BIND issues
https://gitlab.isc.org/isc-projects/bind9/-/issues
Updated: 2018-08-14T08:09:18Z

mempool is broken if object size is below the alignment size
https://gitlab.isc.org/isc-projects/bind9/-/issues/474
Updated: 2018-08-14T08:09:18Z
Author: Evan Hunt

Not that it's very likely to come up often, but `isc_mempool_create()` doesn't quantize the object size when it's allocating memory, but `isc_mempool_destroy()` does quantize it when freeing. If the object size is below 8 on a 64 bit system, it will crash in `check_overrun()`.

inline test regularly failing
https://gitlab.isc.org/isc-projects/bind9/-/issues/285
Updated: 2018-08-14T08:38:59Z
Author: Stephen Morris

The "inline" system test regularly (but not always) fails on several of the Jenkins machines at the point:
```
I:inline:check rndc retransfer of a inline nsec3 slave retains nsec3 (49)
I:inline:failed
```
This seems to be a timing issue.

Intermittent rbt_insert_and_remove unit test failures
https://gitlab.isc.org/isc-projects/bind9/-/issues/471
Updated: 2018-08-14T09:11:19Z
Author: Michał Kępień

One failure observed so far in https://gitlab.isc.org/isc-projects/bind9/-/jobs/33413:
```
lib/dns/tests/rbt_test:rbt_insert_and_remove -> failed: 2 checks failed; see output for more details [9.538s]
```
Test output:
```
*** Check failed: rbt_test.c:962: names_count + 1 != dns_rbt_nodecount(mytree): line:1031: 2 != 1
*** Check failed: rbt_test.c:962: names_count + 1 != dns_rbt_nodecount(mytree): line:1041: 1 != 0
```
Assignee: Michał Kępień

nsupdate tests fail intermittently
https://gitlab.isc.org/isc-projects/bind9/-/issues/424
Updated: 2018-08-14T09:36:02Z
Author: Ondřej Surý

One example:
https://gitlab.isc.org/isc-projects/bind9/-/jobs/25964

Missing check in acl_test.c unit test
https://gitlab.isc.org/isc-projects/bind9/-/issues/465
Updated: 2018-08-14T16:13:06Z
Author: Stephen Morris

The Jenkins cppcheck job reports that a variable in acl_test.c is assigned a value that is never used. The code in question is at line 93 and is:
```
090 result = dns_acl_create(mctx, 1, &notgeoip);
091 ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
092
093 result = dns_acl_merge(notgeoip, geoip, ISC_FALSE);
094 #endif
095
096 ATF_CHECK(dns_acl_isinsecure(any)); /* any; */
```
It would seem that an ATF_REQUIRE_EQ check is required after the call to dns_acl_merge.

Improved, comprehensive logging of NTA additions and removals [ISC-Support #8279]
https://gitlab.isc.org/isc-projects/bind9/-/issues/460
Updated: 2018-08-14T23:17:36Z
Author: Vicky Risk <vicky@isc.org>

user request is for a log message *at the time when an NTA is expired*, ideally with a reason.
> What we would really like to see is just a message at the
> expired point. Something we can trigger on predictably.
> "<zone> NTA expired due to time"
> "<zone> NTA expired due to zone revalidating"
> "<zone> NTA removed at user request" (rndc nta -remove)
> "<zone> NTA expired due to <other reasons>"
This was discussed at the weekly meeting, and Mukund said
that a timer might need to be added to the NTA code, so as
to watch/track NTAs.
<muks>
Note that we do log NTA expiry before a "resolution fails because the
NTA has been removed". But it isn't logged at the exact second the NTA
expires.. it is cleaned up lazily when we attempt to use it next.
--------------
The customer's use case:
> The main purpose would be for Tier I helpdesk awareness. We would incorporate this into our existing log analysis system to generate reports that detail why an NTA was removed and when. The most immediate use case I can think of is a signed domain whose signatures have expired that requested an NTA and is now getting complaints about resolution failing. As we talked about we would want to get the current status through real-time queries but knowing the cause of the removal would help reduce call escalation.
>
> It occurs to me that our use case may be different from an external recursive server so this may seem like an odd request. The recursive servers where we will utilize NTA are at the enterprise level and provide recursion for the internal namespace. That internal namespace is very fractured and maintained by over a thousand different groups. So the support structure for those enterprise recursive servers need to be able to answer when there are problems in any of that namespace. Knowing resolution is failing because the NTA has been removed and why will help overall understanding and ticket routing.
Tagging with 9.13.3, hoping to get this into 9.14.0
Milestone: BIND-9.13.3

Remove support for unthreaded BIND
https://gitlab.isc.org/isc-projects/bind9/-/issues/478
Updated: 2018-08-16T19:09:45Z
Author: Witold Krecicki

Threads are supported virtually anywhere, removing support for unthreaded version of BIND cleans up code and it's a sane thing to do.
Assignee: Witold Krecicki

Full Recv-Queue
https://gitlab.isc.org/isc-projects/bind9/-/issues/462
Updated: 2018-08-20T07:58:51Z
Author: Ghost User

### Summary
After a few hours, the bind will no longer respond to all LISTEN addresses.
OS: netbsd-8, bind-9.10.7 and bind-9.10.8
### Steps to reproduce
I can not generate the error.
### What is the current *bug* behavior?
After some time, the bind will not respond to all listen addresses. netstat Shows:
```
udp 4899 0 139.18.25.33.53 *.*
udp 0 0 139.18.25.34.53 *.*
```
Requests for IP 139.18.25.34 will be answered correctly. Requests for IP 139.18.25.33 will not be answered. netstat shows a full queue for incoming packets on this IP. It does not always affect this IP, it also happens that another of the listen addresses is affected. It only helps restart the named. After that, everything works correctly for a while.
### What is the expected *correct* behavior?
expected is an empty Recv-Queue
### Relevant configuration files
```
options {
    directory "/etc/namedb";
    dnssec-enable yes;
    dnssec-validation auto;
    allow-recursion { any; };
    rate-limit {
        responses-per-second 25;
        exempt-clients {127.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12; 10.0.0.0/8; 139.18.0.0/16; 2001:638:902::0/48; };
    };
    listen-on { 139.18.25.33; 139.18.25.34; 192.88.99.1; };
    listen-on-v6 { 2001:638:902:1::1; 2001:638:902:1::10; };
};
```
### Relevant logs and/or screenshots
Nothing found in the logfiles.
### Possible fixes

Problems linking against pthreads in bin/tests/optional
https://gitlab.isc.org/isc-projects/bind9/-/issues/485
Updated: 2018-08-21T12:32:50Z
Author: Stephen Morris

Jenkins builds have started to fail when building files in bin/test/optional, apparently unable to link to the pthreads library. The cause appears to be a missing "-lpthreads" somewhere in the build scripts. The failure occurs on multiple systems, including Ubuntu 16.04 and FreeBSD 11.

9.11.3 -> NOERROR / 9.12.X -> SERVFAIL
https://gitlab.isc.org/isc-projects/bind9/-/issues/390
Updated: 2018-08-22T08:43:00Z
Author: Ghost User

### Summary
SERVFAIL for some domains - for example:

www.eclipse.org
www.redcross.ca

after upgrading from 9.11.3 -> 9.12.0 / 9.12.1.-P2

### Steps to reproduce
[same config in tests]
9.11.3 -> resolves / NOERROR
9.12.X -> does not resolve at all / SERVFAIL

Reading through the release notes I cannot spot
anything worth trying.

Logs (with trace 99) + configfiles + console output + dumpdb:

https://www.undermydesk.org/servfail/working-9-11-3/
https://www.undermydesk.org/servfail/servfail-9-12-0/

Signatures loaded from the secure journal of an inline-signed zone are never refreshed
https://gitlab.isc.org/isc-projects/bind9/-/issues/482
Updated: 2018-08-22T09:21:23Z
Author: Michał Kępień

`DNS_JOURNALOPT_RESIGN` is not set when journal rollforward is performed for the signed version of an inline-signed zone, which prevents scheduling refresh events for signatures loaded from that journal.
Note that under certain circumstances (e.g. signing keys not being available when inline signing is first enabled for a zone), this issue may affect records at the zone apex.
Assignee: Michał Kępień

named occasionally stops zone resigning and reloading with inline signing
https://gitlab.isc.org/isc-projects/bind9/-/issues/438
Updated: 2018-08-22T10:01:27Z
Author: Axel Rau

### bind version in use:
<pre>BIND 9.12.1-P2 <id:14b0e01>
running on FreeBSD amd64 11.2-RELEASE FreeBSD 11.2-RELEASE #0 r335510: Fri Jun 22 04:32:14 UTC 2018 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC
built by make with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--with-libxml2=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlopen=yes' '--sysconfdir=/usr/local/etc/namedb' '--disable-dnstap' '--disable-fixed-rrset' '--without-geoip' '--with-idn=/usr/local' '--enable-ipv6' '--with-libjson=/usr/local' '--disable-largefile' '--with-lmdb=/usr/local' '--with-python=/usr/local/bin/python2.7' '--disable-querytrace' '--enable-rpz-nsdname' '--enable-rpz-nsip' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-tcp-fastopen' '--enable-threads' '--with-tuning=default' '--without-gssapi' '--with-openssl=/usr' '--disable-native-pkcs11' '--with-dlz-filesystem=yes' '--without-gost' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.1' 'build_alias=amd64-portbld-freebsd11.1' 'CC=clang' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector -isystem /usr/local/include -fno-strict-aliasing' 'LDFLAGS= -fstack-protector' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=clang-cpp'
compiled by CLANG 4.2.1 Compatible FreeBSD Clang 4.0.0 (tags/RELEASE_400/final 297347)
compiled with OpenSSL version: OpenSSL 1.0.2k-freebsd 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2o-freebsd 27 Mar 2018
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with libjson-c version: 0.13
linked to libjson-c version: 0.13
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
</pre>
### Summary
named (9.11 or 9.12) sometimes fails to load a changed master file and to resign the zone after a rndc reload. To recover from this, the journal files must be deleted.
The issue has been discussed here:
https://marc.info/?l=bind-users&m=152837141204255&w=2
Zone file and config file available on request.
### Steps to reproduce
1. Add a RR and set the SOA serial to a new value (1st change today would be 2018072500) in master file.
2. Give a rndc reload command.
3. Query for SOA and added RR with dig.
* Expected changes are missing.
4. Give a rndc zonestatus.
* "last loaded:" shows old value.
* "serial:" shows 2018072500
* "signed serial:" shows 2018072500
### Relevant scripts
Keys, sigs and unattended maintenance of DS-RR upstream are handled by this script:
https://github.com/mc3/DSKM
using dnssec-keygen, dnssec-dsfromkey and dnssec-settime.
### Relevant configuration files
```
relevant part of server config file:
options {
    serial-update-method date;
}; // options
relevant part of zone file:
zone "lrau.net" in {
    type master;
    file "master/signed/lrau.net/lrau.net.zone";
    key-directory "master/signed/lrau.net/";
    auto-dnssec maintain;
    inline-signing yes;
    dnssec-secure-to-insecure no;
    also-notify {
        1.2.3.4;
        5.6.7.8;
    };
};
```
### Transcript of bug occurrence today
<pre>
prompt: rndc zonestatus lrau.net
name: lrau.net
type: master
files: master/signed/lrau.net/lrau.net.zone, master/signed/lrau.net/caldav.lrau.net.tlsa, master/signed/lrau.net/git3.lrau.net.tlsa, master/signed/lrau.net/git4.lrau.net.tlsa, master/signed/lrau.net/lists3.lrau.net.tlsa, master/signed/lrau.net/lists4.lrau.net.tlsa, master/signed/lrau.net/mailout3.lrau.net.tlsa, master/signed/lrau.net/mailout4.lrau.net.tlsa, master/signed/lrau.net/mx3.lrau.net.tlsa, master/signed/lrau.net/mx4.lrau.net.tlsa, master/signed/lrau.net/timap3.lrau.net.tlsa, master/signed/lrau.net/tmx3.lrau.net.tlsa, master/signed/lrau.net/acme_challenges.inc
serial: 2018072403
signed serial: 2018072430
nodes: 89
last loaded: Tue, 24 Jul 2018 19:08:01 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Wed, 25 Jul 2018 11:08:02 GMT
next resign node: lrau.net/MX
next resign time: Thu, 16 Aug 2018 06:09:55 GMT
dynamic: no
reconfigurable via modzone: no
</pre>
<pre>diff lrau.net.zone lrau.net.zone.back
7c7
< 2018072500 ; Serial number
---
> 2018072403 ; Serial number
229,230c229
< voip-gw1 IN A 91.216.35.210
< IN AAAA 2a05:bec0:26:18::210
---
> voip-gw1 IN A 91.216.35.210</pre>
<pre>prompt: rndc reload
server reload successful</pre>
relevant log entries:
<pre>13:00:03 zone lrau.net/IN (signed): next key event: 25-Jul-2018 14:00:31.162
13:00:03 reloading zones succeeded
13:00:03 zone lrau.net/IN (unsigned): loaded serial 2018072500
13:00:03 zone lrau.net/IN (signed): serial 2018072500 (unsigned 2018072500)
13:00:03 all zones loaded</pre>
<pre>prompt: rndc zonestatus lrau.net
name: lrau.net
type: master
files: master/signed/lrau.net/lrau.net.zone, master/signed/lrau.net/caldav.lrau.net.tlsa, master/signed/lrau.net/git3.lrau.net.tlsa, master/signed/lrau.net/git4.lrau.net.tlsa, master/signed/lrau.net/lists3.lrau.net.tlsa, master/signed/lrau.net/lists4.lrau.net.tlsa, master/signed/lrau.net/mailout3.lrau.net.tlsa, master/signed/lrau.net/mailout4.lrau.net.tlsa, master/signed/lrau.net/mx3.lrau.net.tlsa, master/signed/lrau.net/mx4.lrau.net.tlsa, master/signed/lrau.net/timap3.lrau.net.tlsa, master/signed/lrau.net/tmx3.lrau.net.tlsa, master/signed/lrau.net/acme_challenges.inc
serial: 2018072500
signed serial: 2018072500
nodes: 89
last loaded: Tue, 24 Jul 2018 19:08:01 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Wed, 25 Jul 2018 12:00:31 GMT
next resign node: lrau.net/MX
next resign time: Thu, 16 Aug 2018 06:09:55 GMT
dynamic: no</pre>
<pre>prompt: ls -l
total 181
-rw-r--r-- 1 bind pki_op 536 May 11 15:55 Klrau.net.+008+02496.key
-rw------- 1 bind pki_op 1060 May 11 15:55 Klrau.net.+008+02496.private
-rw-r--r-- 1 bind pki_op 711 May 27 00:55 Klrau.net.+008+24919.key
-rw------- 1 bind pki_op 1824 May 27 00:55 Klrau.net.+008+24919.private
-rw-r--r-- 1 bind pki_op 537 Jul 10 15:55 Klrau.net.+008+60714.key
-rw------- 1 bind pki_op 1060 Jul 10 15:55 Klrau.net.+008+60714.private
drwxr-x--- 2 bind wheel 3 Nov 15 2012 RCS
-rw-rw-r-- 1 bind pki_op 0 Jun 15 17:05 acme_challenges.inc
-rw-rw-r-- 1 bind pki_op 0 Aug 6 2016 caldav.lrau.net.tlsa
-rw-rw-r-- 1 bind pki_op 0 Aug 6 2016 caldav3.lrau.net.tlsa
-rw-rw-r-- 1 bind pki_op 0 Aug 6 2016 caldav4.lrau.net.tlsa
-rw-r----- 1 bind wheel 456 Aug 14 2012 dnssec-conf-lrau.net
-rw-r----- 1 bind wheel 308 Jul 25 11:55 dnssec-stat-lrau.net
-rw-rw-r-- 1 bind pki_op 109 Jun 13 20:05 git3.lrau.net.tlsa
-rw-rw-r-- 1 bind pki_op 109 Jun 13 20:05 git4.lrau.net.tlsa
-rw-rw-r-- 1 bind pki_op 218 Jun 6 18:05 imap.lrau.net.tlsa
-rw-rw-r-- 1 bind pki_op 220 Jun 6 18:05 imap3.lrau.net.tlsa
-rw-rw-r-- 1 bind pki_op 220 Jun 6 18:05 imap4.lrau.net.tlsa
-rw-rw-r-- 1 bind pki_op 110 Jun 14 12:05 lists3.lrau.net.tlsa
-rw-rw-r-- 1 bind pki_op 110 Jun 14 12:05 lists4.lrau.net.tlsa
-rw-rw-r-- 1 bind pki_op 6611 Jul 25 12:52 lrau.net.zone
-rw-r--r-- 1 root pki_op 6577 Jul 25 12:25 lrau.net.zone.back
-rw-r--r-- 1 bind pki_op 512 Jul 24 21:08 lrau.net.zone.jbk
-rw-r--r-- 1 bind pki_op 731 Jul 25 13:00 lrau.net.zone.jnl
-rw-r--r-- 1 bind pki_op 50361 Jul 24 21:19 lrau.net.zone.signed
-rw-r--r-- 1 bind pki_op 58381 Jul 25 13:00 lrau.net.zone.signed.jnl
-rw-rw-r-- 1 bind pki_op 112 Jun 6 19:05 mailout3.lrau.net.tlsa
-rw-rw-r-- 1 bind pki_op 112 Jun 6 19:05 mailout4.lrau.net.tlsa
-rw-rw-r-- 1 bind pki_op 107 Jun 6 21:05 mx3.lrau.net.tlsa
-rw-rw-r-- 1 bind pki_op 107 Jun 6 21:05 mx4.lrau.net.tlsa
-rw-rw-r-- 1 bind pki_op 0 Nov 1 2016 timap.lrau.net.tlsa
-rw-rw-r-- 1 root pki_op 332 Jun 22 13:05 timap3.lrau.net.tlsa
-rw-rw-r-- 1 bind pki_op 0 Oct 29 2016 tmx.lrau.net.tlsa
-rw-rw-r-- 1 root pki_op 108 Jun 22 13:05 tmx3.lrau.net.tlsa</pre>
<pre>promt: named-checkzone lrau.net master/signed/lrau.net/lrau.net.zone
zone lrau.net/IN: loaded serial 2018072500
OK</pre>
<pre>prompt: service named stop
Stopping named.
Waiting for PIDS: 54208.</pre>
<pre>prompt: rm *.jbk *.jnl *.signed
prompt: service named start
Starting named.</pre>
<pre>prompt: rndc zonestatus lrau.net
name: lrau.net
type: master
files: master/signed/lrau.net/lrau.net.zone, master/signed/lrau.net/caldav.lrau.net.tlsa, master/signed/lrau.net/git3.lrau.net.tlsa, master/signed/lrau.net/git4.lrau.net.tlsa, master/signed/lrau.net/lists3.lrau.net.tlsa, master/signed/lrau.net/lists4.lrau.net.tlsa, master/signed/lrau.net/mailout3.lrau.net.tlsa, master/signed/lrau.net/mailout4.lrau.net.tlsa, master/signed/lrau.net/mx3.lrau.net.tlsa, master/signed/lrau.net/mx4.lrau.net.tlsa, master/signed/lrau.net/timap3.lrau.net.tlsa, master/signed/lrau.net/tmx3.lrau.net.tlsa, master/signed/lrau.net/acme_challenges.inc
serial: 2018072500
signed serial: 2018072527
nodes: 89
last loaded: Wed, 25 Jul 2018 11:34:00 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Wed, 25 Jul 2018 12:34:00 GMT
next resign node: uplink.bu.lrau.net/NSEC
next resign time: Thu, 16 Aug 2018 22:44:02 GMT
dynamic: no
reconfigurable via modzone: no
prompt: </pre>

BIND 9.11.4 fails to send expected notifies for zone which uses inline signing
https://gitlab.isc.org/isc-projects/bind9/-/issues/480
Updated: 2018-08-22T10:01:29Z
Author: Michael McNally

### Summary
Klaus H. reported this issue to us via the website bug submission form. He states:
> We are using bind 9.11.3 on a dns server configuration with a hidden master.
> We are using dnssec (NSEC3) with inline signing taking place on the hidden master.
> The configuration works as expected.
> After upgrading to bind 9.11.4-P1 the hidden master
> no longer sends notifications to any other dns server.
### Steps to reproduce
He says he does nothing special to cause the bug to manifest.
1. bind 9.11.3 is running
1. systemctl stop named-chroot
1. uninstall bind 9.11.3
1. install bind 9.11.4-P1
1. systemctl start named-chroot
At that point bind does inline signing but does not send notifications when
a signed zone is changed.
Unsigned zones work as before.
### Related Issue?
This appears very similar to https://gitlab.isc.org/isc-projects/bind9/issues/438, although that issue was reported against 9.12.1. I rather suspect they will turn out to share a cause but I am creating this ticket separately until we have actual evidence to support that conclusion.

No way to log NXDOMAIN reply?
https://gitlab.isc.org/isc-projects/bind9/-/issues/291
Updated: 2018-08-22T10:14:34Z
Author: Ghost User

### Description
As I said in another post, I'm new to setting up my own DNS / BIND, and I have been trying to figure out how to log NXDOMAIN replies; IE when named authoritatively answers "That doesn't exist" to a query for something like "fjdkwoadghasdeithgggg.com".
It would be nice to add the actual *reply* sent to the client instead of just what the client requested.
If this is already possible with BIND, please let me know how. I set up a config file to include ALL logging categories to a single file and then grepped through it for NXDOMAIN or some hint to "does not exist" as an answer, and found nothing. 1500 lines of text for 3 DNS queries, and there's not a single "NXDOMAIN" in it.
### Request
Add *reply* sent to client to logging, not just client request
### Links / references
https://serverfault.com/questions/913528/named-log-nxdomain-queries-at-the-server
Assignee: Michał Kępień

telemetry misspelled as telementry
https://gitlab.isc.org/isc-projects/bind9/-/issues/490
Updated: 2018-08-22T18:50:21Z
Author: Ghost User

### Summary
"telemetry" is misspelled "telementry" in several places, including:
CHANGES
lib/dns/name.c
lib/dns/include/dns/name.h
lib/dns/tests/name_test.c
seen in at least 9.10.8 & 9.12.2
### Steps to reproduce
grep the source code
### What is the current *bug* behavior?
for example, see log entry below
### What is the expected *correct* behavior?
the word should be spelled "telemetry"
### Relevant configuration files
not pertinent
### Relevant logs and/or screenshots
named[47141]: trust-anchor-telementry: info: client 128.255.172.203#35219 (root-key-sentinel-not-ta-19036.0ds-u5833f274-c233-s1534821377-i80ffaccb-0.am.dotnxdomain.net): view internal: root-key-sentinel-not-ta query label found
### Possible fixes
fix the spelling

Build Fails with --enable-developer when building without libtool
https://gitlab.isc.org/isc-projects/bind9/-/issues/484
Updated: 2018-08-22T21:00:54Z
Author: Curtis Blackburn

Build Fails with `--enable-developer` when building master without libtool (same results whether it was not detected, or `--without-libtool` was explicitly specified). This was found across all systems in Jenkins.
example of build failure (trimmed):
```
gcc -I/home/jenkins/workspace/bind9-multiconfig-master/34e98e4d -I../../.. -I/home/jenkins/workspace/bind9-multiconfig-master/34e98e4d/lib/dns/include -I../../../lib/dns/include -I/home/jenkins/workspace/bind9-multiconfig-master/34e98e4d/lib/isc/include -I../../../lib/isc -I../../../lib/isc/include -I../../../lib/isc/unix/include -I../../../lib/isc/pthreads/include -I../../../lib/isc/x86_32/include -I/home/jenkins/workspace/bind9-multiconfig-master/34e98e4d/lib/isccfg/include -I../../../lib/isccfg/include -I/usr/include -I/home/jenkins/opt/atf/include -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DNS_HOOKS_ENABLE=1 -D_GNU_SOURCE -DNS_HOOKS_ENABLE=1 -g -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing -fno-delete-null-pointer-checks -Wshadow -Werror -L/home/jenkins/opt/fstrm/lib -o backtrace_test_nosymtbl \
./backtrace_test.c ../../../lib/isc/libisc.a -L/usr/lib -lcrypto -ldl -lprotobuf-c -lfstrm -ldl -lz -ljson-c -llmdb -lxml2
../../../lib/isc/libisc.a(result.o): In function `initialize':
/home/jenkins/workspace/bind9-multiconfig-master/34e98e4d/lib/isc/result.c:247: undefined reference to `pthread_once'
../../../lib/isc/libisc.a(mutex.o): In function `initialize_attr':
/home/jenkins/workspace/bind9-multiconfig-master/34e98e4d/lib/isc/pthreads/mutex.c:270: undefined reference to `pthread_mutexattr_init'
```

dnstap tests are failing in Jenkins
https://gitlab.isc.org/isc-projects/bind9/-/issues/436
Updated: 2018-08-23T18:11:47Z
Author: Curtis Blackburn

Output from the test is below.
The test fails every time it is run, but it looks like there is the possibility that it is a timing issue in the test, rather than an indication of a bug in named/dnstap itself.
```
S:dnstap:Tue Jul 24 12:43:43 PDT 2018
I:dnstap:PORTRANGE:7500 - 7599
I:dnstap:checking that named-checkconf detects error in bad-fstrm-reopen-interval.conf
I:dnstap:checking that named-checkconf detects error in bad-fstrm-set-buffer-hint-max.conf
I:dnstap:checking that named-checkconf detects error in bad-fstrm-set-buffer-hint-min.conf
I:dnstap:checking that named-checkconf detects error in bad-fstrm-set-flush-timeout-max.conf
I:dnstap:checking that named-checkconf detects error in bad-fstrm-set-flush-timeout-min.conf
I:dnstap:checking that named-checkconf detects error in bad-fstrm-set-input-queue-size-max.conf
I:dnstap:checking that named-checkconf detects error in bad-fstrm-set-input-queue-size-min.conf
I:dnstap:checking that named-checkconf detects error in bad-fstrm-set-input-queue-size-po2.conf
I:dnstap:checking that named-checkconf detects error in bad-fstrm-set-output-notify-threshold.conf
I:dnstap:checking that named-checkconf detects error in bad-fstrm-set-output-queue-size-max.conf
I:dnstap:checking that named-checkconf detects error in bad-fstrm-set-output-queue-size-min.conf
I:dnstap:checking that named-checkconf detects error in bad-fstrm-set-reopen-interval-max.conf
I:dnstap:checking that named-checkconf detects error in bad-fstrm-set-reopen-interval-min.conf
I:dnstap:checking that named-checkconf detects error in bad-size-version.conf
I:dnstap:checking that named-checkconf detects no error in good-fstrm-reopen-interval.conf
I:dnstap:checking that named-checkconf detects no error in good-fstrm-set-buffer-hint.conf
I:dnstap:checking that named-checkconf detects no error in good-fstrm-set-flush-timeout.conf
I:dnstap:checking that named-checkconf detects no error in good-fstrm-set-input-queue-size.conf
I:dnstap:checking that named-checkconf detects no error in good-fstrm-set-output-notify-threshold.conf
I:dnstap:checking that named-checkconf detects no error in good-fstrm-set-output-queue-model-mpsc.conf
I:dnstap:checking that named-checkconf detects no error in good-fstrm-set-output-queue-model-spsc.conf
I:dnstap:checking that named-checkconf detects no error in good-fstrm-set-output-queue-size.conf
I:dnstap:checking that named-checkconf detects no error in good-fstrm-set-reopen-interval.conf
I:dnstap:checking that named-checkconf detects no error in good-size-unlimited.conf
I:dnstap:checking that named-checkconf detects no error in good-size-version.conf
I:dnstap:checking initial message counts
I:dnstap:checking UDP message counts
I:dnstap:ns1 14 expected 0
I:dnstap:ns2 14 expected 2
I:dnstap:ns3 6 expected 4
I:dnstap:failed
I:dnstap:checking TCP message counts
I:dnstap:ns1 28 expected 6
I:dnstap:ns3 18 expected 6
I:dnstap:failed
I:dnstap:checking AUTH_QUERY message counts
I:dnstap:ns1 19 exepcted 2
I:dnstap:ns2 2 expected 1
I:dnstap:failed
I:dnstap:checking AUTH_RESPONSE message counts
I:dnstap:ns1 19 expected 2
I:dnstap:ns2 2 expected 1
I:dnstap:failed
I:dnstap:checking CLIENT_QUERY message counts
I:dnstap:checking CLIENT_RESPONSE message counts
I:dnstap:checking RESOLVER_QUERY message counts
I:dnstap:ns1 1 expected 0
I:dnstap:ns2 5 expected 0
I:dnstap:ns3 10 expected 3
I:dnstap:failed
I:dnstap:checking RESOLVER_RESPONSE message counts
I:dnstap:ns1 1 expected 0
I:dnstap:ns2 5 expected 0
I:dnstap:ns3 10 expected 3
I:dnstap:failed
I:dnstap:checking reopened message counts
I:dnstap:checking UDP message counts
I:dnstap:checking TCP message counts
I:dnstap:checking AUTH_QUERY message counts
I:dnstap:checking AUTH_RESPONSE message counts
I:dnstap:checking CLIENT_QUERY message counts
I:dnstap:checking CLIENT_RESPONSE message counts
I:dnstap:checking RESOLVER_QUERY message counts
I:dnstap:checking RESOLVER_RESPONSE message counts
I:dnstap:checking dnstap-read hex output
I:dnstap:failed
I:dnstap:checking unix socket message counts
I:dnstap:checking UDP message counts
I:dnstap:checking TCP message counts
I:dnstap:checking AUTH_QUERY message counts
I:dnstap:checking AUTH_RESPONSE message counts
I:dnstap:checking CLIENT_QUERY message counts
I:dnstap:checking CLIENT_RESPONSE message counts
I:dnstap:checking RESOLVER_QUERY message counts
I:dnstap:checking RESOLVER_RESPONSE message counts
I:dnstap:checking reopened unix socket message counts
I:dnstap:checking UDP message counts
I:dnstap:checking TCP message counts
I:dnstap:checking AUTH_QUERY message counts
I:dnstap:checking AUTH_RESPONSE message counts
I:dnstap:checking CLIENT_QUERY message counts
I:dnstap:checking CLIENT_RESPONSE message counts
I:dnstap:checking RESOLVER_QUERY message counts
I:dnstap:checking RESOLVER_RESPONSE message counts
I:dnstap:exit status: 7
R:dnstap:FAIL
E:dnstap:Tue Jul 24 12:43:52 PDT 2018
```

inline system test fails intermittently
https://gitlab.isc.org/isc-projects/bind9/-/issues/491
Updated: 2018-08-24T07:55:15Z
Author: Michał Kępień

https://jenkins.isc.org/view/BIND/job/bind9-master-ubuntu1604-amd64/708/testReport/junit/bind/system/inline/
```
I:inline:check 'rndc signing -nsec3param' requests are queued for zones which are not loaded (49)
I:inline:failed
```
The failing check was only added recently (see #468).
Assignee: Michał Kępień

Document how ixfr-from-differences affects inline-signed zones
https://gitlab.isc.org/isc-projects/bind9/-/issues/470
Updated: 2018-08-24T08:35:30Z
Author: Cathy Almond

In the light of issue https://gitlab.isc.org/isc-projects/bind9/issues/439 and friends, document how the global, view, zone and server named.conf configuration settings of ixfr-from-differences are applied (or not) to inline-signed zones.
(This is potentially something for the ARM, where we have documented already how ixfr-from-differences works).
Assignee: Michał Kępień

OpenSSL error logging is broken
https://gitlab.isc.org/isc-projects/bind9/-/issues/476
Updated: 2018-08-24T09:53:52Z
Author: Michał Kępień

Upon an OpenSSL failure, the first error in the OpenSSL error queue is never logged if `dst__openssl_toresult2()` or `dst__openssl_toresult3()` is used due to `toresult()` using `ERR_get_error()` rather than `ERR_peek_error()`.
Assignee: Michał Kępień