BIND issues
https://gitlab.isc.org/isc-projects/bind9/-/issues
2024-02-07T16:19:55Z

https://gitlab.isc.org/isc-projects/bind9/-/issues/4550
Resolve license aggregation for "reuse lint"
2024-02-07T16:19:55Z
Michal Nowak

`reuse lint` in the [`reuse`](https://gitlab.isc.org/isc-projects/bind9/-/jobs/3976938) CI job has a lot of deprecation warnings about license aggregation in our repo:
```
/opt/venv/lib/python3.11/site-packages/reuse/project.py:286: PendingDeprecationWarning: Copyright and licensing
information for 'COPYRIGHT' has been found in both 'COPYRIGHT' and in the DEP5 file located at '.reuse/dep5'.
The information for these two sources has been aggregated. In the future this behaviour will change, and you will
need to explicitly enable aggregation. See <https://github.com/fsfe/reuse-tool/issues/779>. You need do nothing
yet. Run with `--suppress-deprecation` to hide this warning.
...
```
Not planned
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/4549
heap-use-after-free lib/isccc/ccmsg.c:160 in ccmsg_senddone
2024-03-08T07:52:43Z
Michal Nowak

Job [#3977008](https://gitlab.isc.org/isc-projects/bind9/-/jobs/3977008) failed for 6b00e831e1f7dad6c02766721f3f921935f9d82d in the `shutdown` system test.
```
WARNING: ThreadSanitizer: heap-use-after-free
Write of size 8 at 0x000000000001 by main thread:
#0 ccmsg_senddone lib/isccc/ccmsg.c:160 (BuildId: d832ce616f43e7826d71895c29b8d1a636594d28)
#1 isc___nm_sendcb netmgr/netmgr.c:1882 (BuildId: e8eda90bc85b7cc4a5338c8afd79fad6b27213e4)
#2 isc__job_cb lib/isc/job.c:78 (BuildId: e8eda90bc85b7cc4a5338c8afd79fad6b27213e4)
#3 uv__run_idle /usr/src/libuv-v1.47.0/src/unix/loop-watcher.c:68 (BuildId: 073e85ad3e8928fc579b193a4ac75e2ebba7da2f)
#4 thread_body lib/isc/thread.c:85 (BuildId: e8eda90bc85b7cc4a5338c8afd79fad6b27213e4)
#5 isc_thread_main lib/isc/thread.c:116 (BuildId: e8eda90bc85b7cc4a5338c8afd79fad6b27213e4)
#6 isc_loopmgr_run lib/isc/loop.c:454 (BuildId: e8eda90bc85b7cc4a5338c8afd79fad6b27213e4)
#7 main bin/named/main.c:1574 (BuildId: 4133e9ffbbb7b06add829acea0965b1d834d5316)
Previous write of size 8 at 0x000000000001 by main thread:
#0 free <null> (BuildId: 732e44e7f1cd4f0f9ca7d27895a253bebdea6827)
#1 sdallocx lib/isc/jemalloc_shim.h:82 (BuildId: e8eda90bc85b7cc4a5338c8afd79fad6b27213e4)
#2 mem_put lib/isc/mem.c:328
#3 isc__mem_put lib/isc/mem.c:692
#4 conn_free bin/named/controlconf.c:597 (BuildId: 4133e9ffbbb7b06add829acea0965b1d834d5316)
#5 controlconnection_unref bin/named/controlconf.c:200
#6 controlconnection_detach bin/named/controlconf.c:200 (BuildId: 4133e9ffbbb7b06add829acea0965b1d834d5316)
#7 control_senddone bin/named/controlconf.c:284 (BuildId: 4133e9ffbbb7b06add829acea0965b1d834d5316)
#8 ccmsg_senddone lib/isccc/ccmsg.c:159 (BuildId: d832ce616f43e7826d71895c29b8d1a636594d28)
#9 isc___nm_sendcb netmgr/netmgr.c:1882 (BuildId: e8eda90bc85b7cc4a5338c8afd79fad6b27213e4)
#10 isc__job_cb lib/isc/job.c:78 (BuildId: e8eda90bc85b7cc4a5338c8afd79fad6b27213e4)
#11 uv__run_idle /usr/src/libuv-v1.47.0/src/unix/loop-watcher.c:68 (BuildId: 073e85ad3e8928fc579b193a4ac75e2ebba7da2f)
#12 thread_body lib/isc/thread.c:85 (BuildId: e8eda90bc85b7cc4a5338c8afd79fad6b27213e4)
#13 isc_thread_main lib/isc/thread.c:116 (BuildId: e8eda90bc85b7cc4a5338c8afd79fad6b27213e4)
#14 isc_loopmgr_run lib/isc/loop.c:454 (BuildId: e8eda90bc85b7cc4a5338c8afd79fad6b27213e4)
#15 main bin/named/main.c:1574 (BuildId: 4133e9ffbbb7b06add829acea0965b1d834d5316)
SUMMARY: ThreadSanitizer: heap-use-after-free lib/isccc/ccmsg.c:160 in ccmsg_senddone
```
We had a similar issue #4501 before.
March 2024 (9.16.49, 9.16.49-S1, 9.18.25, 9.18.25-S1, 9.19.22)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/4547
Add support for nginx load balancing with “X-Real-IP”
2024-01-24T11:56:31Z
Mr Ben

### Description
When I use doh, I hope bind can be deployed behind nginx and also be able to identify the client source IP. I have some views, and the policies of these views are judged based on the source IP.
This is not currently supported. Perhaps X-Real-IP should be added to the header of http, and the IP can be passed to the dns module to make policy judgments instead of the source IP of the IP layer.
### Request
Perhaps X-Real-IP should be added to the header of http, and the IP can be passed to the dns module to make policy judgments instead of the source IP of the IP layer.
### Links / references

https://gitlab.isc.org/isc-projects/bind9/-/issues/4546
Cannot Compile - Invalid Regex Prevents Generation of Parsetab Module
2024-01-23T22:35:43Z
Oleg S

### Summary
The Bind project (version 9.16.23) cannot be compiled due to regex
issues in the `bin/python/isc/policy.py` file.
Here is the output generated when running `make`:
### BIND version affected
9.16.23
### Steps to reproduce
1. On a Fedora 39 system (this probably applies beyond Fedora 39, too), with Python 3.12.1 installed,
simply clone the source code of the repo corresponding to
version 9.16.23.
2. Run `./configure` and ensure that it completes successfully
3. Run `make`
### What is the current *bug* behavior?
Make finishes prematurely because it cannot find the `parsetab` module.
### What is the expected *correct* behavior?
Make should be able to run the Python script and generate the `parsetab` module
successfully.
### Relevant configuration files
n/a
### Relevant logs
Here is the output of `make`:
```
/usr/bin/python policy.py parse /dev/null > /dev/null
ERROR: /home/olegs/Programming/cve-gen-ai/FixMorph/experiments/bind-backports/bind/bind-9.16.23/bin/python/isc/policy.py:63: Invalid regular expression for rule 't_DATESUFFIX'. missing -, : or ) at position 20
ERROR: /home/olegs/Programming/cve-gen-ai/FixMorph/experiments/bind-backports/bind/bind-9.16.23/bin/python/isc/policy.py:68: Invalid regular expression for rule 't_KEYTYPE'. global flags not at the start of the expression at position 14
ERROR: /home/olegs/Programming/cve-gen-ai/FixMorph/experiments/bind-backports/bind/bind-9.16.23/bin/python/isc/policy.py:73: Invalid regular expression for rule 't_ALGNAME'. global flags not at the start of the expression at position 14
PYTHONPATH=. /usr/bin/python -m parsetab
/usr/bin/python: No module named parsetab
make[3]: *** [Makefile:457: parsetab.py] Error 1
```

https://gitlab.isc.org/isc-projects/bind9/-/issues/4545
Flamethrower DoH queries timeout with BIND on FreeBSD
2024-03-04T16:12:33Z
Michal Nowak

In "stress" CI jobs, we run three types of scenarios where we send thousands of UDP and TCP queries per second to an authoritative, recursive, or recursive RPZ server. Each scenario runs on Linux amd64, Linux arm64, and FreeBSD 12.4 amd64 platforms. For a long time, I have tried to add support for DoT and DoH, and with the adoption of AWS for CI, this is now possible.
The major problem now is that there's something wrong with BIND-Flamethrower cooperation for DoH queries on FreeBSD 12.4 for all scenarios (authoritative, recursive, and recursive with RPZ). The problem is that Flamethrower 0.12 from upstream Git `master` - run on FreeBSD in CI or Linux in my local environment - never gets answers to DoH queries from BIND on FreeBSD (DoH on BIND on Linux is fine; DoT, TCP, and UDP on FreeBSD are fine as well). 100% of queries time out. During the Flamethrower runtime, in the BIND `-d 99` log, there are only a lot of lines like this: `22-Jan-2024 14:39:14.040 socket 0x8030df800: TLS server session created for 192.168.122.1#43511 on 192.168.122.73#4430`. However, the query does not seem to be processed in any way. It gets processed fine when sent by `dig +https`.
See job [#3956703](https://gitlab.isc.org/isc-projects/bind9/-/jobs/3956703) for logs and config files.
Here's a 10-second PCAP (`tcpdump port 4430 -i vtnet0`) from my local environment: [cap.pcap](/uploads/5b4bfee595db99cb92b220ce97eff697/cap.pcap).
Flamethrower output with 100% of queries timed out:
<details><summary>Click to expand</summary>
```
/usr/local/bin/flame --dnssec -P doh -F inet -g file -f ~/Downloads/fbsddoh/query_datafile -Q 1 -p 4430 192.168.122.73
WARNING: QPS limit is less than concurrent senders, changing limit to 30
binding traffic generators to 0.0.0.0
flaming target(s) [192.168.122.73] on port 4430 with 30 concurrent generators, each sending 100 queries every 1000ms on protocol doh
query generator [file] contains 105000 record(s)
rate limit @ 30 QPS (1 QPS per concurrent sender)
1.1768e-05s: send: 0, avg send: 0, recv: 0, avg recv: 0, min/avg/max resp: 0/-nan/0ms, in flight: 0, timeouts: 0
1.00012s: send: 0, avg send: 0, recv: 0, avg recv: 0, min/avg/max resp: 0/-nan/0ms, in flight: 0, timeouts: 0
2.00152s: send: 30, avg send: 30, recv: 0, avg recv: 0, min/avg/max resp: 0/-nan/0ms, in flight: 30, timeouts: 0
3.00237s: send: 0, avg send: 30, recv: 0, avg recv: 0, min/avg/max resp: 0/-nan/0ms, in flight: 30, timeouts: 0
4.00255s: send: 0, avg send: 30, recv: 0, avg recv: 0, min/avg/max resp: 0/-nan/0ms, in flight: 30, timeouts: 0
5.00297s: send: 90, avg send: 60, recv: 0, avg recv: 0, min/avg/max resp: 0/-nan/0ms, in flight: 90, timeouts: 30
6.00343s: send: 0, avg send: 60, recv: 0, avg recv: 0, min/avg/max resp: 0/-nan/0ms, in flight: 90, timeouts: 0
7.00418s: send: 0, avg send: 60, recv: 0, avg recv: 0, min/avg/max resp: 0/-nan/0ms, in flight: 90, timeouts: 0
8.00446s: send: 90, avg send: 70, recv: 0, avg recv: 0, min/avg/max resp: 0/-nan/0ms, in flight: 90, timeouts: 90
9.00494s: send: 0, avg send: 70, recv: 0, avg recv: 0, min/avg/max resp: 0/-nan/0ms, in flight: 90, timeouts: 0
10.0056s: send: 0, avg send: 70, recv: 0, avg recv: 0, min/avg/max resp: 0/-nan/0ms, in flight: 90, timeouts: 0
11.0064s: send: 90, avg send: 75, recv: 0, avg recv: 0, min/avg/max resp: 0/-nan/0ms, in flight: 90, timeouts: 90
^C11.1595s: send: 0, avg send: 75, recv: 0, avg recv: 0, min/avg/max resp: 0/-nan/0ms, in flight: 90, timeouts: 0
stopping, waiting up to 3s for in flight to finish...
------
run id : 7ffd5c99e030
run start : 2024-01-22T16:41:23Z
runtime : 14.1608 s
total sent : 300
total rcvd : 0
min resp : 0 ms
avg resp : -nan ms
max resp : 0 ms
avg r qps : 0
avg s qps : 75
avg pkt : 35.3258 bytes
tcp conn. : 568
timeouts : 300 (100%)
bad recv : 0
net errors : 0
```
</details>
BIND config file:
<details><summary>Click to expand</summary>
```
http local {
endpoints { "/dns-query"; };
};
options {
port 5300;
listen-on port 5300 { 10.53.0.2; };
listen-on-v6 port 5300 { fd92:7065:b8e:ffff::2; };
listen-on port 8530 tls ephemeral { 10.53.0.2; }; // DoT IPv4
listen-on-v6 port 8530 tls ephemeral { fd92:7065:b8e:ffff::2; }; // DoT IPv6
listen-on port 4430 tls ephemeral http local { 10.53.0.2; }; // DoH IPv4
listen-on port 4430 tls ephemeral http local { 192.168.122.73; }; // DoH IPv4
listen-on-v6 port 4430 tls ephemeral http local { fd92:7065:b8e:ffff::2; }; // DoH IPv6
#directory "/var/tmp/gitlab_runner/builds/e-TSUMFs/0/isc-projects/bind9/output/ns2";
allow-query { any ; };
query-source address 10.53.0.2;
pid-file "named.pid";
recursion no;
tcp-clients 50;
statistics-file "named.stats";
};
statistics-channels {
inet 10.53.0.2 port 5308 allow { any; };
};
key "rndc-key" {
algorithm hmac-sha256;
secret "G+hIujn1FwNv1QgEWLrzN8ZXodAHzciE7tMSYDIiw54=";
};
controls {
inet 10.53.0.2 port 5309
allow { any; } keys { "rndc-key"; };
};
include "trusted-keys.conf";
view "default" {
zone "." {
type hint;
file "root.hint";
};
zone "test.example." in {
type master ;
file "test.example.db.signed";
};
};
logging {
channel "namedlog" {
file "named.log" versions 5 size 50M;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
category "default" {
"namedlog";
};
};
```
</details>
The `query_datafile` file is in the CI job artifact.
March 2024 (9.16.49, 9.16.49-S1, 9.18.25, 9.18.25-S1, 9.19.22)
Artem Boldariev

https://gitlab.isc.org/isc-projects/bind9/-/issues/4544
"primaries" block documentation issues
2024-01-23T15:27:16Z
Ray Bellis

I'm finding the documentation of the "primaries" block confusing.
The ARM claims a `primaries` zone setting is only permissible within mirror, redirect, secondary and stub zones. However I've been using them at least a couple of years within the `also-notify` section of primary zones.
There's no direct mention of `primaries` in the grammar of an `also-notify` block. I _suspect_ that it's covered by `<remote-servers>` but the only link between `primaries` and `remote-servers` is this text in the glossary:
> remote-servers: A named list of one or more ip_addresses with optional tls_id, server_key, and/or port. A remote-servers list may include other remote-servers lists. See primaries block.
If in fact a `<remote-servers>` reference _is_ a (named) `primaries` list, then that ought to be spelled out more explicitly, and the documentation updated to reflect that this can be used in *any* `allow-notify` block in any applicable zone type.
I'd also suggest that the top level grammar ought to actually be called `xfer-servers` instead of `masters` and then that term used in place of `remote-servers` in the ARM. In the NOTIFY case the listed servers are secondaries, not primaries, and it makes no sense to call them primaries.
[`remote-servers` also causes confusion with `server <prefix> { }` used to specify per-server EDNS overrides, etc]
Long-term
Matthijs Mekking, matthijs@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/issues/4543
Re-enable unreachable checks in dnssec system test
2024-02-24T07:55:26Z
Tom Krizek

In https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8085, a premature [exit statement](https://gitlab.isc.org/isc-projects/bind9/-/blob/b54bdf8d78666d8dcc6d4e1ad74c4af0a130e1a8/bin/tests/system/dnssec/tests.sh#L3711) has been accidentally added to the `dnssec` test, making the remaining checks unreachable.
May 2024 (9.18.27, 9.18.27-S1, 9.19.24)
Tom Krizek

https://gitlab.isc.org/isc-projects/bind9/-/issues/4542
XoT: Primaries should be able to have different allow-transfer acls per transport or ACLs should be extended with port and transport options
2024-01-22T13:10:56Z
Dave Knight

### Description
We can restrict a primary to ONLY allow-transfer on a specific transport, e.g.
allow-transfer port 853 transport tls { acl_for_xot_clients; };
Unless I'm missing something, there's no way to have different rules per transport.
I want to require XoT for transfers over the Internet, but allow insecure AXFR to localnets.
It's not possible to have multiple allow-transfer definitions, i.e. this
allow-transfer port 53 transport tcp { acl_for_nonxot_clients; };
allow-transfer port 853 transport tls { acl_for_xot_clients; };
results in
'allow-transfer' redefined near 'allow-transfer'
And my understanding is that we can't refer to ports or transport in an acl.
### Request
Either allow multiple allow-transfer clauses, treating "allow transfer transport tcp" and "allow transfer transport tls" as different things, which can have their own acl specification, or add port and transport to the acl so that this can be controlled there.
### Links / references
Long-term
Artem Boldariev

https://gitlab.isc.org/isc-projects/bind9/-/issues/4541
values of ruletype field for update-policy statement
2024-03-08T05:30:58Z
perlang

One document typo, version 9.18.21, doc/arm/reference.rst, line 7492,
It is only 18 values from the list.
```
The ruletype field has 20 values: ``name``, ``subdomain``, ``zonesub``,
``wildcard``, ``self``, ``selfsub``, ``selfwild``, ``ms-self``,
``ms-selfsub``, ``ms-subdomain``, ``ms-subdomain-self-rhs``, ``krb5-self``,
``krb5-selfsub``, ``krb5-subdomain``, ``krb5-subdomain-self-rhs``,
``tcp-self``, ``6to4-self``, and ``external``.
```
March 2024 (9.16.49, 9.16.49-S1, 9.18.25, 9.18.25-S1, 9.19.22)

https://gitlab.isc.org/isc-projects/bind9/-/issues/4540
RFC 9471 DNS Glue Requirements in Referral Responses
2024-02-08T10:27:45Z
Peter Davies

[RFC 9471](https://www.rfc-editor.org/rfc/rfc9471.html) - DNS Glue Requirements in Referral Responses
It would be of help to users to implement RFC 9471 and allow BIND to reply TC=1 when
glue records would make a UDP reply larger than the maximum allowed.
3.2. Glue for Sibling Domain Name Servers
This document clarifies that when a name server generates a referral response, it
include all available glue records in the additional section. If, after adding glue for all in-domain
name servers, the glue for all sibling domain name servers does not fit due to message size
constraints, the name server set TC=1 but is not obligated to do so.
BIND 9.19.x

https://gitlab.isc.org/isc-projects/bind9/-/issues/4539
tsig key not found
2024-01-17T16:59:20Z
Michael N. Lipp

To be honest, I have doubts that this is a bug. But I don't have any other explanation.
I'm running v9.16.42.
I have defined a key in named.conf:
```
key "acme-dns01" {
algorithm hmac-sha256;
secret "+m8fujTWD3qb0LkJFP7HPCZAbLlWBMtwtbNPEkvAt7E=";
};
```
This has worked:
```
$ rndc tsig-list
view "Default"; type "static"; key "acme-dns01";
view "Default"; type "static"; key "local-ddns";
view "Default"; type "static"; key "rndc-key";
view "_bind"; type "static"; key "acme-dns01";
view "_bind"; type "static"; key "local-ddns";
view "_bind"; type "static"; key "rndc-key";
```
I'm using the key in a `grant` (but this doesn't really matter):
```
update-policy { grant acme-dns01 zonesub txt; };
```
When I try to make use of the "key:secret" using `nsupdate`, it is sent as expected:
```
;; TSIG PSEUDOSECTION:
acme-dns01. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1705509748 300 16 tcU/8lYs1VEPZfcM5C3hZw== 13850 NOERROR 0
```
But I get a `BADKEY` in the response, which means that the key is [unknown](https://bind9.readthedocs.io/en/v9.16.42/advanced.html#errors).
This information can also be found in the log:
```
| Jan 17 17:46:10 | named | 23910 | dnssec: debug 2: tsig key 'acme-dns01': unknown key
```
I couldn't find any additional required action to make the key known [in the manual](https://bind9.readthedocs.io/en/v9.16.42/reference.html#key-statement-definition-and-usage). It is defined globally and should be available in all views (and the output from tsig-list confirms this).
I consider it extremely unlikely that this problem has been unnoticed before. But on the other hand side, I have no idea why it doesn't work.

https://gitlab.isc.org/isc-projects/bind9/-/issues/4538
duplicate TLS session tickets from BIND
2024-01-17T18:01:29Z
Petr Špaček, pspacek@isc.org

### Summary
BIND sends **two** TLS session tickets in a row, in the same TCP frame. This looks like a bug. Probably no real-world impact except consuming a bit of extra bandwidth.
### BIND version affected
* ~"Affects v9.19" : e39b544704b98ddd8a19e317373b84ac74597f76 - noticed while testing !8646
* ~"Affects v9.18" : 071de1b5b54c27b1291bd97e3a95a93b1996eddc - isc-private/bind9!585
### Steps to reproduce
1. SSLKEYLOGFILE=/tmp/tlskeys /tmp/4527-improve-tls-framing-for-dot/sbin/named -g -c /tmp/named.conf
2. sudo tcpdump -i lo -w /tmp/tls.pcap 'port 853'
3. dig @127.0.0.1 +tls
- [tls.pcap](/uploads/e5836a9693d76f117c9e5c80f15cf2b1/tls.pcap)
- [tlskeys](/uploads/76d398d1c33b7eb90f4c7a14ff27a644/tlskeys)
### What is the current *bug* behavior?
For some reason BIND sends **two** TLS session tickets in a row, in the same TCP frame.
<details>
```
Frame 10: 608 bytes on wire (4864 bits), 608 bytes captured (4864 bits)
Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
Transmission Control Protocol, Src Port: 853, Dst Port: 46779, Seq: 766, Ack: 476, Len: 542
Transport Layer Security
TLSv1.3 Record Layer: Handshake Protocol: New Session Ticket
Opaque Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 266
[Content Type: Handshake (22)]
Handshake Protocol: New Session Ticket
Handshake Type: New Session Ticket (4)
Length: 245
TLS Session Ticket
Session Ticket Lifetime Hint: 7200 seconds (2 hours)
Session Ticket Age Add: 1399829672
Session Ticket Nonce Length: 8
Session Ticket Nonce: 0000000000000000
Session Ticket Length: 224
Session Ticket [truncated]: 5f2c5c7290f6b002e39631b54f85b14de2620e615663e5e3a2a5c5194a3e5c47d5da9fc257200fe4318de304b2471b4a1f35607e53e0a3eb04e00421e2539bcdbf486e60ec9900448831dc70c1dcb081c0890d04c337dbe4aef4806dd5004019a0a7edfabbf17de7590
Extensions Length: 0
TLSv1.3 Record Layer: Handshake Protocol: New Session Ticket
Opaque Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 266
[Content Type: Handshake (22)]
Handshake Protocol: New Session Ticket
Handshake Type: New Session Ticket (4)
Length: 245
TLS Session Ticket
Session Ticket Lifetime Hint: 7200 seconds (2 hours)
Session Ticket Age Add: 310059667
Session Ticket Nonce Length: 8
Session Ticket Nonce: 0000000000000001
Session Ticket Length: 224
Session Ticket [truncated]: 5f2c5c7290f6b002e39631b54f85b14dc423d6b1f00ccd25e30d7cf9290c0dc32d8ed4b9c72a8e3555d9ccdba4b3b6299e5306c5bf9ca48f72325e23927d1e9ae572d8937faedeb7b5846b4f8817bef5e537a5ff8e516c20f520ebb535ab37fa64996854d10dcee1291
Extensions Length: 0
```
</details>
### What is the expected *correct* behavior?
I would expect just one ticket.
Artem Boldariev

https://gitlab.isc.org/isc-projects/bind9/-/issues/4536
The new "cipher-suites" system test fails in FIPS mode
2024-03-08T05:23:01Z
Michał Kępień

!8576 was merged 3 days ago and here is a list of its failures in GitLab
CI since:
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/3938188
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/3938189
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/3939001
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/3939002
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/3939846
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/3939847
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/3939988
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/3939989
These look like permanent failures; it is probably a rare case of a
FIPS-only failure that was not caught before merging since we only run
FIPS-mode jobs in scheduled pipelines rather than for every merge
request.
Looks like there is a pattern to these failures - there seem to be
different issues on different platforms:
- on Oracle Linux 9 in FIPS mode, there is often a **crash**:
```
2024-01-14 08:18:07 INFO:cipher-suites D:/builds/isc-projects/bind9/bin/tests/system/cipher-suites_tmp__8wequh4:Core was generated by `/builds/isc-projects/bind9/bin/named/.libs/lt-named -D cipher-suites_tmp__8wequ'.
2024-01-14 08:18:07 INFO:cipher-suites D:/builds/isc-projects/bind9/bin/tests/system/cipher-suites_tmp__8wequh4:Program terminated with signal SIGABRT, Aborted.
2024-01-14 08:18:07 INFO:cipher-suites D:/builds/isc-projects/bind9/bin/tests/system/cipher-suites_tmp__8wequh4:#0 0x00007fde4caa158c in __pthread_kill_implementation () from /lib64/libc.so.6
2024-01-14 08:18:07 INFO:cipher-suites D:/builds/isc-projects/bind9/bin/tests/system/cipher-suites_tmp__8wequh4:[Current thread is 1 (Thread 0x7fde49fba600 (LWP 103424))]
2024-01-14 08:18:07 INFO:cipher-suites D:/builds/isc-projects/bind9/bin/tests/system/cipher-suites_tmp__8wequh4:#0 0x00007fde4caa158c in __pthread_kill_implementation () from /lib64/libc.so.6
2024-01-14 08:18:07 INFO:cipher-suites D:/builds/isc-projects/bind9/bin/tests/system/cipher-suites_tmp__8wequh4:#1 0x00007fde4ca54d06 in raise () from /lib64/libc.so.6
2024-01-14 08:18:07 INFO:cipher-suites D:/builds/isc-projects/bind9/bin/tests/system/cipher-suites_tmp__8wequh4:#2 0x00007fde4ca287f3 in abort () from /lib64/libc.so.6
2024-01-14 08:18:07 INFO:cipher-suites D:/builds/isc-projects/bind9/bin/tests/system/cipher-suites_tmp__8wequh4:#3 0x0000000000422b05 in assertion_failed (file=0x7fde4d8c26a1 "netmgr/tcp.c", line=918, type=isc_assertiontype_insist, cond=0x7fde4d8c2720 "csock->recv_cb != ((void *)0)") at main.c:234
2024-01-14 08:18:07 INFO:cipher-suites D:/builds/isc-projects/bind9/bin/tests/system/cipher-suites_tmp__8wequh4:#4 0x00007fde4d88aace in isc_assertion_failed (file=file@entry=0x7fde4d8c26a1 "netmgr/tcp.c", line=line@entry=918, type=type@entry=isc_assertiontype_insist, cond=cond@entry=0x7fde4d8c2720 "csock->recv_cb != ((void *)0)") at assertions.c:48
2024-01-14 08:18:07 INFO:cipher-suites D:/builds/isc-projects/bind9/bin/tests/system/cipher-suites_tmp__8wequh4:#5 0x00007fde4d8829e3 in accept_connection (csock=<optimized out>, csock@entry=0x7fde48c0b000) at netmgr/tcp.c:918
2024-01-14 08:18:07 INFO:cipher-suites D:/builds/isc-projects/bind9/bin/tests/system/cipher-suites_tmp__8wequh4:#6 0x00007fde4d882c1d in tcp_connection_cb (server=<optimized out>, status=<optimized out>) at netmgr/tcp.c:558
2024-01-14 08:18:07 INFO:cipher-suites D:/builds/isc-projects/bind9/bin/tests/system/cipher-suites_tmp__8wequh4:#7 0x00007fde4d481e77 in uv.server_io () from /lib64/libuv.so.1
2024-01-14 08:18:07 INFO:cipher-suites D:/builds/isc-projects/bind9/bin/tests/system/cipher-suites_tmp__8wequh4:#8 0x00007fde4d49285e in uv.io_poll.part () from /lib64/libuv.so.1
2024-01-14 08:18:07 INFO:cipher-suites D:/builds/isc-projects/bind9/bin/tests/system/cipher-suites_tmp__8wequh4:#9 0x00007fde4d47c5a8 in uv_run () from /lib64/libuv.so.1
2024-01-14 08:18:07 INFO:cipher-suites D:/builds/isc-projects/bind9/bin/tests/system/cipher-suites_tmp__8wequh4:#10 0x00007fde4d89d896 in loop_thread (arg=arg@entry=0x7fde4bea6180) at loop.c:282
2024-01-14 08:18:07 INFO:cipher-suites D:/builds/isc-projects/bind9/bin/tests/system/cipher-suites_tmp__8wequh4:#11 0x00007fde4d8af4b5 in thread_body (wrap=wrap@entry=0x1dc7350) at thread.c:85
2024-01-14 08:18:07 INFO:cipher-suites D:/builds/isc-projects/bind9/bin/tests/system/cipher-suites_tmp__8wequh4:#12 0x00007fde4d8af4de in thread_run (wrap=0x1dc7350) at thread.c:100
2024-01-14 08:18:07 INFO:cipher-suites D:/builds/isc-projects/bind9/bin/tests/system/cipher-suites_tmp__8wequh4:#13 0x00007fde4ca9f812 in start_thread () from /lib64/libc.so.6
2024-01-14 08:18:07 INFO:cipher-suites D:/builds/isc-projects/bind9/bin/tests/system/cipher-suites_tmp__8wequh4:#14 0x00007fde4ca3f450 in clone3 () from /lib64/libc.so.6
```
- on Oracle Linux 8 in FIPS mode, there is often a **test failure**:
```
2024-01-13 00:16:03 INFO:cipher-suites I:cipher-suites_tmp_5cchgkwp:testing zone transfer over TLS (XoT): - zone "example" at "ns2" (1)
2024-01-13 00:16:04 INFO:cipher-suites I:cipher-suites_tmp_5cchgkwp:testing zone transfer over TLS (XoT): - zone "example" at "ns3" (2)
2024-01-13 00:16:04 INFO:cipher-suites I:cipher-suites_tmp_5cchgkwp:testing zone transfer over TLS (XoT): - zone "example" at "ns4" (3)
2024-01-13 00:16:04 INFO:cipher-suites I:cipher-suites_tmp_5cchgkwp:testing zone transfer over TLS (XoT): - zone "example-aes-128" at "ns2" (4)
2024-01-13 00:16:04 INFO:cipher-suites I:cipher-suites_tmp_5cchgkwp:testing zone transfer over TLS (XoT): - zone "example-aes-256" at "ns3" (5)
2024-01-13 00:16:04 INFO:cipher-suites I:cipher-suites_tmp_5cchgkwp:testing zone transfer over TLS (XoT): - zone "example-chacha-20" at "ns4" (6)
2024-01-13 00:16:13 INFO:cipher-suites I:cipher-suites_tmp_5cchgkwp:failed
2024-01-13 00:16:13 INFO:cipher-suites I:cipher-suites_tmp_5cchgkwp:testing zone transfer over TLS (XoT): - zone "example-aes-256" at "ns2", failure expected (7)
2024-01-13 00:16:22 INFO:cipher-suites I:cipher-suites_tmp_5cchgkwp:testing zone transfer over TLS (XoT): - zone "example-chacha-20" at "ns2", failure expected (8)
2024-01-13 00:16:32 INFO:cipher-suites I:cipher-suites_tmp_5cchgkwp:testing zone transfer over TLS (XoT): - zone "example-aes-128" at "ns3", failure expected (9)
2024-01-13 00:16:41 INFO:cipher-suites I:cipher-suites_tmp_5cchgkwp:testing zone transfer over TLS (XoT): - zone "example-chacha-20" at "ns3", failure expected (10)
2024-01-13 00:16:51 INFO:cipher-suites I:cipher-suites_tmp_5cchgkwp:testing zone transfer over TLS (XoT): - zone "example-aes-128" at "ns4", failure expected (11)
2024-01-13 00:17:00 INFO:cipher-suites I:cipher-suites_tmp_5cchgkwp:testing zone transfer over TLS (XoT): - zone "example-aes-256" at "ns4", failure expected (12)
2024-01-13 00:17:09 INFO:cipher-suites I:cipher-suites_tmp_5cchgkwp:testing zone transfer over TLS (XoT): - zone "example" at "ns5", failure expected (13)
2024-01-13 00:17:19 INFO:cipher-suites I:cipher-suites_tmp_5cchgkwp:testing zone transfer over TLS (XoT): - zone "example-aes-128" at "ns5", failure expected (14)
2024-01-13 00:17:28 INFO:cipher-suites I:cipher-suites_tmp_5cchgkwp:testing zone transfer over TLS (XoT): - zone "example-aes-256" at "ns5", failure expected (15)
2024-01-13 00:17:38 INFO:cipher-suites I:cipher-suites_tmp_5cchgkwp:testing zone transfer over TLS (XoT): - zone "example-chacha-20" at "ns5", failure expected (16)
2024-01-13 00:17:47 INFO:cipher-suites I:cipher-suites_tmp_5cchgkwp:exit status: 1
```
I would normally follow up on the original issue in cases like this, but
it seems that at least the crash may be a pre-existing issue, so I
thought that separating it out might be prudent.

March 2024 (9.16.49, 9.16.49-S1, 9.18.25, 9.18.25-S1, 9.19.22) Artem Boldariev

https://gitlab.isc.org/isc-projects/bind9/-/issues/4535
"digdelv" system test often fails the "try the next server after a TCP socket connection error/timeout" check
2024-02-24T07:57:52Z Michał Kępień

For at least the past two weeks or so, the following check in the
`digdelv` system test has been failing particularly often, for no
apparent reason that I could think of:
```
2024-01-14 04:17:49 INFO:digdelv I:digdelv_tmp_aq8itlsn:check that dig tries the next server after a TCP socket connection error/timeout (89)
2024-01-14 04:18:09 INFO:digdelv I:digdelv_tmp_aq8itlsn:failed
```
It is an intermittent failure. It seems to be at least strongly
"preferring" FreeBSD jobs (and may even be exclusive to these, but I
have not checked all of its occurrences):
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/3926964
- https://gitlab.isc.org/isc-private/bind9/-/jobs/3938693
- https://gitlab.isc.org/isc-private/bind9/-/jobs/3938692
- https://gitlab.isc.org/isc-private/bind9/-/jobs/3939505
- https://gitlab.isc.org/isc-private/bind9/-/jobs/3939504
- https://gitlab.isc.org/isc-private/bind9/-/jobs/3939503
The check itself dates back to March 2022 (!5976), so it is surprising
to only see an uptick in its failures now. Perhaps some other fix
merged in the meantime changed `dig` behavior in a way that trips this
logic up?

May 2024 (9.18.27, 9.18.27-S1, 9.19.24)

https://gitlab.isc.org/isc-projects/bind9/-/issues/4534
Option to make inclusion of CDS records optional
2024-01-15T07:47:42Z Dan Mahoney

### Description
Back when ISC decommissioned DLV, we committed to providing a signed, empty zone with no other deltas (short of NS records) "for the foreseeable future". Now, with BIND 9.18 doing the inline-signing that was previously done by 9.11 and 9.16, the zone is changed: there is now a CDS option in place that was not there previously.
In a case where an organization (us, or someone else) is transitioning to new signing software, the ability to maintain the exact same signed setup without introducing new RRtypes should still be an option.
Note well that we still get occasional queries to dlv.isc.org -- and while the time may come to de-delegate it, we haven't made that decision yet.
No matter how much we announce that it's dead and that people should stop using it, they do, which indicates that they're using either very old or very misconfigured software that's still limping along. It's possible, albeit unlikely, that the presence of new records that were not defined when DLV was a thing could violate the principle of least astonishment. (I don't think a CDS record will crash anything, to be clear.)
### Request
An option in dnssec-policy for inline-signing to not insert CDS records. I didn't find anything in the ARM for this.
### Links / references

https://gitlab.isc.org/isc-projects/bind9/-/issues/4533
SoftHSM 2 + OpenSSL 3 crashes
2024-01-15T09:46:55Z Harry G. Coin

### Summary
Repeated crashes every few seconds to few minutes during opendnssec activity.
```
Jan 14 17:15:28 registry2.1.quietfountain.com named[182105]: zone 2.quietfountain.com/IN (signed): sending notifies (serial 1705274034)
Jan 14 17:15:28 registry2.1.quietfountain.com named[182105]: client @0x7f3a64fc72f8 10.12.112.3#51784: received notify for zone 'b.0.e.0.0.0.0.0.0.0.0.1.0.0.c.f.ip6.arpa'
Jan 14 17:15:28 registry2.1.quietfountain.com systemd[1]: Started Process Core Dump (PID 185215/UID 0).
Jan 14 17:15:30 registry2.1.quietfountain.com systemd-coredump[185216]: [🡕] Process 182105 (named) of user 25 dumped core.
Stack trace of thread 182107:
#0 0x00007f3a7eca154c __pthread_kill_implementation (libc.so.6 + 0xa154c)
#1 0x00007f3a7ec54d06 raise (libc.so.6 + 0x54d06)
#2 0x00007f3a7ec287f3 abort (libc.so.6 + 0x287f3)
#3 0x00007f3a7ec29130 __libc_message.cold (libc.so.6 + 0x29130)
#4 0x00007f3a7ecab617 malloc_printerr (libc.so.6 + 0xab617)
#5 0x00007f3a7ecaf68c __libc_malloc (libc.so.6 + 0xaf68c)
#6 0x00007f3a6b2adb0c _Znwm (libstdc++.so.6 + 0xadb0c)
#7 0x00007f3a6b7b8aca _ZN7OSToken10getObjectsERSt3setIP8OSObjectSt4lessIS2_ESaIS2_EE (libsofthsm2.so + 0xa1aca)
#8 0x00007f3a6b76606b _ZN7SoftHSM17C_FindObjectsInitEmP13_CK_ATTRIBUTEm (libsofthsm2.so + 0x4f06b)
#9 0x00007f3a6b739eb8 C_FindObjectsInit (libsofthsm2.so + 0x22eb8)
#10 0x00007f3a7ea079fc pkcs11_enumerate_keys (pkcs11.so + 0x79fc)
#11 0x00007f3a7ea0ca63 ctx_load_key (pkcs11.so + 0xca63)
#12 0x00007f3a7ea0d45d load_privkey (pkcs11.so + 0xd45d)
#13 0x00007f3a7f165735 ENGINE_load_private_key (libcrypto.so.3 + 0x165735)
#14 0x00007f3a7f7abdf8 opensslrsa_parse (libdns-9.16.23-RH.so + 0x1abdf8)
#15 0x00007f3a7f79cbc1 dst_key_fromnamedfile (libdns-9.16.23-RH.so + 0x19cbc1)
#16 0x00007f3a7f79d4d7 dst_key_fromfile (libdns-9.16.23-RH.so + 0x19d4d7)
#17 0x00007f3a7f6698f2 dns_dnssec_findzonekeys (libdns-9.16.23-RH.so + 0x698f2)
#18 0x00007f3a7f76399f dns__zone_findkeys (libdns-9.16.23-RH.so + 0x16399f)
#19 0x00007f3a7f76a6d9 zone_sign.lto_priv.0 (libdns-9.16.23-RH.so + 0x16a6d9)
#20 0x00007f3a7f778279 zone_timer.lto_priv.0 (libdns-9.16.23-RH.so + 0x178279)
#21 0x00007f3a7f9131bd isc_task_run (libisc-9.16.23-RH.so + 0x571bd)
#22 0x00007f3a7f8fe2a9 process_netievent (libisc-9.16.23-RH.so + 0x422a9)
#23 0x00007f3a7f8fe425 process_queue (libisc-9.16.23-RH.so + 0x42425)
#24 0x00007f3a7f8fec17 async_cb (libisc-9.16.23-RH.so + 0x42c17)
#25 0x00007f3a7f44eb3d uv__async_io.part.0 (libuv.so.1 + 0xab3d)
#26 0x00007f3a7f46a85e uv__io_poll.part.0 (libuv.so.1 + 0x2685e)
#27 0x00007f3a7f4545a8 uv_run (libuv.so.1 + 0x105a8)
#28 0x00007f3a7f8fe4db nm_thread (libisc-9.16.23-RH.so + 0x424db)
#29 0x00007f3a7f910f9a isc__trampoline_run (libisc-9.16.23-RH.so + 0x54f9a)
#30 0x00007f3a7ec9f802 start_thread (libc.so.6 + 0x9f802)
#31 0x00007f3a7ec3f450 __clone3 (libc.so.6 + 0x3f450)
Stack trace of thread 182106:
#0 0x00007f3a7ec9db7a pthread_barrier_wait@@GLIBC_2.34 (libc.so.6 + 0x9db7a)
#1 0x00007f3a7f45e1fd uv_barrier_wait (libuv.so.1 + 0x1a1fd)
#2 0x00007f3a7f8f48c7 isc_nm_pause (libisc-9.16.23-RH.so + 0x388c7)
#3 0x00007f3a7f913993 isc_task_beginexclusive (libisc-9.16.23-RH.so + 0x57993)
#4 0x00007f3a78be7826 run_exclusive_enter (ldap.so + 0x14826)
#5 0x00007f3a78bec951 ldap_parse_master_zoneentry (ldap.so + 0x19951)
#6 0x00007f3a78beee3a update_zone (ldap.so + 0x1be3a)
#7 0x00007f3a7f9131bd isc_task_run (libisc-9.16.23-RH.so + 0x571bd)
#8 0x00007f3a7f8fe2a9 process_netievent (libisc-9.16.23-RH.so + 0x422a9)
#9 0x00007f3a7f8fe425 process_queue (libisc-9.16.23-RH.so + 0x42425)
#10 0x00007f3a7f8fec17 async_cb (libisc-9.16.23-RH.so + 0x42c17)
#11 0x00007f3a7f44eb3d uv__async_io.part.0 (libuv.so.1 + 0xab3d)
#12 0x00007f3a7f46a85e uv__io_poll.part.0 (libuv.so.1 + 0x2685e)
#13 0x00007f3a7f4545a8 uv_run (libuv.so.1 + 0x105a8)
#14 0x00007f3a7f8fe4db nm_thread (libisc-9.16.23-RH.so + 0x424db)
#15 0x00007f3a7f910f9a isc__trampoline_run (libisc-9.16.23-RH.so + 0x54f9a)
#16 0x00007f3a7ec9f802 start_thread (libc.so.6 + 0x9f802)
#17 0x00007f3a7ec3f450 __clone3 (libc.so.6 + 0x3f450)
Stack trace of thread 182115:
#0 0x00007f3a7ec9c39a __futex_abstimed_wait_common (libc.so.6 + 0x9c39a)
#1 0x00007f3a7ec9eea4 pthread_cond_timedwait@@GLIBC_2.3.2 (libc.so.6 + 0x9eea4)
#2 0x00007f3a7f922a90 isc_condition_waituntil (libisc-9.16.23-RH.so + 0x66a90)
#3 0x00007f3a78befbcb syncrepl_update (ldap.so + 0x1cbcb)
#4 0x00007f3a78bf0344 ldap_sync_search_entry (ldap.so + 0x1d344)
#5 0x00007f3a78ba7bfa ldap_sync_search_entry (libldap.so.2 + 0x45bfa)
#6 0x00007f3a78ba856b ldap_sync_poll (libldap.so.2 + 0x4656b)
#7 0x00007f3a78bf1591 ldap_sync_doit (ldap.so + 0x1e591)
#8 0x00007f3a78bf1a33 ldap_syncrepl_watcher.lto_priv.0 (ldap.so + 0x1ea33)
#9 0x00007f3a7f910f9a isc__trampoline_run (libisc-9.16.23-RH.so + 0x54f9a)
#10 0x00007f3a7ec9f802 start_thread (libc.so.6 + 0x9f802)
#11 0x00007f3a7ec3f450 __clone3 (libc.so.6 + 0x3f450)
Stack trace of thread 182111:
#0 0x00007f3a7ed4e84e epoll_wait (libc.so.6 + 0x14e84e)
#1 0x00007f3a7f91c48c netthread (libisc-9.16.23-RH.so + 0x6048c)
#2 0x00007f3a7f910f9a isc__trampoline_run (libisc-9.16.23-RH.so + 0x54f9a)
#3 0x00007f3a7ec9f802 start_thread (libc.so.6 + 0x9f802)
#4 0x00007f3a7ec3f450 __clone3 (libc.so.6 + 0x3f450)
Stack trace of thread 182112:
#0 0x00007f3a7ed4e84e epoll_wait (libc.so.6 + 0x14e84e)
#1 0x00007f3a7f91c48c netthread (libisc-9.16.23-RH.so + 0x6048c)
#2 0x00007f3a7f910f9a isc__trampoline_run (libisc-9.16.23-RH.so + 0x54f9a)
#3 0x00007f3a7ec9f802 start_thread (libc.so.6 + 0x9f802)
#4 0x00007f3a7ec3f450 __clone3 (libc.so.6 + 0x3f450)
Stack trace of thread 182113:
#0 0x00007f3a7ed4e84e epoll_wait (libc.so.6 + 0x14e84e)
#1 0x00007f3a7f91c48c netthread (libisc-9.16.23-RH.so + 0x6048c)
#2 0x00007f3a7f910f9a isc__trampoline_run (libisc-9.16.23-RH.so + 0x54f9a)
#3 0x00007f3a7ec9f802 start_thread (libc.so.6 + 0x9f802)
#4 0x00007f3a7ec3f450 __clone3 (libc.so.6 + 0x3f450)
Stack trace of thread 182114:
#0 0x00007f3a7ed4e84e epoll_wait (libc.so.6 + 0x14e84e)
#1 0x00007f3a7f91c48c netthread (libisc-9.16.23-RH.so + 0x6048c)
#2 0x00007f3a7f910f9a isc__trampoline_run (libisc-9.16.23-RH.so + 0x54f9a)
#3 0x00007f3a7ec9f802 start_thread (libc.so.6 + 0x9f802)
#4 0x00007f3a7ec3f450 __clone3 (libc.so.6 + 0x3f450)
Stack trace of thread 182629:
#0 0x00007f3a7ec9c39a __futex_abstimed_wait_common (libc.so.6 + 0x9c39a)
#1 0x00007f3a7ec9eba0 pthread_cond_wait@@GLIBC_2.3.2 (libc.so.6 + 0x9eba0)
#2 0x00007f3a7f4640ed uv_cond_wait (libuv.so.1 + 0x200ed)
#3 0x00007f3a7f457966 worker (libuv.so.1 + 0x13966)
#4 0x00007f3a7ec9f802 start_thread (libc.so.6 + 0x9f802)
#5 0x00007f3a7ec3f450 __clone3 (libc.so.6 + 0x3f450)
Stack trace of thread 182105:
#0 0x00007f3a7ec55aca __sigtimedwait (libc.so.6 + 0x55aca)
#1 0x00007f3a7ec5510c sigwait (libc.so.6 + 0x5510c)
#2 0x00007f3a7f8e1a33 isc_app_ctxrun (libisc-9.16.23-RH.so + 0x25a33)
#3 0x00007f3a7f8e1cfc isc_app_run (libisc-9.16.23-RH.so + 0x25cfc)
#4 0x000055747eb2645a main (named + 0x1d45a)
#5 0x00007f3a7ec3feb0 __libc_start_call_main (libc.so.6 + 0x3feb0)
#6 0x00007f3a7ec3ff60 __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x3ff60)
#7 0x000055747eb26f85 _start (named + 0x1df85)
Stack trace of thread 182109:
#0 0x00007f3a7ec3ee5d syscall (libc.so.6 + 0x3ee5d)
#1 0x00007f3a7f4669cb uv__udp_sendmmsg.lto_priv.0 (libuv.so.1 + 0x229cb)
#2 0x00007f3a7f457288 uv_udp_send (libuv.so.1 + 0x13288)
#3 0x00007f3a7f8f8d56 isc__nm_async_udpsend (libisc-9.16.23-RH.so + 0x3cd56)
#4 0x00007f3a7f8f9124 isc__nm_udp_send (libisc-9.16.23-RH.so + 0x3d124)
#5 0x00007f3a7f9b6143 client_sendpkg (libns-9.16.23-RH.so + 0xf143)
#6 0x00007f3a7f9bd3ec ns_client_send (libns-9.16.23-RH.so + 0x163ec)
#7 0x00007f3a7f9bd5ab ns_notify_start (libns-9.16.23-RH.so + 0x165ab)
#8 0x00007f3a7f9c1213 ns__client_request (libns-9.16.23-RH.so + 0x1a213)
#9 0x00007f3a7f8f8731 isc__nm_async_readcb (libisc-9.16.23-RH.so + 0x3c731)
#10 0x00007f3a7f8f8879 isc__nm_readcb (libisc-9.16.23-RH.so + 0x3c879)
#11 0x00007f3a7f8fcff5 udp_recv_cb (libisc-9.16.23-RH.so + 0x40ff5)
#12 0x00007f3a7f4695ab uv__udp_io.lto_priv.0 (libuv.so.1 + 0x255ab)
#13 0x00007f3a7f46a85e uv__io_poll.part.0 (libuv.so.1 + 0x2685e)
#14 0x00007f3a7f4545a8 uv_run (libuv.so.1 + 0x105a8)
#15 0x00007f3a7f8fe4db nm_thread (libisc-9.16.23-RH.so + 0x424db)
#16 0x00007f3a7f910f9a isc__trampoline_run (libisc-9.16.23-RH.so + 0x54f9a)
#17 0x00007f3a7ec9f802 start_thread (libc.so.6 + 0x9f802)
#18 0x00007f3a7ec3f450 __clone3 (libc.so.6 + 0x3f450)
Stack trace of thread 182110:
#0 0x00007f3a7ec9c39a __futex_abstimed_wait_common (libc.so.6 + 0x9c39a)
#1 0x00007f3a7ec9eea4 pthread_cond_timedwait@@GLIBC_2.3.2 (libc.so.6 + 0x9eea4)
#2 0x00007f3a7f922a90 isc_condition_waituntil (libisc-9.16.23-RH.so + 0x66a90)
#3 0x00007f3a7f914cff run (libisc-9.16.23-RH.so + 0x58cff)
#4 0x00007f3a7f910f9a isc__trampoline_run (libisc-9.16.23-RH.so + 0x54f9a)
#5 0x00007f3a7ec9f802 start_thread (libc.so.6 + 0x9f802)
#6 0x00007f3a7ec3f450 __clone3 (libc.so.6 + 0x3f450)
Stack trace of thread 182630:
#0 0x00007f3a7ec9c39a __futex_abstimed_wait_common (libc.so.6 + 0x9c39a)
#1 0x00007f3a7ec9eba0 pthread_cond_wait@@GLIBC_2.3.2 (libc.so.6 + 0x9eba0)
#2 0x00007f3a7f4640ed uv_cond_wait (libuv.so.1 + 0x200ed)
#3 0x00007f3a7f457966 worker (libuv.so.1 + 0x13966)
#4 0x00007f3a7ec9f802 start_thread (libc.so.6 + 0x9f802)
#5 0x00007f3a7ec3f450 __clone3 (libc.so.6 + 0x3f450)
Stack trace of thread 182628:
#0 0x00007f3a7ec9c39a __futex_abstimed_wait_common (libc.so.6 + 0x9c39a)
#1 0x00007f3a7ec9eba0 pthread_cond_wait@@GLIBC_2.3.2 (libc.so.6 + 0x9eba0)
#2 0x00007f3a7f4640ed uv_cond_wait (libuv.so.1 + 0x200ed)
#3 0x00007f3a7f457966 worker (libuv.so.1 + 0x13966)
#4 0x00007f3a7ec9f802 start_thread (libc.so.6 + 0x9f802)
#5 0x00007f3a7ec3f450 __clone3 (libc.so.6 + 0x3f450)
Stack trace of thread 182631:
#0 0x00007f3a7ec9c39a __futex_abstimed_wait_common (libc.so.6 + 0x9c39a)
#1 0x00007f3a7ec9eba0 pthread_cond_wait@@GLIBC_2.3.2 (libc.so.6 + 0x9eba0)
#2 0x00007f3a7f4640ed uv_cond_wait (libuv.so.1 + 0x200ed)
#3 0x00007f3a7f457966 worker (libuv.so.1 + 0x13966)
#4 0x00007f3a7ec9f802 start_thread (libc.so.6 + 0x9f802)
#5 0x00007f3a7ec3f450 __clone3 (libc.so.6 + 0x3f450)
Stack trace of thread 182108:
#0 0x00007f3a7ec9c319 __futex_abstimed_wait_common (libc.so.6 + 0x9c319)
#1 0x00007f3a7eca5d8f pthread_rwlock_wrlock@@GLIBC_2.34 (libc.so.6 + 0xa5d8f)
#2 0x00007f3a7f1bd95d CRYPTO_THREAD_write_lock (libcrypto.so.3 + 0x1bd95d)
#3 0x00007f3a7ea066ce ctx_login (pkcs11.so + 0x66ce)
#4 0x00007f3a7ea0cb95 ctx_load_key (pkcs11.so + 0xcb95)
#5 0x00007f3a7ea0d45d load_privkey (pkcs11.so + 0xd45d)
#6 0x00007f3a7f165735 ENGINE_load_private_key (libcrypto.so.3 + 0x165735)
#7 0x00007f3a7f7abdf8 opensslrsa_parse (libdns-9.16.23-RH.so + 0x1abdf8)
#8 0x00007f3a7f79cbc1 dst_key_fromnamedfile (libdns-9.16.23-RH.so + 0x19cbc1)
#9 0x00007f3a7f79d4d7 dst_key_fromfile (libdns-9.16.23-RH.so + 0x19d4d7)
#10 0x00007f3a7f6698f2 dns_dnssec_findzonekeys (libdns-9.16.23-RH.so + 0x698f2)
#11 0x00007f3a7f76399f dns__zone_findkeys (libdns-9.16.23-RH.so + 0x16399f)
#12 0x00007f3a7f76a6d9 zone_sign.lto_priv.0 (libdns-9.16.23-RH.so + 0x16a6d9)
#13 0x00007f3a7f778279 zone_timer.lto_priv.0 (libdns-9.16.23-RH.so + 0x178279)
#14 0x00007f3a7f9131bd isc_task_run (libisc-9.16.23-RH.so + 0x571bd)
#15 0x00007f3a7f8fe2a9 process_netievent (libisc-9.16.23-RH.so + 0x422a9)
#16 0x00007f3a7f8fe425 process_queue (libisc-9.16.23-RH.so + 0x42425)
#17 0x00007f3a7f8fec17 async_cb (libisc-9.16.23-RH.so + 0x42c17)
#18 0x00007f3a7f44eb3d uv__async_io.part.0 (libuv.so.1 + 0xab3d)
#19 0x00007f3a7f46a85e uv__io_poll.part.0 (libuv.so.1 + 0x2685e)
#20 0x00007f3a7f4545a8 uv_run (libuv.so.1 + 0x105a8)
#21 0x00007f3a7f8fe4db nm_thread (libisc-9.16.23-RH.so + 0x424db)
#22 0x00007f3a7f910f9a isc__trampoline_run (libisc-9.16.23-RH.so + 0x54f9a)
#23 0x00007f3a7ec9f802 start_thread (libc.so.6 + 0x9f802)
#24 0x00007f3a7ec3f450 __clone3 (libc.so.6 + 0x3f450)
ELF object binary architecture: AMD x86-64
Jan 14 17:15:30 registry2.1.quietfountain.com systemd[1]: systemd-coredump@7-185215-0.service: Deactivated successfully.
Jan 14 17:15:30 registry2.1.quietfountain.com systemd[1]: systemd-coredump@7-185215-0.service: Consumed 1.133s CPU time.
Jan 14 17:15:30 registry2.1.quietfountain.com systemd[1]: named.service: Main process exited, code=dumped, status=6/ABRT
Jan 14 17:15:30 registry2.1.quietfountain.com systemd[1]: named.service: Failed with result 'core-dump'.
Jan 14 17:15:30 registry2.1.quietfountain.com systemd[1]: named.service: Consumed 1min 56.753s CPU time.
```
### BIND version affected
```
[root@registry2 coredump]# named -V
BIND 9.16.23-RH (Extended Support Version) <id:fde3b1f>
running on Linux x86_64 5.14.0-362.13.1.el9_3.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 21 07:12:43 EST 2023
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/bin/python3' '--with-libtool' '--localstatedir=/var' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--with-maxminddb' '--with-dlopen=yes' '--with-gssapi=yes' '--with-lmdb=yes' '--without-libjson' '--with-json-c' '--enable-dnstap' '--enable-fixed-rrset' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS= -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 ' 'LT_SYS_LIBRARY_PATH=/usr/lib64:' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 11.4.1 20230605 (Red Hat 11.4.1-2)
compiled with OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
linked to OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
compiled with libuv version: 1.42.0
linked to libuv version: 1.42.0
compiled with libxml2 version: 2.9.13
linked to libxml2 version: 20913
compiled with json-c version: 0.14
linked to json-c version: 0.14
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.2
compiled with protobuf-c version: 1.3.3
linked to protobuf-c version: 1.3.3
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
geoip-directory: /usr/share/GeoIP
```
### Steps to reproduce
Just run opendnssec with several secured zones. It will die within seconds to minutes.
### Relevant configuration files
```
[root@registry2 coredump]# named-checkconf -px
acl "trusted" {
"localnets";
"localhost";
192.168.172.0/26;
fc00:1000:0:b00::/64;
192.168.184.0/26;
fc00:1000:0:e00::/64;
192.168.188.0/26;
fc00:1000:0:f00::/64;
192.168.176.0/26;
fc00:1000:0:c00::/64;
192.168.160.0/26;
fc00:1000:0:800::/64;
192.168.169.128/29;
fc00:1003:a:7::/64;
192.168.169.136/29;
fc00:1003:a:107::/64;
192.168.169.144/29;
fc00:1003:a:207::/64;
192.168.169.152/29;
fc00:1003:a:307::/64;
192.168.169.160/29;
fc00:1003:a:407::/64;
192.168.169.168/29;
fc00:1003:a:507::/64;
192.168.169.176/29;
fc00:1003:a:607::/64;
192.168.169.184/29;
fc00:1003:a:707::/64;
192.168.169.192/29;
fc00:1003:a:8::/64;
192.168.169.200/29;
fc00:1003:a:108::/64;
192.168.169.208/29;
fc00:1003:a:208::/64;
192.168.169.216/29;
fc00:1003:a:308::/64;
192.168.169.224/29;
fc00:1003:a:408::/64;
192.168.169.232/29;
fc00:1003:a:508::/64;
192.168.169.240/29;
fc00:1003:a:608::/64;
192.168.169.248/29;
fc00:1003:a:708::/64;
10.12.112.0/20;
fc00:1002:c7::/64;
172.16.199.0/28;
fc00:1001:c7::/64;
192.168.168.128/26;
fc00:1003:a:3::/64;
192.168.164.0/23;
fc00:1003:9:1::/64;
192.168.169.0/26;
fc00:1003:a:5::/64;
192.168.168.0/26;
fc00:1003:a:1::/64;
192.168.168.192/26;
fc00:1003:a:4::/64;
192.168.166.0/23;
fc00:1003:9:9::/64;
192.168.169.64/26;
fc00:1003:a:6::/64;
192.168.168.64/26;
fc00:1003:a:2::/64;
192.168.180.0/26;
fc00:1000:0:d00::/64;
192.168.170.0/29;
fc00:1003:a:9::/64;
};
logging {
channel "default_debug" {
file "data/named.run";
severity dynamic;
print-time yes;
};
channel "named" {
file "data/named.log" versions 10 size 20971520;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
channel "security" {
file "data/security.log" versions 10 size 20971520;
severity info;
print-time yes;
print-severity yes;
};
channel "dnssec" {
file "data/dnssec.log" versions 10 size 20971520;
severity info;
print-time yes;
print-severity yes;
};
channel "resolver" {
file "data/resolver.log" versions 10 size 20971520;
severity info;
print-time yes;
print-severity yes;
};
channel "query_log" {
file "data/query.log" versions 10 size 83886080;
severity info;
print-time yes;
print-severity yes;
};
channel "query_error" {
file "data/query_errors.log" versions 10 size 20971520;
severity info;
print-time yes;
print-severity yes;
};
channel "lame_servers" {
file "data/lame-servers.log" versions 10 size 20971520;
severity info;
print-time yes;
print-severity yes;
};
channel "capacity" {
file "data/capacity.log" versions 10 size 20971520;
severity info;
print-time yes;
print-severity yes;
};
channel "database" {
file "data/database.log" versions 10 size 20971520;
severity info;
print-time yes;
print-severity yes;
};
channel "update" {
file "data/update.log" versions 10 size 10485760;
severity info;
print-time yes;
print-severity yes;
};
category "default" {
"default_syslog";
"named";
};
category "general" {
"default_syslog";
"named";
};
category "security" {
"security";
};
category "queries" {
"query_log";
};
category "query-errors" {
"query_error";
};
category "lame-servers" {
"lame_servers";
};
category "dnssec" {
"dnssec";
};
category "edns-disabled" {
"default_syslog";
"resolver";
};
category "config" {
"default_syslog";
"named";
};
category "resolver" {
"resolver";
};
category "cname" {
"resolver";
};
category "spill" {
"capacity";
};
category "rate-limit" {
"capacity";
};
category "database" {
"database";
};
category "client" {
"default_syslog";
"named";
};
category "network" {
"default_syslog";
"named";
};
category "unmatched" {
"named";
};
category "delegation-only" {
"named";
};
category "update" {
"default_syslog";
"update";
};
category "update-security" {
"default_syslog";
"update";
};
};
options {
directory "/var/named";
dump-file "data/cache_dump.db";
managed-keys-directory "/var/named/dynamic";
memstatistics-file "data/named_mem_stats.txt";
pid-file "/run/named/named.pid";
statistics-file "data/named_stats.txt";
tkey-gssapi-keytab "/etc/named.keytab";
allow-query-cache {
"trusted";
};
allow-recursion {
"trusted";
};
disable-algorithms "." {
"RSAMD5";
"RSASHA1";
"NSEC3RSASHA1";
"DSA";
"NSEC3DSA";
"ECCGOST";
};
disable-ds-digests "." {
"SHA-1";
"GOST";
};
rate-limit {
errors-per-second 1;
exempt-clients {
"trusted";
};
nodata-per-second 2;
qps-scale 200;
responses-per-second 5;
window 1800;
};
allow-notify {
10.12.112.2/32;
};
allow-query {
"any";
};
also-notify {
10.12.112.2;
10.12.127.253;
10.12.127.252;
};
notify explicit;
};
dyndb "ipa" "/usr/lib64/bind/ldap.so" {
uri "ldapi://%2fvar%2frun%2fslapd-1-QUIETFOUNTAIN-COM.socket";
base "cn=dns,dc=1,dc=quietfountain,dc=com";
server_id "registry2.1.quietfountain.com";
auth_method "sasl";
sasl_mech "EXTERNAL";
krb5_keytab "FILE:/etc/named.keytab";
};
trust-anchors {
"." initial-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update {
"none";
};
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update {
"none";
};
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update {
"none";
};
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update {
"none";
};
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update {
"none";
};
};
```
Coredump files available

https://gitlab.isc.org/isc-projects/bind9/-/issues/4532
An option to not have bind9/dnssec-settime (possibly other tools) reset permissions on a .private file.
2024-01-16T20:30:36Z Dan Mahoney

### Description
The `named` process and `dnssec-settime` (perhaps other tools) will take it upon themselves to change the permissions of a private key on certain changes.
However, we track our key-directory (and other configs) using git, with a group-shared repository.
Typical permissions on .private files are bind:bind with mode 660, but because a normal user (in the bind group) diffs/commits/pushes the repository, these keys can also be user:bind mode 660.
(Noting as well that our tooling is not more comfortable running git tasks as root, complaining of other permissions issues. Also, the less we can do as root, the better.)
With bind's usual permissions model, one cannot do a git diff/git log if the file is owned by bind. If the file is owned by user:bind, bind loses access to it on the permissions change.
Changing the umask under which the process runs doesn't seem to fix this, we tried.
Running a periodic cron job to fix this is a possible workaround, but feels like it shouldn't be necessary.
### Request
For command line tools, an option to not do this.
For `named`, an `options` statement that lets us turn this off.
Both retaining the current behavior by default.
### Links / references

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/4531
Improvements to the parental-agents definition in the arm
2024-03-08T05:42:15Z Dan Mahoney

Hi and thanks for filing an issue! It will be read with care by human beings.
It would be a tremendous help if you could follow these steps first:
- [X] Search the existing issues in GitLab (both open and closed) to see if your report might be a duplicate. We have a large database here and many issues have already been fixed in the latest versions!
- [X] Make sure this is **not** a support question. If you have specific trouble configuring or debugging your setup, please use the bind-users mailing list: https://lists.isc.org/mailman/listinfo/bind-users
- [X] You have read and understood the "out in the open" support policy: https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/ . Even though it was written by the PowerDNS folks, we follow it as well!
Before continuing, **please select the appropriate issue template in the drop-down menu above, under the heading _Description_**.
(There is no "doc" template. Maybe there should be.)
The current doc for parental-agents laid out in the 9.18 arm is, some formatting tweaks for gitlab aside:
> Grammar zone (primary, secondary): `parental-agents [ port <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };`
>
> Grammar topmost: `parental-agents <string> [ port <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times`
>
> Blocks: topmost, zone (primary, secondary)
>
> Tags: zone
>
> Defines a list of delegation agents to be used by primary and secondary zones.
>
> 8.2.10. `parental-agents` Block Definition and Usage
>
> `parental-agents` lists allow for a common set of parental agents to be easily used by multiple primary and secondary zones. A parental agent is the entity that is allowed to change a zone’s delegation information (defined in RFC 7344).
What is not apparent from the above:
* If you define a "topmost" parental agent, you must still define it in a zone for it to be used. There is no way to configure a default parental agent, nor to have it apply to zones without stating it for each. The example cited in the 9.18 migration article in the KB only mentions the pure-zone-based version, and doesn't give a good example of how to do it with a globally-defined one.
* The "usage" statement for the zone does not make it apparent how to specify an agent defined topmost -- this implies either two "zone" usage statements (Grammar zone with no defined topmost agent, grammar zone with the agent defined only in the zone statement), or a more complex definition of the "Grammar Zone" statement where it's either "parental-agents { "string"; } followed by the rest of the possible options. (I guess it's possible to use a topmost-defined parental agent but ALSO add others? -- I'm not sure how to properly bracket those options, depending on if that's the case.)
* **"A parental agent is the entity that is allowed to change a zone's delegation information"** is untrue in this case. While that is one possible usage (for example, specifying "a0.org.afilias-nst.info." for an agent for example.org), The a0.org.afilias-nst.info. is not allowed to change the delegation information -- some hidden SRS server and a stealth master are, as part of the DNSSEC process. A parental-agent may also be set to 8.8.8.8 or any other TSIG-relationship-defined validating resolver, none of which are allowed to change anything about the delegation.
* Also, the "allowed to change" wording implies that there is some nsupdate-like relationship required between our zone and it, that's to be configured, especially because things like TSIG keys are offered as options.
* It isn't immediately clear that the only thing BIND does is send DS queries.
A better phrasing here might be:
"A parental agent is a trusted DNS server that can confirm that a zone's delegation information has been updated in the parent zone of the one being configured, as defined in (rfc foo section bar). [An optional statement about what is implied by "trusted" (TSIG/DNSSEC/ACLs on the parental-agent server) could go here.]"

March 2024 (9.16.49, 9.16.49-S1, 9.18.25, 9.18.25-S1, 9.19.22) Matthijs Mekking matthijs@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/issues/4530
Definable zone-policies in named.conf to allow inheritable zone configuration statements beyond the global options block.
2024-01-15T07:00:03Z Dan Mahoney

### Description
A generic, inheritable, zone-policy statement that allows for a many of zone data to be simply included. (Inspired somewhat by apache24's mod_template).
### Request
In rolling out the new dnssec arguments in bind9.18, a number of items have come up where a number of statements are duplicated in each zone, that cannot be specified easily at the `options` level.
Some examples:
* dnssec-policy assignment (not definition): while you can redefine the default, if you want a non-default policy, you must specify it manually in every zone.
* parental-agents: a globally named parental agent may be configured, but there is no keyword to make it the default one for all zones, unless overridden.
* inline-signing: this cannot be set at the global level, as far as I can tell.
* usage of the same data for multiple "parked" (non-dnssec) zones, so this could even include a "file" and "type" statement.
Several other more "classic" options also exist for zones, like `allow-query`, and `allow-transfer`, that you *can* set globally, and that you may want to apply for many zones, but you may not want to inherit what's present in the global `options` block (or you may in fact want the global `options` block to list a conservative and restrictive default.)
This is in no way an exhaustive list of available statements that could be included.
While on its face this feels like an option that would complicate configuration, it stands to make configuration way shorter and easier to read as long as the options are well spelled out. It makes configuration audits easier as well, because rather than scanning each zone statement for typos and evaluations, you know for sure that a policy has been applied.
I recognize that 9.20 or beyond may be where this happens, if at all.
### Links / references

https://gitlab.isc.org/isc-projects/bind9/-/issues/4529
Abort in nsupdate
2024-03-08T05:49:14Z
Mark Andrews

This was with main as far as nsupdate was concerned. It appears that it managed to call dns_requestmgr_shutdown twice.
```
-------------------------------------
Translated Report (Full Report Below)
-------------------------------------
Process: nsupdate [60914]
Path: /Users/USER/*/nsupdate
Identifier: nsupdate
Version: ???
Code Type: ARM-64 (Native)
Parent Process: Exited process [88632]
Responsible: Terminal [1931]
User ID: 505
Date/Time: 2024-01-12 16:55:38.9877 +1100
OS Version: macOS 13.6.3 (22G436)
Report Version: 12
Anonymous UUID: E43701DF-63DC-8EF6-83FC-FFBFB7819AE8
Sleep/Wake UUID: 2E0B9225-F88F-4D2B-82C0-1ADB50A22170
Time Awake Since Boot: 1300000 seconds
Time Since Wake: 12303 seconds
System Integrity Protection: enabled
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Termination Reason: Namespace SIGNAL, Code 6 Abort trap: 6
Terminating Process: nsupdate [60914]
Application Specific Information:
abort() called
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x19ff40744 __pthread_kill + 8
1 libsystem_pthread.dylib 0x19ff77c28 pthread_kill + 288
2 libsystem_c.dylib 0x19fe85ae8 abort + 180
3 libisc-9.19.21-dev.dylib 0x104352eb4 isc_assertion_failed + 60 (assertions.c:49)
4 libdns-9.19.21-dev.dylib 0x1048f45cc dns_requestmgr_shutdown + 268 (request.c:198)
5 nsupdate 0x1041e94b4 maybeshutdown + 60 (nsupdate.c:741)
6 nsupdate 0x1041eeedc update_completed + 112 (nsupdate.c:2452)
7 libdns-9.19.21-dev.dylib 0x1048f7d64 req_sendevent_cb + 40 (request.c:949)
8 libisc-9.19.21-dev.dylib 0x104353444 isc__async_cb + 448 (async.c:111)
9 libuv.1.dylib 0x10452a3c4 uv__async_io + 320
10 libuv.1.dylib 0x10453a1e0 uv__io_poll + 1748
11 libuv.1.dylib 0x10452a7bc uv_run + 244
12 libisc-9.19.21-dev.dylib 0x1043758f0 loop_thread + 372 (loop.c:282)
13 libisc-9.19.21-dev.dylib 0x104394914 thread_body + 88 (thread.c:85)
14 libisc-9.19.21-dev.dylib 0x10439488c isc_thread_main + 104 (thread.c:116)
15 libisc-9.19.21-dev.dylib 0x10437564c isc_loopmgr_run + 472 (loop.c:454)
16 nsupdate 0x1041e5ea4 main + 420 (nsupdate.c:3483)
17 dyld 0x19fc1ff28 start + 2236
Thread 1:
0 libsystem_kernel.dylib 0x19ff40854 poll + 8
1 liburcu-cds.8.dylib 0x1045b58c8 compat_futex_async + 76 (compat_futex.c:139)
2 liburcu-cds.8.dylib 0x1045b2824 futex_async + 28 (futex.h:193) [inlined]
3 liburcu-cds.8.dylib 0x1045b2824 futex_wait + 88 (workqueue.c:135)
4 liburcu-cds.8.dylib 0x1045b255c workqueue_thread + 796 (workqueue.c:246)
5 libsystem_pthread.dylib 0x19ff77fa8 _pthread_start + 148
6 libsystem_pthread.dylib 0x19ff72da0 thread_start + 8
Thread 2:
0 libsystem_kernel.dylib 0x19ff40854 poll + 8
1 liburcu.8.dylib 0x104459d10 compat_futex_async + 76 (compat_futex.c:139)
2 liburcu.8.dylib 0x104457d24 futex_async + 28 (futex.h:193) [inlined]
3 liburcu.8.dylib 0x104457d24 wait_gp + 44 (urcu.c:267) [inlined]
4 liburcu.8.dylib 0x104457d24 wait_for_readers + 380 (urcu.c:359)
5 liburcu.8.dylib 0x104457a4c urcu_memb_synchronize_rcu + 476 (urcu.c:500)
6 liburcu.8.dylib 0x1044596ec call_rcu_thread + 384 (urcu-call-rcu-impl.h:381)
7 libsystem_pthread.dylib 0x19ff77fa8 _pthread_start + 148
8 libsystem_pthread.dylib 0x19ff72da0 thread_start + 8
```
March 2024 (9.16.49, 9.16.49-S1, 9.18.25, 9.18.25-S1, 9.19.22)