BIND issueshttps://gitlab.isc.org/isc-projects/bind9/-/issues2019-10-16T21:11:21Zhttps://gitlab.isc.org/isc-projects/bind9/-/issues/1238[CVE-2019-6476] critical: resolver.c:4917: INSIST(dns_name_issubdomain(&fctx-...2019-10-16T21:11:21Zbobopu[CVE-2019-6476] critical: resolver.c:4917: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed### Summary
```
general: critical: resolver.c:4917: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed
general: critical: exiting (due to assertion failure)
```
### BIND version used
```
BIND 9.14.6 (Stable Release) <id:efd3...### Summary
```
general: critical: resolver.c:4917: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed
general: critical: exiting (due to assertion failure)
```
### BIND version used
```
BIND 9.14.6 (Stable Release) <id:efd3496>
running on Linux x86_64 4.14.47-64.38.amzn2.x86_64 #1 SMP Mon Jun 18 22:33:07 UTC 2018
built by make with '--prefix=/data/named' '--enable-threads' '--enable-epoll' '--enable-fetchlimi' '--disable-openssl-version-check' '--with-dlz-filesystem' '--with-tuning=large' '--disable-crypto-rand'
compiled by GCC 7.3.1 20180303 (Red Hat 7.3.1-5)
compiled with OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
threads support is enabled
default paths:
named configuration: /data/named/etc/named.conf
rndc configuration: /data/named/etc/rndc.conf
DNSSEC root key: /data/named/etc/bind.keys
nsupdate session key: /data/named/var/run/named/session.key
named PID file: /data/named/var/run/named/named.pid
named lock file: /data/named/var/run/named/named.lock
```
### Steps to reproduce
queries: info: client @0x7f18ed2eeec0 140.206.63.106#26724 (121.52.95.211.in-addr.arpa): view cnc-nanfang: query: 121.52.95.211.in-addr.arpa IN PTR + (172.16.2.66)
### What is the current *bug* behavior?
When a PTR request occurs, bind exiting
### Relevant configuration files
Too long...
### Relevant logs and/or screenshots
```
queries: info: client @0x7f18ed2eeec0 140.206.63.106#26724 (121.52.95.211.in-addr.arpa): view cnc-nanfang: query: 121.52.95.211.in-addr.arpa IN PTR + (172.16.2.66)
general: critical: resolver.c:4917: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed
general: critical: exiting (due to assertion failure)
```
### Incident tracking page
https://wiki.isc.org/bin/view/Main/SecurityIncidentChecklist20196476QminAndForwarders
October 2019 (9.11.12, 9.14.7, 9.15.5)https://gitlab.isc.org/isc-projects/bind9/-/issues/1219[CVE-2019-6476] resolver.c:4917: INSIST(dns_name_issubdomain(&fctx->name, &fc...2020-09-11T09:02:39ZGhost User[CVE-2019-6476] resolver.c:4917: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed, back trace causes BIND to die<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [...<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### Summary
BIND died after this log:
```
general: critical: resolver.c:4917: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed, back trace
```
### BIND version used
```
BIND 9.14.5 (Stable Release) <id:c2c2b6d>
running on FreeBSD amd64 11.2-RELEASE-p14-HBSD FreeBSD 11.2-RELEASE-p14-HBSD 07680caafe9(stable/19.7)
built by make with '--localstatedir=/var' '--disable-linux-caps' '--with-libxml2=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlopen=yes' '--with-openssl=/usr/local' '--sysconfdir=/usr/local/etc/namedb' '--with-dlz-filesystem=yes' '--disable-dnstap' '--disable-fixed-rrset' '--without-gssapi' '--with-libidn2=/usr/local' '--with-libjson=/usr/local' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' '--disable-querytrace' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-tcp-fastopen' '--with-tuning=default' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd11.2' 'build_alias=amd64-portbld-freebsd11.2' 'CC=cc' 'CFLAGS=-O2 -pipe -DHARDENEDBSD -DLIBICONV_PLUG -fPIE -fPIC -fstack-protector-all -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -Wl,-rpath,/usr/local/lib -pie -Wl,-z,relro -Wl,-z,now -fstack-protector-all ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
compiled by CLANG 4.2.1 Compatible FreeBSD Clang 6.0.0 (tags/RELEASE_600/final 326565)
compiled with OpenSSL version: OpenSSL 1.0.2s 28 May 2019
linked to OpenSSL version: OpenSSL 1.0.2s 28 May 2019
compiled with libxml2 version: 2.9.9
linked to libxml2 version: 20909
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
default paths:
named configuration: /usr/local/etc/namedb/named.conf
rndc configuration: /usr/local/etc/namedb/rndc.conf
DNSSEC root key: /usr/local/etc/namedb/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/pid
named lock file: /var/run/named/named.lock
```
### Steps to reproduce
Unknown
### What is the current *bug* behavior?
bind dies
### What is the expected *correct* behavior?
bind stays alive
### Relevant configuration files
```
controls {
inet 127.0.0.1 port 9530 allow {
127.0.0.1/32;
} keys {
"rndc-key";
};
};
logging {
channel "default_log" {
file "/var/log/named/named.log" versions 3 size 5242880;
print-time yes;
print-severity yes;
print-category yes;
};
channel "query_log" {
file "/var/log/named/query.log" versions 3 size 5242880;
print-time yes;
};
channel "rpz_log" {
file "/var/log/named/rpz.log" versions 3 size 5242880;
print-time yes;
};
category "default" {
"default_log";
};
category "general" {
"default_log";
};
category "queries" {
"query_log";
};
category "rpz" {
"rpz_log";
};
};
options {
directory "/usr/local/etc/namedb/working";
dump-file "/var/dump/named_dump.db";
listen-on port 53530 {
10.99.201.1/32;
};
listen-on-v6 port 53530 {
::1/128;
};
pid-file "/var/run/named/pid";
statistics-file "/var/stats/named.stats";
dnssec-validation auto;
max-cache-size 80%;
response-policy {
zone "whitelist.localdomain";
zone "blacklist.localdomain";
};
forwarders {
1.1.1.1;
1.0.0.1;
};
};
key "rndc-key" {
algorithm "hmac-sha256";
secret "????????????????????????????????????????????";
};
zone "." {
type hint;
file "/usr/local/etc/namedb/named.root";
};
zone "localhost" {
type master;
file "/usr/local/etc/namedb/master/localhost-forward.db";
};
zone "127.in-addr.arpa" {
type master;
file "/usr/local/etc/namedb/master/localhost-reverse.db";
};
zone "0.ip6.arpa" {
type master;
file "/usr/local/etc/namedb/master/localhost-reverse.db";
};
zone "whitelist.localdomain" {
type master;
check-names ignore;
file "/usr/local/etc/namedb/master/whitelist.db";
notify no;
};
zone "blacklist.localdomain" {
type master;
check-names ignore;
file "/usr/local/etc/namedb/master/blacklist.db";
notify no;
};
```
### Relevant logs and/or screenshots
```
08-Sep-2019 14:01:29.753 general: critical: exiting (due to assertion failure)
08-Sep-2019 14:01:29.753 general: critical: #7 0x0 in ??
08-Sep-2019 14:01:29.753 general: critical: #6 0x3e007b0dc36 in ??
08-Sep-2019 14:01:29.753 general: critical: #5 0x3b13830d1ed in ??
08-Sep-2019 14:01:29.753 general: critical: #4 0x3b138244169 in ??
08-Sep-2019 14:01:29.753 general: critical: #3 0x3b13823b04c in ??
08-Sep-2019 14:01:29.753 general: critical: #2 0x3b138234728 in ??
08-Sep-2019 14:01:29.753 general: critical: #1 0x3b1382ed18a in ??
08-Sep-2019 14:01:29.753 general: critical: #0 0x3b138102120 in ??
08-Sep-2019 14:01:29.753 general: critical: resolver.c:4917: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed, back trace
08-Sep-2019 14:01:29.745 lame-servers: info: chase DS servers resolving 'd10u1qvpabtlks.cloudfront.net/DS/IN': 1.0.0.1#53
08-Sep-2019 14:01:29.514 lame-servers: info: chase DS servers resolving 'd10u1qvpabtlks.cloudfront.net/DS/IN': 1.1.1.1#53
```
### Incident tracking page
https://wiki.isc.org/bin/view/Main/SecurityIncidentChecklist20196476QminAndForwardersOctober 2019 (9.11.12, 9.14.7, 9.15.5)https://gitlab.isc.org/isc-projects/bind9/-/issues/1205named crashes when setting nsec3param2022-10-21T12:11:10ZOndřej Surýnamed crashes when setting nsec3paramThis was originally reported as [Debian Bug](https://bugs.debian.org/939329) and the bug report was:
> Package: bind9
> Version: 1:9.11.5.P4+dfsg-5.1
>
> Woke up this morning to the following in syslog. Looks to maybe be a
> race condi...This was originally reported as [Debian Bug](https://bugs.debian.org/939329) and the bug report was:
> Package: bind9
> Version: 1:9.11.5.P4+dfsg-5.1
>
> Woke up this morning to the following in syslog. Looks to maybe be a
> race condition when reloading zones that have changed and setting
> nsec3params immediately after/during the reload.
```
Sep 3 05:56:06 odroid-dns named[29241]: zone bluematt.me/IN (unsigned):
loaded serial 2015412479
Sep 3 05:56:06 odroid-dns named[29241]: received control channel
command 'signing -nsec3param 1 0 100 D1D6B923 mattcorallo.com'
Sep 3 05:56:06 odroid-dns named[29241]: ../../../lib/dns/rbtdb.c:1494:
REQUIRE(rbtdb->future_version == ((void *)0)) failed, back trace
Sep 3 05:56:06 odroid-dns named[29241]: #0 0xaaaadda1f958 in ??
Sep 3 05:56:06 odroid-dns named[29241]: #1 0xffffb3437944 in ??
Sep 3 05:56:06 odroid-dns named[29241]: #2 0xffffb3a1368c in ??
Sep 3 05:56:06 odroid-dns named[29241]: #3 0xffffb3ad4bd4 in ??
Sep 3 05:56:06 odroid-dns named[29241]: #4 0xffffb345dca0 in ??
Sep 3 05:56:06 odroid-dns named[29241]: #5 0xffffb335b7e4 in ??
Sep 3 05:56:06 odroid-dns named[29241]: #6 0xffffb2ffbadc in ??
Sep 3 05:56:06 odroid-dns named[29241]: exiting (due to assertion failure)
```October 2019 (9.11.12, 9.14.7, 9.15.5)Mark AndrewsMark Andrewshttps://gitlab.isc.org/isc-projects/bind9/-/issues/1191REQUIRE assertion failure in resolver.c2019-10-02T12:30:54ZMichael McNallyREQUIRE assertion failure in resolver.c<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [...<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### Summary
Reported to security-officer@isc.org:
```
Hello
Once a week one of our internal Bind9 server crashes with the following error:
07-Aug-2019 00:56:44.207 general: critical: resolver.c:10583: REQUIRE(fetchp != ((void *)0) && *fetchp == ((void *)0)) failed
07-Aug-2019 00:56:44.207 general: critical: exiting (due to assertion failure)
...
We are not sure what is causing this, the time and date are always different, sometimes at night,
sometimes during the day. It started with version Bind9.14 and we thought it got better with
newer versions, but over the last couple of weeks it got worse.
```
### BIND version used
```
BIND 9.14.4 (Stable Release) <id:ab4c496>
running on Linux x86_64 2.6.32-754.17.1.el6.x86_64 #1 SMP Thu Jun 20 11:47:12 EDT 2019
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-openssl=yes' '--enable-largefile' '--without-python' '--with-tuning=large' '--with-gssapi=yes' '--disable-isc-spnego' '--disable-dnstap' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O0 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 4.4.7 20120313 (Red Hat 4.4.7-23)
compiled with OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
linked to OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
compiled with libxml2 version: 2.7.6
linked to libxml2 version: 20706
compiled with zlib version: 1.2.3
linked to zlib version: 1.2.3
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
```
### Relevant files
The submitter has kindly provided core dumps, libraries, configuration files, logs, and other supporting materials.
They have been uploaded to bikeshed.isc.org:/home/support/
Until engineering have a chance to examine the crash to see whether it is deliberately triggerable, please note that this ticket is marked confidential.October 2019 (9.11.12, 9.14.7, 9.15.5)Mark AndrewsMark Andrewshttps://gitlab.isc.org/isc-projects/bind9/-/issues/1184Invalid reference counting2019-10-02T12:26:22ZOndřej SurýInvalid reference countingI found couple more places where `.references == 0` means something else than *DEAD, DON'T USE*.
1. `lib/dns/cache.c`, the extra condition is `cache->live_tasks > 0`
2. `lib/dns/zone.c`, the extra condition is `DNS_ZONE_FLAG(zone, DNS_Z...I found couple more places where `.references == 0` means something else than *DEAD, DON'T USE*.
1. `lib/dns/cache.c`, the extra condition is `cache->live_tasks > 0`
2. `lib/dns/zone.c`, the extra condition is `DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SHUTDOWN) && isc_refcount_current(&zone->irefs) == 0)`
3. `lib/dns/resolver.c`, the extra condition is `fctx->pending == 0 && fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators))`
4. `lib/isc/task.c`, the extra condition is `EMPTY(task->events) && !TASK_SHUTTINGDOWN(task)`
5. `lib/ns/client.c`, the extra condition is `client->nsends == 0 && client->nrecvs == 0` and `client->mortal && TCP_CLIENT(client) && client->newstate != NS_CLIENTSTATE_FREED && (client->sctx->options & NS_SERVER_CLIENTTEST) == 0`
I am leaving `lib/dns/rbtdb.c` out of the list on purpose, but `git grep "isc_refcount_current([^)]*) == 0"` reveals all the places...October 2019 (9.11.12, 9.14.7, 9.15.5)https://gitlab.isc.org/isc-projects/bind9/-/issues/1180TSIG-related named crash2019-09-18T08:58:42ZMichał KępieńTSIG-related named crashSomething bad happened [here][1] in the `case` system test (or, more specifically, *after* the `case` system test was finished):
```
01-Aug-2019 22:07:48.328 tsig.c:615: REQUIRE(ringp != ((void *)0) && *ringp != ((void *)0)) failed, bac...Something bad happened [here][1] in the `case` system test (or, more specifically, *after* the `case` system test was finished):
```
01-Aug-2019 22:07:48.328 tsig.c:615: REQUIRE(ringp != ((void *)0) && *ringp != ((void *)0)) failed, back trace
```
Unfortunately, there is no core dump among job artifacts, which is not what I would expect. It may be related to the fact that this was an ASAN job (though this is not an ASAN-triggered crash, nor there is any ASAN-related output in the logs).
The obvious suspect is 3c30d095c4d5cd6dbeb06b594352ea2b8b24716b. @ondrej, any immediate ideas here?
[1]: https://gitlab.isc.org/isc-projects/bind9/-/jobs/294315October 2019 (9.11.12, 9.14.7, 9.15.5)https://gitlab.isc.org/isc-projects/bind9/-/issues/1168[CVE-2019-6476] bind9.14.4,bind9.15.2 also Crash on centos7.6(source dist)2019-10-16T21:10:17ZGhost User[CVE-2019-6476] bind9.14.4,bind9.15.2 also Crash on centos7.6(source dist)
The new version i compiled ,it could work for a night,but this moring i found bind9.14.4 stopped its work at Jul 24 09:54:12 ,bind‘s log is below:
```
24-Jul-2019 09:54:05.652 queries: client @0x7f23d0029900 172.31.0.254#4157 (dns.weixi...
The new version i compiled ,it could work for a night,but this moring i found bind9.14.4 stopped its work at Jul 24 09:54:12 ,bind‘s log is below:
```
24-Jul-2019 09:54:05.652 queries: client @0x7f23d0029900 172.31.0.254#4157 (dns.weixin.qq.com): view internal: query: dns.weixin.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:06.064 queries: client @0x7f24302f2e90 172.31.0.254#24737 (commdata.v.qq.com): view internal: query: commdata.v.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:06.368 queries: client @0x7f23d800b640 172.31.0.254#39779 (www.w3.org): view internal: query: www.w3.org IN A + (172.31.0.215)
24-Jul-2019 09:54:06.874 queries: client @0x7f242000c490 172.31.0.254#51568 (captive.apple.com): view internal: query: captive.apple.com IN A + (172.31.0.215)
24-Jul-2019 09:54:06.915 queries: client @0x7f243025f910 172.31.0.254#10965 (sngmta.qq.com): view internal: query: sngmta.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:07.379 queries: client @0x7f23d800b640 172.31.0.254#39779 (www.google.com): view internal: query: www.google.com IN A + (172.31.0.215)
24-Jul-2019 09:54:07.527 queries: client @0x7f243029a810 172.31.0.254#24313 (commdata.v.qq.com): view internal: query: commdata.v.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:07.527 queries: client @0x7f24302e42d0 172.31.0.254#6291 (vv.video.qq.com): view internal: query: vv.video.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:07.527 queries: client @0x7f2430377850 172.31.0.254#20463 (sdksp.video.qq.com): view internal: query: sdksp.video.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:07.664 queries: client @0x7f23dc00bbe0 172.31.0.254#51632 (www.baidu.com): view internal: query: www.baidu.com IN A + (172.31.0.215)
24-Jul-2019 09:54:07.742 queries: client @0x7f2430224a10 172.31.0.254#4210 (btrace.qq.com): view internal: query: btrace.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:07.910 queries: client @0x7f243025f910 172.31.0.254#15511 (imgcache.qq.com): view internal: query: imgcache.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:08.390 queries: client @0x7f23d800b640 172.31.0.254#39779 (www.tplink.com): view internal: query: www.tplink.com IN A + (172.31.0.215)
24-Jul-2019 09:54:08.482 queries: client @0x7f241c028c50 172.31.0.254#19129 (mdevstat.qqlive.qq.com): view internal: query: mdevstat.qqlive.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:08.814 queries: client @0x7f2430310610 172.31.0.254#11047 (mazu.3g.qq.com): view internal: query: mazu.3g.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:08.842 queries: client @0x7f24302a93d0 172.31.0.254#43701 (a.root-servers.net): view internal: query: a.root-servers.net IN A + (172.31.0.215)
24-Jul-2019 09:54:09.045 queries: client @0x7f2430386410 172.31.0.254#15492 (connectivitycheck.platform.hicloud.com): view internal: query: connectivitycheck.platform.hicloud.com IN A + (172.31.0.215)
24-Jul-2019 09:54:09.401 queries: client @0x7f23d800b640 172.31.0.254#39779 (www.qq.com): view internal: query: www.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:09.715 queries: client @0x7f243034b510 172.31.0.254#58245 (www.baidu.com): view internal: query: www.baidu.com IN A + (172.31.0.215)
24-Jul-2019 09:54:09.785 queries: client @0x7f243034b510 211.139.181.230#60101 (www.mydomain.com): view external: query: www.mydomain.com IN A -E(0)DCK (172.31.0.215)
24-Jul-2019 09:54:10.412 queries: client @0x7f23d800b640 172.31.0.254#39779 (www.ieee.org): view internal: query: www.ieee.org IN A + (172.31.0.215)
24-Jul-2019 09:54:10.645 queries: client @0x7f23e8010ae0 172.31.0.254#701 (playlog.youku.com): view internal: query: playlog.youku.com IN A + (172.31.0.215)
24-Jul-2019 09:54:10.701 queries: client @0x7f243029a810 172.31.0.254#52441 (mazu-mmgr.3g.qq.com): view internal: query: mazu-mmgr.3g.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:10.923 queries: client @0x7f24302a93d0 172.31.0.254#11208 (clients1.google.com): view internal: query: clients1.google.com IN A + (172.31.0.215)
24-Jul-2019 09:54:11.378 queries: client @0x7f2430301a50 172.31.0.254#53235 (mb.yidianzixun.com): view internal: query: mb.yidianzixun.com IN A + (172.31.0.215)
24-Jul-2019 09:54:11.422 queries: client @0x7f23d800b640 172.31.0.254#39779 (www.w3.org): view internal: query: www.w3.org IN A + (172.31.0.215)
24-Jul-2019 09:54:11.609 queries: client @0x7f2430250d50 172.31.0.254#37700 (staticimg.yidianzixun.com): view internal: query: staticimg.yidianzixun.com IN A + (172.31.0.215)
24-Jul-2019 09:54:11.610 queries: client @0x7f23d801a200 172.31.0.254#56234 (static1.yidianzixun.com): view internal: query: static1.yidianzixun.com IN A + (172.31.0.215)
24-Jul-2019 09:54:11.612 queries: client @0x7f2400029360 172.31.0.254#34401 (static.yidianzixun.com): view internal: query: static.yidianzixun.com IN A + (172.31.0.215)
24-Jul-2019 09:54:11.764 queries: client @0x7f2430de9e20 172.31.0.254#48701 (www.baidu.com): view internal: query: www.baidu.com IN A + (172.31.0.215)
24-Jul-2019 09:54:11.835 queries: client @0x7f23d000b640 172.31.0.254#39876 (www.google.com): view internal: query: www.google.com IN A + (172.31.0.215)
24-Jul-2019 09:54:11.899 queries: client @0x7f24302b7f90 172.31.0.254#63406 (pool.ntp.org): view internal: query: pool.ntp.org IN A + (172.31.0.215)
24-Jul-2019 09:54:12.003 queries: client @0x7f2430242190 172.31.0.254#45255 (oth.str.mdt.qq.com): view internal: query: oth.str.mdt.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:12.003 queries: client @0x7f23d800b640 172.31.0.254#53639 (oth.eve.mdt.qq.com): view internal: query: oth.eve.mdt.qq.com IN A + (172.31.0.215)
24-Jul-2019 09:54:12.021 queries: client @0x7f2430de9e20 172.31.0.254#47907 (184.123.207.140.in-addr.arpa): view internal: query: 184.123.207.140.in-addr.arpa IN PTR + (172.31.0.215)
24-Jul-2019 09:54:12.028 queries: client @0x7f2430368c90 172.31.0.254#39072 (166.76.226.101.in-addr.arpa): view internal: query: 166.76.226.101.in-addr.arpa IN PTR + (172.31.0.215)
```
this time the log did not show the info "exiting (due to assertion failure)",but the info appeared in Syslog:
```
Jul 24 09:10:29 localhost named[20102]: timed out resolving 'p-idle-miner.playfabapi.com/A/IN': 202.102.128.68#53
Jul 24 09:14:20 localhost named[20102]: timed out resolving 'guazi-vod.guazistatic.com.bsgslb.cn/A/IN': 219.146.1.66#53
Jul 24 09:14:47 localhost named[20102]: timed out resolving 'zs-stcmchina-com.cname.saaswaf.com/A/IN': 219.147.1.66#53
Jul 24 09:16:31 localhost named[20102]: timed out resolving 'p-idle-miner.playfabapi.com/CNAME/IN': 219.147.1.66#53
Jul 24 09:16:32 localhost named[20102]: timed out resolving 'p-idle-miner.playfabapi.com/CNAME/IN': 219.146.1.66#53
Jul 24 09:17:23 localhost named[20102]: client @0x7f2400029360 171.13.14.59#34784 (tjapi.news.so.com): view external: query failed (REFUSED) for tjapi.news.so.com/IN/A at query.c:5365
Jul 24 09:17:26 localhost named[20102]: client @0x7f243028bc50 171.13.14.37#29384 (dl.360safe.com): view external: query failed (REFUSED) for dl.360safe.com/IN/A at query.c:5365
Jul 24 09:17:29 localhost named[20102]: client @0x7f24200274f0 171.13.14.44#27816 (www.jumei.com): view external: query failed (REFUSED) for www.jumei.com/IN/A at query.c:5365
Jul 24 09:17:32 localhost named[20102]: client @0x7f2430de9e20 171.13.14.59#64416 (weibo.com): view external: query failed (REFUSED) for weibo.com/IN/A at query.c:5365
Jul 24 09:17:32 localhost named[20102]: timed out resolving 'd2k03kvdk5cku0.cloudfront.net/A/IN': 219.146.1.66#53
Jul 24 09:17:35 localhost named[20102]: client @0x7f243034b510 171.13.14.60#50928 (web.sogou.com): view external: query failed (REFUSED) for web.sogou.com/IN/A at query.c:5365
Jul 24 09:17:38 localhost named[20102]: client @0x7f241c037c50 171.13.14.62#2280 (www.duba.com): view external: query failed (REFUSED) for www.duba.com/IN/A at query.c:5365
Jul 24 09:17:41 localhost named[20102]: client @0x7f24302c6b50 171.13.14.40#44808 (hao.360.cn): view external: query failed (REFUSED) for hao.360.cn/IN/A at query.c:5365
Jul 24 09:17:44 localhost named[20102]: client @0x7f23e400faa0 171.13.14.50#15880 (www.360.cn): view external: query failed (REFUSED) for www.360.cn/IN/A at query.c:5365
Jul 24 09:17:47 localhost named[20102]: client @0x7f24302f2e90 171.13.14.53#56280 (tuan.360.cn): view external: query failed (REFUSED) for tuan.360.cn/IN/A at query.c:5365
Jul 24 09:17:51 localhost named[20102]: client @0x7f243032dd90 171.13.14.39#58632 (www.btime.com): view external: query failed (REFUSED) for www.btime.com/IN/A at query.c:5365
Jul 24 09:17:54 localhost named[20102]: client @0x7f243032dd90 171.13.14.59#41280 (v.360.cn): view external: query failed (REFUSED) for v.360.cn/IN/A at query.c:5365
Jul 24 09:17:57 localhost named[20102]: client @0x7f243032dd90 171.13.14.54#3360 (softdl.360tpcdn.com): view external: query failed (REFUSED) for softdl.360tpcdn.com/IN/A at query.c:5365
Jul 24 09:18:00 localhost named[20102]: client @0x7f2430301a50 171.13.14.39#25016 (click.union.vip.com): view external: query failed (REFUSED) for click.union.vip.com/IN/A at query.c:5365
Jul 24 09:18:03 localhost named[20102]: client @0x7f2430301a50 171.13.14.35#13512 (www.baidu.com): view external: query failed (REFUSED) for www.baidu.com/IN/A at query.c:5365
Jul 24 09:18:06 localhost named[20102]: client @0x7f23d000b640 171.13.14.47#11960 (www.114la.com): view external: query failed (REFUSED) for www.114la.com/IN/A at query.c:5365
Jul 24 09:18:09 localhost named[20102]: client @0x7f24302c6b50 171.13.14.53#61384 (www.haosou.com): view external: query failed (REFUSED) for www.haosou.com/IN/A at query.c:5365
Jul 24 09:18:12 localhost named[20102]: client @0x7f24302c6b50 171.13.14.57#20856 (so.360.cn): view external: query failed (REFUSED) for so.360.cn/IN/A at query.c:5365
Jul 24 09:18:15 localhost named[20102]: client @0x7f23d801a200 171.13.14.60#9496 (bizhi.360.cn): view external: query failed (REFUSED) for bizhi.360.cn/IN/A at query.c:5365
Jul 24 09:18:18 localhost named[20102]: client @0x7f241c00fc00 171.13.14.38#51168 (bbs.webscan.360.cn): view external: query failed (REFUSED) for bbs.webscan.360.cn/IN/A at query.c:5365
Jul 24 09:18:21 localhost named[20102]: client @0x7f241c028c50 171.13.14.39#64280 (v.sj.360.cn): view external: query failed (REFUSED) for v.sj.360.cn/IN/A at query.c:5365
Jul 24 09:18:24 localhost named[20102]: client @0x7f23d0029900 171.13.14.44#47928 (ai.taobao.com): view external: query failed (REFUSED) for ai.taobao.com/IN/A at query.c:5365
Jul 24 09:18:27 localhost named[20102]: client @0x7f23d0029900 171.13.14.50#25656 (www.hao123.com): view external: query failed (REFUSED) for www.hao123.com/IN/A at query.c:5365
Jul 24 09:18:30 localhost named[20102]: client @0x7f23e8010ae0 171.13.14.57#30632 (hao.qq.com): view external: query failed (REFUSED) for hao.qq.com/IN/A at query.c:5365
Jul 24 09:18:33 localhost named[20102]: client @0x7f241c037c50 171.13.14.58#41176 (123.chinaso.com): view external: query failed (REFUSED) for 123.chinaso.com/IN/A at query.c:5365
Jul 24 09:18:36 localhost named[20102]: client @0x7f243028bc50 171.13.14.41#11968 (soft.360.cn): view external: query failed (REFUSED) for soft.360.cn/IN/A at query.c:5365
Jul 24 09:18:39 localhost named[20102]: client @0x7f240001a200 171.13.14.53#1128 (cdn.soft.360.cn): view external: query failed (REFUSED) for cdn.soft.360.cn/IN/A at query.c:5365
Jul 24 09:18:42 localhost named[20102]: client @0x7f2420035f50 171.13.14.47#21688 (www.360kan.com): view external: query failed (REFUSED) for www.360kan.com/IN/A at query.c:5365
Jul 24 09:18:45 localhost named[20102]: client @0x7f2420035f50 171.13.14.46#46912 (jumpluna.58.com): view external: query failed (REFUSED) for jumpluna.58.com/IN/A at query.c:5365
Jul 24 09:18:48 localhost named[20102]: client @0x7f242000c490 171.13.14.62#42496 (s.click.taobao.com): view external: query failed (REFUSED) for s.click.taobao.com/IN/A at query.c:5365
Jul 24 09:18:51 localhost named[20102]: client @0x7f243029a810 171.13.14.49#50768 (123.sogou.com): view external: query failed (REFUSED) for 123.sogou.com/IN/A at query.c:5365
Jul 24 09:18:54 localhost named[20102]: client @0x7f2430310610 171.13.14.37#4656 (cx.soft.360.cn): view external: query failed (REFUSED) for cx.soft.360.cn/IN/A at query.c:5365
Jul 24 09:18:58 localhost named[20102]: client @0x7f2430310610 171.13.14.45#58960 (big.softdl.360tpcdn.com): view external: query failed (REFUSED) for big.softdl.360tpcdn.com/IN/A at query.c:5365
Jul 24 09:19:01 localhost named[20102]: client @0x7f23d8029900 171.13.14.50#17880 (down.360safe.com): view external: query failed (REFUSED) for down.360safe.com/IN/A at query.c:5365
Jul 24 09:19:04 localhost named[20102]: client @0x7f243031f1d0 171.13.14.48#40544 (intf.soft.360.cn): view external: query failed (REFUSED) for intf.soft.360.cn/IN/A at query.c:5365
Jul 24 09:19:07 localhost named[20102]: client @0x7f240000b640 171.13.14.61#53840 (www.chinaso.com): view external: query failed (REFUSED) for www.chinaso.com/IN/A at query.c:5365
Jul 24 09:19:10 localhost named[20102]: client @0x7f243028bc50 171.13.14.40#48392 (www.huajiao.com): view external: query failed (REFUSED) for www.huajiao.com/IN/A at query.c:5365
Jul 24 09:19:13 localhost named[20102]: client @0x7f240000b640 171.13.14.42#18720 (www.2345.com): view external: query failed (REFUSED) for www.2345.com/IN/A at query.c:5365
Jul 24 09:19:16 localhost named[20102]: client @0x7f24302d5710 171.13.14.54#34800 (www.uc123.com): view external: query failed (REFUSED) for www.uc123.com/IN/A at query.c:5365
Jul 24 09:19:19 localhost named[20102]: client @0x7f2430224a10 171.13.14.38#6968 (123.duba.net): view external: query failed (REFUSED) for 123.duba.net/IN/A at query.c:5365
Jul 24 09:19:22 localhost named[20102]: client @0x7f243025f910 171.13.14.54#6824 (www.sogou.com): view external: query failed (REFUSED) for www.sogou.com/IN/A at query.c:5365
Jul 24 09:19:25 localhost named[20102]: client @0x7f23e8010ae0 171.13.14.45#52352 (www.so.com): view external: query failed (REFUSED) for www.so.com/IN/A at query.c:5365
Jul 24 09:19:28 localhost named[20102]: client @0x7f243034b510 171.13.14.35#36240 (update.360safe.com): view external: query failed (REFUSED) for update.360safe.com/IN/A at query.c:5365
Jul 24 09:19:31 localhost named[20102]: client @0x7f24302d5710 171.13.14.39#30008 (baoku.360.cn): view external: query failed (REFUSED) for baoku.360.cn/IN/A at query.c:5365
Jul 24 09:19:34 localhost named[20102]: client @0x7f243025f910 171.13.14.45#4536 (speedball.xyx.wan.360.cn): view external: query failed (REFUSED) for speedball.xyx.wan.360.cn/IN/A at query.c:5365
Jul 24 09:19:37 localhost named[20102]: client @0x7f243035a0d0 171.13.14.54#39600 (yule.360.cn): view external: query failed (REFUSED) for yule.360.cn/IN/A at query.c:5365
Jul 24 09:19:40 localhost named[20102]: client @0x7f23dc00bbe0 171.13.14.45#37112 (union.click.jd.com): view external: query failed (REFUSED) for union.click.jd.com/IN/A at query.c:5365
Jul 24 09:19:43 localhost named[20102]: client @0x7f240000b640 171.13.14.60#27992 (daohang.qq.com): view external: query failed (REFUSED) for daohang.qq.com/IN/A at query.c:5365
Jul 24 09:19:59 localhost named[20102]: timed out resolving 'p2.ssl.qhimg.com/A/IN': 202.102.128.68#53
Jul 24 09:20:01 localhost systemd: Created slice User Slice of root.
Jul 24 09:20:01 localhost systemd: Started Session 6112 of user root.
Jul 24 09:20:01 localhost systemd: Removed slice User Slice of root.
Jul 24 09:21:04 localhost named[20102]: timed out resolving 'www.ieee.org/CNAME/IN': 202.102.128.68#53
Jul 24 09:21:57 localhost named[20102]: client @0x7f2430242190 74.82.47.50#12222 (dnsscan.shadowserver.org): view external: query failed (REFUSED) for dnsscan.shadowserver.org/IN/A at query.c:5365
Jul 24 09:22:16 localhost named[20102]: timed out resolving 'PC-20181106YLYQ.DHCP\032HOST/A/IN': 219.146.1.66#53
Jul 24 09:22:17 localhost named[20102]: timed out resolving 'PC-20181106YLYQ.DHCP\032HOST/A/IN': 219.147.1.66#53
Jul 24 09:24:06 localhost named[20102]: timed out resolving 'cms.jinan.cn/A/IN': 219.147.1.66#53
Jul 24 09:25:01 localhost systemd: Created slice User Slice of pcp.
Jul 24 09:25:01 localhost systemd: Started Session 6113 of user pcp.
Jul 24 09:25:01 localhost systemd: Removed slice User Slice of pcp.
Jul 24 09:25:38 localhost named[20102]: timed out resolving 'reg.hao.360.cn/A/IN': 202.102.128.68#53
Jul 24 09:25:38 localhost named[20102]: timed out resolving 'h2m.dmp.360.cn/A/IN': 202.102.128.68#53
Jul 24 09:28:01 localhost systemd: Created slice User Slice of pcp.
Jul 24 09:28:01 localhost systemd: Started Session 6114 of user pcp.
Jul 24 09:28:01 localhost systemd: Removed slice User Slice of pcp.
Jul 24 09:30:01 localhost systemd: Created slice User Slice of pcp.
Jul 24 09:30:01 localhost systemd: Started Session 6116 of user pcp.
Jul 24 09:30:01 localhost systemd: Created slice User Slice of root.
Jul 24 09:30:01 localhost systemd: Started Session 6115 of user root.
Jul 24 09:30:01 localhost systemd: Removed slice User Slice of root.
Jul 24 09:30:01 localhost systemd: Removed slice User Slice of pcp.
Jul 24 09:30:06 localhost named[20102]: timed out resolving 'wpad.DHCP\032HOST/A/IN': 219.146.1.66#53
Jul 24 09:30:59 localhost named[20102]: timed out resolving 'livetileedge.xbetservices.akadns.net/A/IN': 202.102.128.68#53
Jul 24 09:31:17 localhost named[20102]: timed out resolving 'www.google.cn/A/IN': 219.147.1.66#53
Jul 24 09:36:14 localhost named[20102]: timed out resolving 'mobilepics.ws.126.net.bsgslb.cn/A/IN': 202.102.128.68#53
Jul 24 09:37:10 localhost systemd-logind: New session 6117 of user hbh.
Jul 24 09:37:10 localhost systemd: Started Session 6117 of user hbh.
Jul 24 09:37:10 localhost dbus[8700]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Jul 24 09:37:11 localhost dbus[8700]: [system] Successfully activated service 'org.freedesktop.problems'
Jul 24 09:37:19 localhost dbus[8700]: [system] Activating via systemd: service name='net.reactivated.Fprint' unit='fprintd.service'
Jul 24 09:37:19 localhost systemd: Starting Fingerprint Authentication Daemon...
Jul 24 09:37:19 localhost dbus[8700]: [system] Successfully activated service 'net.reactivated.Fprint'
Jul 24 09:37:19 localhost systemd: Started Fingerprint Authentication Daemon.
Jul 24 09:37:29 localhost su: (to root) hbh on pts/1
Jul 24 09:38:23 localhost named[20102]: client @0x7f23d800b640 1.192.90.183#11759 (www.ipplus360.com): view external: query failed (REFUSED) for www.ipplus360.com/IN/A at query.c:5365
Jul 24 09:38:24 localhost named[20102]: client @0x7f24302d5710 1.192.90.183#47631 (asijeicjaiowjojaoiejfa.com): view external: query failed (REFUSED) for asijeicjaiowjojaoiejfa.com/IN/A at query.c:5365
Jul 24 09:39:28 localhost named[20102]: timed out resolving '8.e.e.0.0.2.a.7.f.d.2.7.8.7.a.9.3.1.6.6.4.c.0.8.7.0.8.8.9.0.4.2.ip6.arpa/PTR/IN': 202.102.128.68#53
Jul 24 09:40:01 localhost systemd: Created slice User Slice of root.
Jul 24 09:40:01 localhost systemd: Started Session 6118 of user root.
Jul 24 09:40:01 localhost systemd: Removed slice User Slice of root.
Jul 24 09:41:51 localhost systemd-logind: New session 6119 of user hbh.
Jul 24 09:41:51 localhost systemd: Started Session 6119 of user hbh.
Jul 24 09:41:52 localhost dbus[8700]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Jul 24 09:41:52 localhost dbus[8700]: [system] Successfully activated service 'org.freedesktop.problems'
Jul 24 09:41:59 localhost systemd-logind: Removed session 6119.
Jul 24 09:42:13 localhost systemd-logind: Removed session 6117.
Jul 24 09:45:33 localhost DhcpLFC: INFO [DhcpLFC] LFC_START Starting lease file cleanup
Jul 24 09:45:33 localhost DhcpLFC: INFO [DhcpLFC] LFC_PROCESSING Previous file: /usr/local/kea/var/kea/kea-leases6.csv.2, copy file: /usr/local/kea/var/kea/kea-leases6.csv.1
Jul 24 09:45:33 localhost DhcpLFC: INFO [DhcpLFC.dhcpsrv] DHCPSRV_MEMFILE_LEASE_FILE_LOAD loading leases from file /usr/local/kea/var/kea/kea-leases6.csv.2
Jul 24 09:45:33 localhost DhcpLFC: INFO [DhcpLFC.dhcpsrv] DHCPSRV_MEMFILE_LEASE_FILE_LOAD loading leases from file /usr/local/kea/var/kea/kea-leases6.csv.1
Jul 24 09:45:33 localhost DhcpLFC: INFO [DhcpLFC] LFC_READ_STATS Leases: 0, attempts: 2, errors: 0.
Jul 24 09:45:33 localhost DhcpLFC: INFO [DhcpLFC] LFC_WRITE_STATS Leases: 0, attempts: 0, errors: 0.
Jul 24 09:45:33 localhost DhcpLFC: INFO [DhcpLFC] LFC_ROTATING LFC rotating files
Jul 24 09:45:33 localhost DhcpLFC: INFO [DhcpLFC] LFC_TERMINATE LFC finished processing
Jul 24 09:46:17 localhost named[20102]: timed out resolving 'PC-20181106YLYQ.DHCP\032HOST/A/IN': 219.146.1.66#53
Jul 24 09:46:18 localhost named[20102]: timed out resolving 'PC-20181106YLYQ.DHCP\032HOST/A/IN': 219.147.1.66#53
Jul 24 09:47:47 localhost named[20102]: timed out resolving 'jprx.m.qq.com/A/IN': 219.146.1.66#53
Jul 24 09:50:02 localhost systemd: Created slice User Slice of root.
Jul 24 09:50:02 localhost systemd: Started Session 6120 of user root.
Jul 24 09:50:02 localhost systemd: Removed slice User Slice of root.
Jul 24 09:50:11 localhost named[20102]: timed out resolving 'wpad.DHCP\032HOST/A/IN': 219.147.1.66#53
Jul 24 09:52:32 localhost named[20102]: timed out resolving '2.5.8.2.d.7.9.0.8.e.5.5.3.4.5.4.6.4.1.3.4.e.2.8.7.0.8.8.9.0.4.2.ip6.arpa/PTR/IN': 202.102.128.68#53
Jul 24 09:52:33 localhost named[20102]: timed out resolving '2.5.8.2.d.7.9.0.8.e.5.5.3.4.5.4.6.4.1.3.4.e.2.8.7.0.8.8.9.0.4.2.ip6.arpa/PTR/IN': 219.147.1.66#53
Jul 24 09:54:12 localhost named[20102]: DNS format error from 202.102.128.68#53 resolving 184.123.207.140.in-addr.arpa/PTR for client 172.31.0.254#47907: non-improving referral
Jul 24 09:54:12 localhost named[20102]: FORMERR resolving '184.123.207.140.in-addr.arpa/PTR/IN': 202.102.128.68#53
Jul 24 09:54:12 localhost named[20102]: DNS format error from 219.147.1.66#53 resolving 184.123.207.140.in-addr.arpa/PTR for client 172.31.0.254#47907: non-improving referral
Jul 24 09:54:12 localhost named[20102]: FORMERR resolving '184.123.207.140.in-addr.arpa/PTR/IN': 219.147.1.66#53
Jul 24 09:54:12 localhost named[20102]: DNS format error from 219.146.1.66#53 resolving 184.123.207.140.in-addr.arpa/PTR for client 172.31.0.254#47907: non-improving referral
Jul 24 09:54:12 localhost named[20102]: FORMERR resolving '184.123.207.140.in-addr.arpa/PTR/IN': 219.146.1.66#53
Jul 24 09:54:12 localhost named[20102]: resolver.c:4932: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed
Jul 24 09:54:12 localhost named[20102]: exiting (due to assertion failure)
```
then it died.
my configurations about bind are below:
```
named.conf:
acl "trusted"{
127.0.0.1/32;
218.57.138.208/28;
58.56.105.64/28;
192.168.0.0/16;
172.0.0.0/8;
173.0.0.0/8;
174.20.0.0/16;
193.0.0.0/8;
10.4.0.0/18;
};
#logging {
# channel query_log {
# file "query.log" versions 5 size 20m;
# #severity info;
# severity debug 10;
# print-time yes;
# print-category yes;
# };
# category queries {
# query_log;
# };
#};
options {
version "DNSSERVER1.1.1";
directory "/etc/named";
listen-on {172.31.0.215;127.0.0.1;};
forwarders {202.102.128.68;219.146.1.66;219.147.1.66;};
forward first;
#forward only;
pid-file "/var/run/named.pid";
statistics-file "/var/run/named.stats";
recursion no;
allow-recursion {none;};
dnssec-enable no;
dnssec-validation no;
};
controls {
inet 127.0.0.1 port 953 allow {localhost;} keys {rndc_key;};
};
include "/etc/rndc.key";
view "internal" {
match-clients {trusted;};
recursion yes;
allow-recursion {trusted;};
#match-clients {any;};
#allow-recursion {any;};
zone "mydomain.com" {
type master;
file "db.mydomain.in";
};
zone "0.0.127.in-addr.arpa"{
type master;
file "db.127.0.0";
allow-update {none;};
allow-query {none;};
};
zone "138.57.218.in-addr.arpa"{
type master;
file "db.218.57.138";
};
zone "localhost" {
type master;
file "db.local";
};
zone "." {
type hint;
file "db.root";
};
};
view "external" {
match-clients {any;};
recursion no;
allow-recursion {none;};
zone "mydomain.com" {
type master;
file "db.mydomain.ex";
};
zone "138.57.218.in-addr.arpa"{
type master;
file "db.218.57.138";
};
zone "105.56.58.in-addr.arpa"{
type master;
file "db.58.56.105";
};
};
```
```
db.218.57.
TTL 600 ; 1 hour
138.57.218.in-addr.arpa IN SOA ns3.mydomain.com dns.mydomain.com. (
18 ; serial
900 ; refresh (15 minutes)
600 ; retry (10 minutes)
86400 ; expire (1 day)
3600 ; minimum (1 hour)
)
NS ns1.mydomain.com.
NS ns2.mydomain.com.
NS ns3.mydomain.com.
$ORIGIN 138.57.218.in-addr.arpa.
211 PTR ns1.mydomain.com.
212 PTR ns2.mydomain.com.
217 PTR ns3.mydomain.com.
213 PTR www.mydomain.com.
214 PTR mail.mydomain.com.
215 PTR ftp.mydomain.com.
215 PTR go.mydomain.com.
217 PTR net.mydomain.com.
```
bind9 run in chroot mode:
`/usr/local/bind/sbin/named -4 -c /etc/named.conf -t /chroot/named -u named`
any else infomation i can offer,please tell me if necessary.
Best regards,
21848706@qq.com
thanks a lot !
### Incident tracking page
https://wiki.isc.org/bin/view/Main/SecurityIncidentChecklist20196476QminAndForwardersOctober 2019 (9.11.12, 9.14.7, 9.15.5)https://gitlab.isc.org/isc-projects/bind9/-/issues/1051[CVE-2019-6476] Bind randomly goes nuts with critical: exiting (due to assert...2019-10-16T21:10:10ZGhost User[CVE-2019-6476] Bind randomly goes nuts with critical: exiting (due to assertion failure)**Linux version 4.14.47-64.38.amzn2.x86_64 (gcc version 7.3.1 20180303 (Red Hat 7.3.1-5) (GCC)) #1 SMP**
**bind9.14.2**
general: critical: resolver.c:4908: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed
general: criti...**Linux version 4.14.47-64.38.amzn2.x86_64 (gcc version 7.3.1 20180303 (Red Hat 7.3.1-5) (GCC)) #1 SMP**
**bind9.14.2**
general: critical: resolver.c:4908: INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain)) failed
general: critical: exiting (due to assertion failure)
### Summary
(Summarize the bug encountered concisely.)
### BIND version used
BIND 9.14.2 (Stable Release) <id:7a62b30>
running on Linux x86_64 4.14.114-103.97.amzn2.x86_64 #1 SMP Sun Apr 28 03:59:40 UTC 2019
built by make with '-prefix=/var/named' '--enable-threads' '--enable-epoll' '--enable-fetchlimi' '--disable-openssl-version-check' '--with-dlz-filesystem'
compiled by GCC 7.3.1 20180303 (Red Hat 7.3.1-5)
compiled with OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
threads support is enabled
default paths:
named configuration: /var/named/etc/named.conf
rndc configuration: /var/named/etc/rndc.conf
DNSSEC root key: /var/named/etc/bind.keys
nsupdate session key: /var/named/var/run/named/session.key
named PID file: /var/named/var/run/named/named.pid
named lock file: /var/named/var/run/named/named.lock
### Steps to reproduce
After the program has been running for some time
### What is the current *bug* behavior?
Bind randomly goes nuts with critical: exiting (due to assertion failure)
### What is the expected *correct* behavior?
(What you should see instead.)
### Relevant configuration files
(Paste any relevant configuration files - please use code blocks (```)
to format console output. If submitting the contents of your
configuration file in a non-confidential Issue, it is advisable to
obscure key secrets: this can be done automatically by using
`named-checkconf -px`.)
### Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console
output, logs, and code, as it's very hard to read otherwise.)
### Possible fixes
(If you can, link to the line of code that might be responsible for the
problem.)
/label ~bug
### Incident tracking page
https://wiki.isc.org/bin/view/Main/SecurityIncidentChecklist20196476QminAndForwarders
October 2019 (9.11.12, 9.14.7, 9.15.5)Michał KępieńMichał Kępieńhttps://gitlab.isc.org/isc-projects/bind9/-/issues/1043cppcheck-detected code issues2019-10-02T12:27:39ZStephen Morriscppcheck-detected code issuesA number of issues were detected in commit efff347f969cb9cdf8c520d2d393bbf6f61a2dcb on May 21. Those which don't appear to be down to things like cppcheck not noticing that a REQUIRE has already checked for a pointer being non-null are:
...A number of issues were detected in commit efff347f969cb9cdf8c520d2d393bbf6f61a2dcb on May 21. Those which don't appear to be down to things like cppcheck not noticing that a REQUIRE has already checked for a pointer being non-null are:
**lib/irs/win32/resconf.c(35)**
Variable 'keyFound' is assigned a value that is never used.
**lib/isc/tests/mem_test.c(410)**
Variable 'f' is assigned a value that is never used.
**lib/isc/tests/mem_test.c(531)**
Variable 'size' is assigned a value that is never used.
**lib/isc/unix/net.c(399)**
Unused variable: flags.
**lib/isc/win32/app.c(83)**
Unused variable: result.
**lib/isc/win32/app.c(169)**
Variable 'pHandles' is assigned a value that is never used.
**lib/isc/win32/socket.c(2478)**
Unused variable: result.
**lib/samples/nsprobe.c(110-115)**
A number of fields in the lcl_stat structure have the same name as the query_result_t enum constants and cppcheck complains that "Variable 'XXX' hides enumerator with same name".
The full cppcheck output can be found on Jenkins [here](https://jenkins.isc.org/view/BIND/job/bind9-cpp-check/409/cppcheckResult).October 2019 (9.11.12, 9.14.7, 9.15.5)https://gitlab.isc.org/isc-projects/bind9/-/issues/846dig cannot display ACE query if locale is not unicode2019-10-02T12:20:57ZPetr Menšíkdig cannot display ACE query if locale is not unicode### Summary
If system has no locales built or current language does not allow conversion from ACE, dig currently fails with fatal error.
Reported to RH Bugzilla [Bug #1647829](https://bugzilla.redhat.com/show_bug.cgi?id=1647829).
### ...### Summary
If system has no locales built or current language does not allow conversion from ACE, dig currently fails with fatal error.
Reported to RH Bugzilla [Bug #1647829](https://bugzilla.redhat.com/show_bug.cgi?id=1647829).
### BIND version used
```
BIND 9.13.5 (Development Release) <id:14d48a9b69>
running on Linux x86_64 4.20.3-200.fc29.x86_64 #1 SMP Thu Jan 17 15:19:35 UTC 2019
built by make with '--enable-exportlib' '--with-libtool' '--with-dlopen' '--with-libidn2' '--without-lmdb' '--with-atf=/usr' '--enable-threads' 'CFLAGS=-ggdb -O0'
compiled by GCC 8.2.1 20181215 (Red Hat 8.2.1-6)
compiled with OpenSSL version: OpenSSL 1.1.1a FIPS 20 Nov 2018
linked to OpenSSL version: OpenSSL 1.1.1a FIPS 20 Nov 2018
compiled with libxml2 version: 2.9.8
linked to libxml2 version: 20908
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
```
### Steps to reproduce
```
LANG=C bin/dig/dig -t NS $(idn2 háčkyčárky.cz)
LANG=C dig NS xn--cg4bki.
```
### What is the current *bug* behavior?
```
dig: Cannot represent 'xn--hkyrky-ptac70bc.cz' in the current locale (string encoding error), use +noidnout or a different locale
```
### What is the expected *correct* behavior?
Dig should output any valid form. ACE is not user friendly, but far better than fatal error and usage of custom parameter.
```
; <<>> DiG 9.13.5 <<>> -t NS xn--hkyrky-ptac70bc.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51221
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xn--hkyrky-ptac70bc.cz. IN NS
;; ANSWER SECTION:
xn--hkyrky-ptac70bc.cz. 695 IN NS b.ns.xn--hkyrky-ptac70bc.cz.
xn--hkyrky-ptac70bc.cz. 695 IN NS a.ns.xn--hkyrky-ptac70bc.cz.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 29 18:17:50 CET 2019
;; MSG SIZE rcvd: 86
```
```; <<>> DiG 9.13.5 <<>> NS xn--cg4bki.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9699
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xn--cg4bki. IN NS
;; ANSWER SECTION:
xn--cg4bki. 86383 IN NS ns1.xn--cg4bki.centralnic-dns.com.
xn--cg4bki. 86383 IN NS ns2.xn--cg4bki.centralnic-dns.com.
xn--cg4bki. 86383 IN NS ns3.xn--cg4bki.centralnic-dns.com.
xn--cg4bki. 86383 IN NS c.xn--cg4bki.dyntld.net.
xn--cg4bki. 86383 IN NS ns4.xn--cg4bki.centralnic-dns.com.
xn--cg4bki. 86383 IN NS d.xn--cg4bki.dyntld.net.
xn--cg4bki. 86383 IN NS a.xn--cg4bki.dyntld.net.
xn--cg4bki. 86383 IN NS b.xn--cg4bki.dyntld.net.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 29 18:43:59 CET 2019
;; MSG SIZE rcvd: 225
```
### Relevant configuration files
Just compile --with-libidn2
### Possible fixes
dig would just fall back to ASCII, which he already verified is working. Preserves compatibility with disabled IDN in this case, no matter what locale is used.October 2019 (9.11.12, 9.14.7, 9.15.5)https://gitlab.isc.org/isc-projects/bind9/-/issues/414Legal issue with pkcs11 headers2020-03-02T09:44:08ZPetr MenšíkLegal issue with pkcs11 headersHi!
I was reviewing our package licensing and lib/isc/includes/pkcs11/pkcs*.h headers came to my eyes. Their license seems to be quite restrictive. Have you reviewed its license before adding it to bind 9.11? Do you believe it is compat...Hi!
I was reviewing our package licensing and lib/isc/includes/pkcs11/pkcs*.h headers came to my eyes. Their license seems to be quite restrictive. Have you reviewed its license before adding it to bind 9.11? Do you believe it is compatible with Mozilla Public License used for sources? I am not lawyer, but it seems it might not be compatible.
As a coincidence, similar file from OpenJDK was discussed on [Fedora Legal mailing list](https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/thread/2QXHMTZ47DMMARJVI6PUMSYUPVFAGLCV/) few days ago. Apparently it is the same file BIND also distributes.
I know you support Windows builds where such functionality is important. Do you have any reason why headers from p11-kit are not used instead?
Marking as private issue.October 2019 (9.11.12, 9.14.7, 9.15.5)https://gitlab.isc.org/isc-projects/bind9/-/issues/327Make the Windows builds parallel2019-10-02T12:21:53ZOndřej SurýMake the Windows builds parallelApparently the nmake has capability to run builds in parallel, we just haven't enable such option. Unfortunately, my knowledge of VS build system is at the "random monkeys smashing keyboard buttons", so unless the search engine results ...Apparently the nmake has capability to run builds in parallel, we just haven't enable such option. Unfortunately, my knowledge of VS build system is at the "random monkeys smashing keyboard buttons", so unless the search engine results help, somebody will need to look into this in more detail.
The parametrized win64 build now has something like `set CL=/MP`, so we'll see.October 2019 (9.11.12, 9.14.7, 9.15.5)Michał KępieńMichał Kępieńhttps://gitlab.isc.org/isc-projects/bind9/-/issues/147Add Windows to GitLab CI2022-11-10T14:18:14ZOndřej SurýAdd Windows to GitLab CIOctober 2019 (9.11.12, 9.14.7, 9.15.5)Michał KępieńMichał Kępieńhttps://gitlab.isc.org/isc-projects/bind9/-/issues/1306Release Checklist for BIND 9.11.13, BIND 9.11.13-S1, BIND 9.14.8, BIND 9.15.62019-11-21T10:19:52ZMichał KępieńRelease Checklist for BIND 9.11.13, BIND 9.11.13-S1, BIND 9.14.8, BIND 9.15.6**Public Release:** Wednesday, November 20th, 2019
## Release Checklist
## 2 Working Days Before the Tagging Deadline
- [x] ***(QA)*** Check whether all issues assigned to the release milestone are resolved[^1].
- [x] ***(QA)*** Ens...**Public Release:** Wednesday, November 20th, 2019
## Release Checklist
## 2 Working Days Before the Tagging Deadline
- [x] ***(QA)*** Check whether all issues assigned to the release milestone are resolved[^1].
- [x] ***(QA)*** Ensure that there are no outstanding merge requests in the private repository[^1] (Subscription Edition only).
## Before the Tagging Deadline
- [x] ***(QA)*** Inform Support/Marketing of impending release (and give estimated release dates).
- [x] ***(QA)*** Check Perflab to ensure there has been no unexplained drop in performance for the versions being released.
- [x] ***(SwEng)*** Update API files for libraries with new version information.
- [x] ***(SwEng)*** Change software version and library versions in `configure.ac` (new major release only).
- [x] ***(SwEng)*** Rebuild `configure` using Autoconf on `docs.isc.org`.
- [x] ***(SwEng)*** Update `CHANGES`.
- [x] ***(SwEng)*** Update `CHANGES.SE` (Subscription Edition only).
- [x] ***(SwEng)*** Update `README.md`.
- [x] ***(SwEng)*** Update `version`.
- [x] ***(SwEng)*** Build documentation on `docs.isc.org`.
- [x] ***(QA)*** Check that all the above steps were performed correctly.
- [x] ***(QA)*** Check that the contents of release notes match the merge requests comprising the releases.
- [x] ***(QA)*** Check that the formatting is correct for text, PDF, and HTML versions of release notes.
- [x] ***(SwEng)*** Tag the releases[^2]. (Tags may only be pushed to the public repository for releases which are *not* security releases.)
- [x] ***(SwEng)*** If this is the first tag for a release (e.g. beta), create a release branch named `release_v9_X_Y` to allow development to continue on the maintenance branch whilst release engineering continues.
## Before the ASN Deadline (for ASN Releases) or the Public Release Date (for Regular Releases)
- [x] ***(QA)*** Run the `make release` Jenkins jobs to produce the tarballs and zips.
- [x] ***(QA)*** Verify the results of `make release` Jenkins jobs and prepare a QA report for the releases to be published.
- [x] ***(QA)*** Request signatures for the tarballs.
- [x] ***(Signers)*** Sign the tarballs.
- [x] ***(QA)*** Check tarball signatures.
- [x] ***(QA)*** Notify Support that the releases are ready for publication.
- [x] ***(Support)*** Pre-publish ASN and/or Subscription Edition tarballs so that packages can be built.
- [x] ***(QA)*** Build and test ASN and/or Subscription Edition packages.
- [x] ***(Support)*** Send out ASNs (if applicable).
## On the Day of Public Release
- [x] ***(Support)*** Publish the releases according to the release schedule.
- [x] ***(Support)*** Write release email to *bind9-announce*.
- [x] ***(Support)*** Write email to *bind9-users* (if a major release).
- [x] ***(Support)*** Update tickets in case of waiting support customers.
- [x] ***(QA)*** Build and test any outstanding private packages.
- [x] ***(QA)*** Build public packages (`*.deb`, RPMs).
- [x] ***(QA)*** Inform Marketing of the release.
- [x] ***(QA)*** Update the internal [BIND release dates wiki page](https://wiki.isc.org/bin/view/Main/BindReleaseDates) when public announcement has been made.
- [x] ***(Marketing)*** Post short note to Twitter.
- [x] ***(Marketing)*** Update [Wikipedia entry for BIND](https://en.wikipedia.org/wiki/BIND).
- [x] ***(Marketing)*** Write blog article (if a major release).
- [x] ***(QA)*** Ensure all new tags are annotated and signed.
- [x] ***(SwEng)*** Push tags for the published releases to the public repository.
- [x] ***(SwEng)*** Merge the automatically prepared `prep 9.X.Y` commit which updates `version` and documentation on the release branch into the relevant maintenance branch (`v9_X`).
[^1]: If not, use the time remaining until the tagging deadline to ensure all outstanding issues are either resolved or moved to a different milestone.
[^2]: Preferred command line: `git tag -u <DEVELOPER_KEYID> -a -s -m "BIND 9.X.Y[alphatag]" v9_X_Y[alphatag]`, where `[alphatag]` is an optional string such as `b1`, `rc1`, etc.November 2019 (9.11.13, 9.14.8, 9.15.6)Michal NowakMichal Nowak2019-11-20https://gitlab.isc.org/isc-projects/bind9/-/issues/1298sys/sysctl.h header is now deprecated2019-11-06T20:13:18ZWitold Krecickisys/sysctl.h header is now deprecatedNovember 2019 (9.11.13, 9.14.8, 9.15.6)https://gitlab.isc.org/isc-projects/bind9/-/issues/1288Log DNS_R_UNCHANGED from sync_secure_journal at info level in receive_secure_...2019-11-05T10:58:33ZMark AndrewsLog DNS_R_UNCHANGED from sync_secure_journal at info level in receive_secure_serial.ISC_LOG_ERROR is to high for this case.ISC_LOG_ERROR is to high for this case.November 2019 (9.11.13, 9.14.8, 9.15.6)https://gitlab.isc.org/isc-projects/bind9/-/issues/1281dnstap per view configuration2019-11-05T10:58:37ZGhost Userdnstap per view configuration### Summary
I'm upgrading from 9.14.2 to 9.14.7 but commit a4f38bec no longer permits dnstap per view configuration
### BIND version used
```
BIND 9.14.7 (Stable Release) <id:d410de0>
running on Linux x86_64 3.10.0-1062.1.2.el7.x86_64...### Summary
I'm upgrading from 9.14.2 to 9.14.7 but commit a4f38bec no longer permits dnstap per view configuration
### BIND version used
```
BIND 9.14.7 (Stable Release) <id:d410de0>
running on Linux x86_64 3.10.0-1062.1.2.el7.x86_64 #1 SMP Mon Sep 30 14:19:46 UTC 2019
built by make with '--enable-full-report' '--sysconfdir=/usr/local/etc' '--localstatedir=/var' '--without-libtool' '--with-libxml2' '--with-libjson' '--with-zlib' '--with-lmdb' '--with-libidn2' '--disable-ipv6' '--enable-dnstap' 'CFLAGS=-march=native -O2 -pipe' 'PKG_CONFIG_PATH=PKG_CONFIG_PATH:/usr/local/lib/pkgconfig'
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-39)
compiled with OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
compiled with libxml2 version: 2.9.1
linked to libxml2 version: 20901
compiled with libjson-c version: 0.11
linked to libjson-c version: 0.11
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
threads support is enabled
```
### Steps to reproduce
```
options {
...
dnstap-output unix "/var/run/named/dnstap.sock";
dnstap-identity hostname;
...
};
view "default" {
match-destinations { x.x.x.x; x.x.x.x; };
};
view "umbrella"{
match-destinations { y.y.y.y; y.y.y.y; };
dnstap { client response; };
};
```
### What is the current *bug* behavior?
named-checkconf reports: '**dnstap-output' must be set if 'dnstap' is set**'
### What is the expected *correct* behavior?
named-checkconf can parse the configuration.
Putting dnstap-output in the view configuration you get this error: '**unknown option 'dnstap-output'**'
### Relevant configuration files
```
options {
...
dnstap-output unix "/var/run/named/dnstap.sock";
dnstap-identity hostname;
...
};
view "default" {
match-destinations { x.x.x.x; x.x.x.x; };
};
view "umbrella"{
match-destinations { y.y.y.y; y.y.y.y; };
dnstap { client response; };
};
```
### Relevant logs and/or screenshots
### Possible fixes
Removing commit a4f38bec solve the problem.November 2019 (9.11.13, 9.14.8, 9.15.6)Mark AndrewsMark Andrewshttps://gitlab.isc.org/isc-projects/bind9/-/issues/1275EDNS0 CLIENT-SUBNET not working with GeoIP22022-01-27T12:28:57ZLeonid VasilievEDNS0 CLIENT-SUBNET not working with GeoIP2### Summary
We updated one server (geons1) with bind 9.11.11 witch was build with GeoIPv1 to bind 9.11.11 with GeoIPv2.
Our monitoring system use EDNS0 CLIENT-SUBNET extension for check right answers. These both servers use the same con...### Summary
We updated one server (geons1) with bind 9.11.11 witch was build with GeoIPv1 to bind 9.11.11 with GeoIPv2.
Our monitoring system use EDNS0 CLIENT-SUBNET extension for check right answers. These both servers use the same configuration.
On a server with bind 9.11.11 + GeoIP2 stopped working EDNS0 CLIENT-SUBNET extension.
### BIND version used
```
geons1# named -V
BIND 9.11.11 (Extended Support Version) <id:4ae9ff1>
running on FreeBSD amd64 11.3-RELEASE-p3 FreeBSD 11.3-RELEASE-p3 #0: Mon Aug 19 21:08:43 UTC 2019 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC
built by make with '--localstatedir=/var' '--disable-linux-caps' '--with-randomdev=/dev/random' '--with-libxml2=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlopen=yes' '--with-gost=no' '--without-python' '--sysconfdir=/usr/local/etc/namedb' '--disable-dnstap' '--disable-filter-aaaa' '--disable-fixed-rrset' '--with-geoip2' '--without-gssapi' '--without-libidn2' '--enable-ipv6' '--with-libjson=/usr/local' '--disable-largefile' '--without-lmdb' '--disable-native-pkcs11' '--disable-querytrace' '--disable-rpz-nsdname' '--disable-rpz-nsip' '--with-openssl=/usr' '--enable-threads' '--with-tuning=large' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd11.2' 'build_alias=amd64-portbld-freebsd11.2' 'CC=clang' 'CFLAGS=-O2 -pipe -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-isystem /usr/local/include' 'CPP=clang-cpp' 'PKG_CONFIG=pkgconf'
compiled by CLANG 4.2.1 Compatible FreeBSD Clang 6.0.0 (tags/RELEASE_600/final 326565)
compiled with OpenSSL version: OpenSSL 1.0.2o-freebsd 27 Mar 2018
linked to OpenSSL version: OpenSSL 1.0.2s-freebsd 28 May 2019
compiled with libxml2 version: 2.9.9
linked to libxml2 version: 20909
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
```
### Steps to reproduce
Wrong case, bind use source IP, geons1 (bind911 with GeoIPv2, answer 127.0.0.100, view RUSSIA):
```
17-Oct-2019 15:10:20.151 client @0x802e71400 91.103.XX.XX#14982 (chk.geo.example.com): view RUSSIA: query: chk.geo.example.com IN A +E(0)K (4.53.XX.XX)
lvv@icinga:~ % dig chk.geo.example.com +subnet=80.239.174.1 @geons1
; <<>> DiG 9.14.6 <<>> chk.geo.example.com +subnet=80.239.174.1 @geons1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24468
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: bfcd99141f0e8169e1a87dca5da859a11d53561203d948cb (good)
; CLIENT-SUBNET: 80.239.174.1/32/21
;; QUESTION SECTION:
;chk.geo.example.com. IN A
;; ANSWER SECTION:
chk.geo.example.com. 60 IN A 127.0.0.100
```
Right case, bind use IP from CLIENT-SUBNET, geons6 (bind911 with GeoIPv1, answer 127.0.0.101, view EUROPE):
```
17-Oct-2019 15:14:14.579 client @0x802e71e00 91.103.XX.XX#38833 (chk.geo.example.com): view EUROPE: query: chk.geo.example.com IN A +E(0)K (130.117.XX.XX)
lvv@icinga:~ % dig chk.geo.example.com +subnet=80.239.174.1 @geons6
; <<>> DiG 9.14.6 <<>> chk.geo.example.com +subnet=80.239.174.1 @geons6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44312
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2f1fa0472b16ae834c16f3435da859b66f3a821891e5b404 (good)
; CLIENT-SUBNET: 80.239.174.1/32/24
;; QUESTION SECTION:
;chk.geo.example.com. IN A
;; ANSWER SECTION:
chk.geo.example.com. 60 IN A 127.0.0.101
```November 2019 (9.11.13, 9.14.8, 9.15.6)Michał KępieńMichał Kępieńhttps://gitlab.isc.org/isc-projects/bind9/-/issues/1258CentOS 8 COPR builds2019-11-05T10:59:39ZGhost UserCentOS 8 COPR buildsNow that CentOS 8 is available and supported by COPR, please enable builds on CentOS 8.Now that CentOS 8 is available and supported by COPR, please enable builds on CentOS 8.November 2019 (9.11.13, 9.14.8, 9.15.6)Michał KępieńMichał Kępieńhttps://gitlab.isc.org/isc-projects/bind9/-/issues/1244CI not running IPv6 test portions2019-11-05T11:02:33ZMichal NowakCI not running IPv6 test portions### Summary
Out CI tests are have 16 times "IPv6 unavailable; skipping", e.g:
```
I:digdelv:IPv6 unavailable; skipping
I:digdelv:checking dig @IPv4addr -6 +mapped A a.example (26)
I:digdelv:IPv6 or IPv4-to-IPv6 mapping unavailable; ski...### Summary
Out CI tests are have 16 times "IPv6 unavailable; skipping", e.g:
```
I:digdelv:IPv6 unavailable; skipping
I:digdelv:checking dig @IPv4addr -6 +mapped A a.example (26)
I:digdelv:IPv6 or IPv4-to-IPv6 mapping unavailable; skipping
I:digdelv:checking dig +tcp @IPv4addr -6 +nomapped A a.example (27)
I:digdelv:IPv6 unavailable; skipping
I:digdelv:checking dig +notcp @IPv4addr -6 +nomapped A a.example (28)
I:digdelv:IPv6 unavailable; skipping
I:digdelv:checking dig +subnet (29)
```
See, e.g. https://gitlab.isc.org/isc-projects/bind9/-/jobs/333501.
I see this in CI jobs from beginning of September, so this is not a new thing.
The reason probably being, that our CI hosts do not have IPv6 networking set properly (e.g. using documentation prefix and probably other things are wrong or missing there):
```
root@gitlab-ci-07:~# cat /etc/docker/daemon.json
{ "ipv6": true, "fixed-cidr-v6": "2001:db8:1::/64" }
```
### BIND version used
`HEAD`
### Steps to reproduce
Just open any System job in CI and look for "IPv6 unavailable; skipping" in the log.November 2019 (9.11.13, 9.14.8, 9.15.6)