arpa"{
type master;
file "db.127.0.0";
allow-update {none;};
allow-query {none;};
};
zone "138.57.218.in-addr.arpa"{
type master;
file "db.218.57.138";
};
zone "localhost" {
type master;
file "db.local";
};
zone "." {
type hint;
file "db.root";
};
};
view "external" {
match-clients {any;};
recursion no;
allow-recursion {none;};
zone "mydomain.com" {
type master;
file "db.mydomain.ex";
};
zone "138.57.218.in-addr.arpa"{
type master;
file "db.218.57.138";
};
zone "105.56.58.in-addr.arpa"{
type master;
file "db.58.56.105";
};
};
```
```
db.218.57.
TTL 600 ; 1 hour
138.57.218.in-addr.arpa IN SOA ns3.mydomain.com dns.mydomain.com. (
18 ; serial
900 ; refresh (15 minutes)
600 ; retry (10 minutes)
86400 ; expire (1 day)
3600 ; minimum (1 hour)
)
NS ns1.mydomain.com.
NS ns2.mydomain.com.
NS ns3.mydomain.com.
$ORIGIN 138.57.218.in-addr.arpa.
211 PTR ns1.mydomain.com.
212 PTR ns2.mydomain.com.
217 PTR ns3.mydomain.com.
213 PTR www.mydomain.com.
214 PTR mail.mydomain.com.
215 PTR ftp.mydomain.com.
215 PTR go.mydomain.com.
217 PTR net.mydomain.com.
```
bind9 runs in chroot mode:
`/usr/local/bind/sbin/named -4 -c /etc/named.conf -t /chroot/named -u named`
If there is any other information I can offer, please tell me.
Best regards,
21848706@qq.com
Thanks a lot!
### Incident tracking page
https://wiki.isc.org/bin/view/Main/SecurityIncidentChecklist20196476QminAndForwarders
October 2019 (9.11.12, 9.14.7, 9.15.5)

https://gitlab.isc.org/isc-projects/bind9/-/issues/1191
REQUIRE assertion failure in resolver.c
2019-10-02T12:30:54Z
Michael McNally
<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### Summary
Reported to security-officer@isc.org:
```
Hello
Once a week one of our internal Bind9 server crashes with the following error:
07-Aug-2019 00:56:44.207 general: critical: resolver.c:10583: REQUIRE(fetchp != ((void *)0) && *fetchp == ((void *)0)) failed
07-Aug-2019 00:56:44.207 general: critical: exiting (due to assertion failure)
...
We are not sure what is causing this, the time and date are always different, sometimes at night,
sometimes during the day. It started with version Bind9.14 and we thought it got better with
newer versions, but over the last couple of weeks it got worse.
```
### BIND version used
```
BIND 9.14.4 (Stable Release) <id:ab4c496>
running on Linux x86_64 2.6.32-754.17.1.el6.x86_64 #1 SMP Thu Jun 20 11:47:12 EDT 2019
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-openssl=yes' '--enable-largefile' '--without-python' '--with-tuning=large' '--with-gssapi=yes' '--disable-isc-spnego' '--disable-dnstap' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O0 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 4.4.7 20120313 (Red Hat 4.4.7-23)
compiled with OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
linked to OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
compiled with libxml2 version: 2.7.6
linked to libxml2 version: 20706
compiled with zlib version: 1.2.3
linked to zlib version: 1.2.3
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
```
### Relevant files
The submitter has kindly provided core dumps, libraries, configuration files, logs, and other supporting materials.
They have been uploaded to bikeshed.isc.org:/home/support/
Until engineering have a chance to examine the crash to see whether it is deliberately triggerable, please note that this ticket is marked confidential.
October 2019 (9.11.12, 9.14.7, 9.15.5)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/1192
Fix unreliable serve-stale test
2020-03-09T08:22:16Z
Matthijs Mekking
matthijs@isc.org
February 2020 (9.11.16, 9.14.11, 9.16.0, 9.16.0-S)

https://gitlab.isc.org/isc-projects/bind9/-/issues/1219
[CVE-2019-6476] resolver.c:4917: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed, back trace causes BIND to die
2020-09-11T09:02:39Z
Ghost User
<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### Summary
BIND died after this log:
```
general: critical: resolver.c:4917: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed, back trace
```
### BIND version used
```
BIND 9.14.5 (Stable Release) <id:c2c2b6d>
running on FreeBSD amd64 11.2-RELEASE-p14-HBSD FreeBSD 11.2-RELEASE-p14-HBSD 07680caafe9(stable/19.7)
built by make with '--localstatedir=/var' '--disable-linux-caps' '--with-libxml2=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlopen=yes' '--with-openssl=/usr/local' '--sysconfdir=/usr/local/etc/namedb' '--with-dlz-filesystem=yes' '--disable-dnstap' '--disable-fixed-rrset' '--without-gssapi' '--with-libidn2=/usr/local' '--with-libjson=/usr/local' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' '--disable-querytrace' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-tcp-fastopen' '--with-tuning=default' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd11.2' 'build_alias=amd64-portbld-freebsd11.2' 'CC=cc' 'CFLAGS=-O2 -pipe -DHARDENEDBSD -DLIBICONV_PLUG -fPIE -fPIC -fstack-protector-all -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -Wl,-rpath,/usr/local/lib -pie -Wl,-z,relro -Wl,-z,now -fstack-protector-all ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
compiled by CLANG 4.2.1 Compatible FreeBSD Clang 6.0.0 (tags/RELEASE_600/final 326565)
compiled with OpenSSL version: OpenSSL 1.0.2s 28 May 2019
linked to OpenSSL version: OpenSSL 1.0.2s 28 May 2019
compiled with libxml2 version: 2.9.9
linked to libxml2 version: 20909
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
default paths:
named configuration: /usr/local/etc/namedb/named.conf
rndc configuration: /usr/local/etc/namedb/rndc.conf
DNSSEC root key: /usr/local/etc/namedb/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/pid
named lock file: /var/run/named/named.lock
```
### Steps to reproduce
Unknown
### What is the current *bug* behavior?
bind dies
### What is the expected *correct* behavior?
bind stays alive
### Relevant configuration files
```
controls {
inet 127.0.0.1 port 9530 allow {
127.0.0.1/32;
} keys {
"rndc-key";
};
};
logging {
channel "default_log" {
file "/var/log/named/named.log" versions 3 size 5242880;
print-time yes;
print-severity yes;
print-category yes;
};
channel "query_log" {
file "/var/log/named/query.log" versions 3 size 5242880;
print-time yes;
};
channel "rpz_log" {
file "/var/log/named/rpz.log" versions 3 size 5242880;
print-time yes;
};
category "default" {
"default_log";
};
category "general" {
"default_log";
};
category "queries" {
"query_log";
};
category "rpz" {
"rpz_log";
};
};
options {
directory "/usr/local/etc/namedb/working";
dump-file "/var/dump/named_dump.db";
listen-on port 53530 {
10.99.201.1/32;
};
listen-on-v6 port 53530 {
::1/128;
};
pid-file "/var/run/named/pid";
statistics-file "/var/stats/named.stats";
dnssec-validation auto;
max-cache-size 80%;
response-policy {
zone "whitelist.localdomain";
zone "blacklist.localdomain";
};
forwarders {
1.1.1.1;
1.0.0.1;
};
};
key "rndc-key" {
algorithm "hmac-sha256";
secret "????????????????????????????????????????????";
};
zone "." {
type hint;
file "/usr/local/etc/namedb/named.root";
};
zone "localhost" {
type master;
file "/usr/local/etc/namedb/master/localhost-forward.db";
};
zone "127.in-addr.arpa" {
type master;
file "/usr/local/etc/namedb/master/localhost-reverse.db";
};
zone "0.ip6.arpa" {
type master;
file "/usr/local/etc/namedb/master/localhost-reverse.db";
};
zone "whitelist.localdomain" {
type master;
check-names ignore;
file "/usr/local/etc/namedb/master/whitelist.db";
notify no;
};
zone "blacklist.localdomain" {
type master;
check-names ignore;
file "/usr/local/etc/namedb/master/blacklist.db";
notify no;
};
```
### Relevant logs and/or screenshots
```
08-Sep-2019 14:01:29.753 general: critical: exiting (due to assertion failure)
08-Sep-2019 14:01:29.753 general: critical: #7 0x0 in ??
08-Sep-2019 14:01:29.753 general: critical: #6 0x3e007b0dc36 in ??
08-Sep-2019 14:01:29.753 general: critical: #5 0x3b13830d1ed in ??
08-Sep-2019 14:01:29.753 general: critical: #4 0x3b138244169 in ??
08-Sep-2019 14:01:29.753 general: critical: #3 0x3b13823b04c in ??
08-Sep-2019 14:01:29.753 general: critical: #2 0x3b138234728 in ??
08-Sep-2019 14:01:29.753 general: critical: #1 0x3b1382ed18a in ??
08-Sep-2019 14:01:29.753 general: critical: #0 0x3b138102120 in ??
08-Sep-2019 14:01:29.753 general: critical: resolver.c:4917: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed, back trace
08-Sep-2019 14:01:29.745 lame-servers: info: chase DS servers resolving 'd10u1qvpabtlks.cloudfront.net/DS/IN': 1.0.0.1#53
08-Sep-2019 14:01:29.514 lame-servers: info: chase DS servers resolving 'd10u1qvpabtlks.cloudfront.net/DS/IN': 1.1.1.1#53
```
### Incident tracking page
https://wiki.isc.org/bin/view/Main/SecurityIncidentChecklist20196476QminAndForwarders
October 2019 (9.11.12, 9.14.7, 9.15.5)

https://gitlab.isc.org/isc-projects/bind9/-/issues/1238
[CVE-2019-6476] critical: resolver.c:4917: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed
2019-10-16T21:11:21Z
bobopu
### Summary
```
general: critical: resolver.c:4917: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed
general: critical: exiting (due to assertion failure)
```
### BIND version used
```
BIND 9.14.6 (Stable Release) <id:efd3496>
running on Linux x86_64 4.14.47-64.38.amzn2.x86_64 #1 SMP Mon Jun 18 22:33:07 UTC 2018
built by make with '--prefix=/data/named' '--enable-threads' '--enable-epoll' '--enable-fetchlimi' '--disable-openssl-version-check' '--with-dlz-filesystem' '--with-tuning=large' '--disable-crypto-rand'
compiled by GCC 7.3.1 20180303 (Red Hat 7.3.1-5)
compiled with OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
threads support is enabled
default paths:
named configuration: /data/named/etc/named.conf
rndc configuration: /data/named/etc/rndc.conf
DNSSEC root key: /data/named/etc/bind.keys
nsupdate session key: /data/named/var/run/named/session.key
named PID file: /data/named/var/run/named/named.pid
named lock file: /data/named/var/run/named/named.lock
```
### Steps to reproduce
queries: info: client @0x7f18ed2eeec0 140.206.63.106#26724 (121.52.95.211.in-addr.arpa): view cnc-nanfang: query: 121.52.95.211.in-addr.arpa IN PTR + (172.16.2.66)
### What is the current *bug* behavior?
When a PTR request occurs, BIND exits.
### Relevant configuration files
Too long...
### Relevant logs and/or screenshots
```
queries: info: client @0x7f18ed2eeec0 140.206.63.106#26724 (121.52.95.211.in-addr.arpa): view cnc-nanfang: query: 121.52.95.211.in-addr.arpa IN PTR + (172.16.2.66)
general: critical: resolver.c:4917: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed
general: critical: exiting (due to assertion failure)
```
### Incident tracking page
https://wiki.isc.org/bin/view/Main/SecurityIncidentChecklist20196476QminAndForwarders
October 2019 (9.11.12, 9.14.7, 9.15.5)

https://gitlab.isc.org/isc-projects/bind9/-/issues/1241
[CVE-2019-6476] bind 9.14 crashes at specific response from forwarders
2019-10-16T21:11:58Z
Ghost User
<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### Summary
When bind 9.14 receives an obviously invalid response from a configured forwarder, it crashes.
```
DNS format error from 213.133.99.99#53 resolving 74.141.6.213.in-addr.arpa/PTR for client 127.0.0.1#49745: non-improving referral
resolver.c:4932: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed, back trace
#0 0x55b887adf590 in ??
#1 0x7fce15ae853a in ??
#2 0x7fce1648fddb in ??
#3 0x7fce1649181c in ??
#4 0x7fce164967d5 in ??
#5 0x7fce1649a341 in ??
#6 0x7fce1649b066 in ??
#7 0x7fce1649cb50 in ??
#8 0x7fce15b05b29 in ??
#9 0x7fce1507a118 in ??
#10 0x7fce147819df in ??
exiting (due to assertion failure)
```
### BIND version used
```
BIND 9.14.4 (Stable Release) <id:ab4c496>
running on Linux x86_64 4.19.72-gentoo #1 SMP Mon Sep 16 19:54:42 CEST 2019
built by make with '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--docdir=/usr/share/doc/bind-9.14.4' '--htmldir=/usr/share/doc/bind-9.14.4/html' '--with-sysroot=/' '--libdir=/usr/lib64' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--enable-full-report' '--without-readline' '--enable-linux-caps' '--disable-dnsrps' '--disable-dnstap' '--disable-fixed-rrset' '--with-dlz-bdb' '--with-dlopen' '--with-dlz-filesystem' '--with-dlz-stub' '--without-gssapi' '--without-libjson' '--without-dlz-ldap' '--without-dlz-mysql' '--without-dlz-odbc' '--without-dlz-postgres' '--without-lmdb' '--without-python' '--without-libxml2' '--with-zlib' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-O2 -pipe -march=native -I/usr/include/db5.3' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed -L/usr/lib64' 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig'
compiled by GCC 7.3.0
compiled with OpenSSL version: OpenSSL 1.0.2t 10 Sep 2019
linked to OpenSSL version: OpenSSL 1.0.2t 10 Sep 2019
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
```
### Steps to reproduce
- configure a forwarding name server (in my case the name server from my ISP hetzner.de)
```
options {
forwarders {
213.133.98.97;
213.133.99.99;
213.133.100.100;
};
};
```
- `dig @localhost 74.141.6.213.in-addr.arpa PTR`
### What is the current *bug* behavior?
The server crashes.
### What is the expected *correct* behavior?
It should not crash.
### Relevant configuration files
see above.
### Relevant logs and/or screenshots
see above.
### Possible fixes
unknown.
When using an older version of bind (e.g. 9.12.3) or another forwarder (e.g. 8.8.8.8), the bug does not occur.
### Incident tracking page
https://wiki.isc.org/bin/view/Main/SecurityIncidentChecklist20196476QminAndForwarders
October 2019 (9.11.12, 9.14.7, 9.15.5)

https://gitlab.isc.org/isc-projects/bind9/-/issues/1282
Mysqldyn dlz compile failed
2021-10-04T20:03:31Z
Ghost User
### Summary
Can't compile **mysqldyn** dlz on Ubuntu 18.04.
```
Linux bind9-compile 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
```
### BIND version used
```
root@bind9-compile:/opt/bind9# sbin/named -V
BIND 9.15.5 (Development Release) <id:87676a6ac0>
running on Linux x86_64 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019
built by make with '--prefix=/opt/bind9/' '--with-dlz-mysql=yes'
compiled by GCC 7.4.0
compiled with OpenSSL version: OpenSSL 1.1.1 11 Sep 2018
linked to OpenSSL version: OpenSSL 1.1.1 11 Sep 2018
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with json-c version: 0.12.1
linked to json-c version: 0.12.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
default paths:
named configuration: /opt/bind9/etc/named.conf
rndc configuration: /opt/bind9/etc/rndc.conf
DNSSEC root key: /opt/bind9/etc/bind.keys
nsupdate session key: /opt/bind9/var/run/named/session.key
named PID file: /opt/bind9/var/run/named/named.pid
named lock file: /opt/bind9/var/run/named/named.lock
```
### Steps to reproduce
```
cd bind9/contrib/dlz/modules/mysqldyn/
make
```
```
cc -fPIC -Wall -g -I../include -I/usr/include/mysql -shared -o dlz_mysqldyn_mod.so \
dlz_mysqldyn_mod.c dlz_dbi.o -L/usr/lib/x86_64-linux-gnu -lmysqlclient -lpthread -lz -lm -lrt -latomic -ldl
dlz_mysqldyn_mod.c: In function ‘makerecord’:
dlz_mysqldyn_mod.c:832:35: error: ‘saveptr’ undeclared (first use in this function)
real_name = strtok_r(buf, "\t", &saveptr);
^~~~~~~
dlz_mysqldyn_mod.c:832:35: note: each undeclared identifier is reported only once for each function it appears in
Makefile:13: recipe for target 'dlz_mysqldyn_mod.so' failed
make: *** [dlz_mysqldyn_mod.so] Error 1
```
### What is the current *bug* behavior?
Can't compile **mysqldyn** dlz.
### Possible fixes
Declare **saveptr** on line 832 in **dlz_mysqldyn_mod.c**.
```
char* saveptr = 0;
```
```
/*
* The format is:
* FULLNAME\tTTL\tDCLASS\tTYPE\tDATA
*
* The DATA field is space separated, and is in the data format
* for the type used by dig
*/
char* saveptr = 0;
real_name = strtok_r(buf, "\t", &saveptr);
if (real_name == NULL)
goto error;
ttlstr = strtok_r(NULL, "\t", &saveptr);
if (ttlstr == NULL || sscanf(ttlstr, "%d", &ttlvalue) != 1)
goto error;
dclass = strtok_r(NULL, "\t", &saveptr);
if (dclass == NULL)
goto error;
type = strtok_r(NULL, "\t", &saveptr);
if (type == NULL)
goto error;
data = strtok_r(NULL, "\t", &saveptr);
if (data == NULL)
goto error;
```