# BIND issues
https://gitlab.isc.org/isc-projects/bind9/-/issues
Updated: 2024-03-05T23:09:16Z

## #3709 Resolver hashtables don't shrink
https://gitlab.isc.org/isc-projects/bind9/-/issues/3709
Updated: 2024-03-05T23:09:16Z
Author: Ondřej Surý

After we refactored the `dns_resolver` unit from "buckets" to the common hashtable, the stored fetch contexts and counters are never deleted and the hashtables never shrink, so memory use by the resolver can only grow.

Milestone: December 2022 (9.16.36, 9.16.36-S1, 9.18.10, 9.19.8)
Assignee: Ondřej Surý

## #3708 CID 430836: Dead code in lib/dns/cache.c
https://gitlab.isc.org/isc-projects/bind9/-/issues/3708
Updated: 2022-12-08T13:19:27Z
Author: Michal Nowak

Coverity Scan claims dead code in `lib/dns/cache.c` after https://gitlab.isc.org/isc-projects/bind9/-/commit/fa275a59da0904c2ba4a473960087f6174c3ab7b#9c9f7adbbccac0f05147c2bb2344242f84185fe0_974_397:
```
*** CID 430836: Control flow issues (DEADCODE)
/lib/dns/cache.c: 406 in dns_cache_flush()
400 UNLOCK(&cache->lock);
401
402 if (dbiterator != NULL) {
403 dns_dbiterator_destroy(&dbiterator);
404 }
405 if (olddbiterator != NULL) {
>>> CID 430836: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "dns_dbiterator_destroy(&old...".
406 dns_dbiterator_destroy(&olddbiterator);
407 }
408 dns_db_detach(&olddb);
409
410 return (ISC_R_SUCCESS);
411 }
```

Milestone: December 2022 (9.16.36, 9.16.36-S1, 9.18.10, 9.19.8)
Assignee: Ondřej Surý

## #3707 named-checkzone change of behaviour in 9.16.35
https://gitlab.isc.org/isc-projects/bind9/-/issues/3707
Updated: 2022-12-21T02:37:50Z
Author: Thib D

### Summary
Hello,
Not sure this is a bug or a feature change, but since it wasn't mentioned in the changelog I believe this was not expected:
named-checkzone text output has changed in 9.16.35 (haven't tested on other new branches).
I believe this comes from this commit: https://gitlab.isc.org/isc-projects/bind9/-/commit/80e66fbd2d8a6dc581387116288f5d5c5cbcb0f6
### BIND version used
9.16.35
### Steps to reproduce
Run named-checkzone on a valid zone.
### What is the current *bug* behavior?
With 9.16.35:
```
named-checkzone example.com named.example.com
zone example.com/IN: loaded serial 2022113010
OK
zone example.com/IN: final reference detached
```
### What is the expected *correct* behavior?
With 9.16.34:
```
named-checkzone example.com named.example.com
zone example.com/IN: loaded serial 2022113010
OK
```
Not sure this line is relevant when performing a checkzone, and I'm pretty sure there are a few systems that use named-checkzone and parse its output when running checkzones.
Best regards,
Thibaud

Milestone: December 2022 (9.16.36, 9.16.36-S1, 9.18.10, 9.19.8)

## #3706 Zone transfers are not properly compressed
https://gitlab.isc.org/isc-projects/bind9/-/issues/3706
Updated: 2022-12-02T12:13:17Z
Author: Tony Finch

After !6517 there was a regression in zone transfer performance: they were not being compressed as well as before.

Milestone: December 2022 (9.16.36, 9.16.36-S1, 9.18.10, 9.19.8)
Assignee: Tony Finch

## #3702 man page dig(1): Typo in options
https://gitlab.isc.org/isc-projects/bind9/-/issues/3702
Updated: 2022-12-02T11:39:31Z
Author: Fabian P. Schmidt

In https://gitlab.isc.org/isc-projects/bind9/-/commit/ac0c2378cac7039afb8c717ca9038b1f70681ff3 a typo was introduced in the man page of dig(1) ([line 868](https://gitlab.isc.org/isc-projects/bind9/-/blob/main/doc/man/dig.1in#L868)):
> > dig +qr www.isc.org any -x 127.0.0.1 isc.org ns **+noqr**
>
> shows how dig can be used from the command line to make three lookups: an ANY query for www.isc.org, a reverse lookup of 127.0.0.1, and a query for the NS records of isc.org. A global query option
> of +qr is applied, so that dig shows the initial query it made for each lookup. The final query has a local query option of **+qr** which means that dig does not print the initial query when it looks up
> the NS records for isc.org.
The second location emphasized in bold should link to `+noqr`.
## Solution
Patch attached:
[0001-Fix-noqr-option-typo-in-dig-1-man-page.patch](/uploads/91fe65e154371b415875914efb70ec96/0001-Fix-noqr-option-typo-in-dig-1-man-page.patch)
If you would like to see this patch submitted directly as a merge request, I'd kindly request permission to create my fork of the repo on the ISC GitLab server.

Milestone: December 2022 (9.16.36, 9.16.36-S1, 9.18.10, 9.19.8)

## #3701 [question] dig command support +subnet
https://gitlab.isc.org/isc-projects/bind9/-/issues/3701
Updated: 2022-11-25T16:58:30Z
Author: Selboo

### Description
```
25-Nov-2022 23:30:32.924 running on Linux x86_64 3.10.0-1127.el7.x86_64 #1 SMP Tue Mar 31 23:36:51 UTC 2020
25-Nov-2022 23:30:32.924 built with '--prefix=/usr/local/bind-9.18.9' '--enable-largefile' '--enable-epoll' '--enable-full-report' '--disable-doh' '--enable-dnsrps-dl' '--enable-dnsrps'
25-Nov-2022 23:30:32.924 running as: named -c named.conf -fg
25-Nov-2022 23:30:32.924 compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-39)
25-Nov-2022 23:30:32.924 compiled with OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
25-Nov-2022 23:30:32.924 linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
25-Nov-2022 23:30:32.924 compiled with zlib version: 1.2.7
25-Nov-2022 23:30:32.924 linked to zlib version: 1.2.7
25-Nov-2022 23:30:32.924 ----------------------------------------------------
25-Nov-2022 23:30:32.924 BIND 9 is maintained by Internet Systems Consortium,
25-Nov-2022 23:30:32.924 Inc. (ISC), a non-profit 501(c)(3) public-benefit
25-Nov-2022 23:30:32.924 corporation. Support and training for BIND 9 are
25-Nov-2022 23:30:32.924 available at https://www.isc.org/support
```
```
# cat named.conf
... ...
... ...
options {
listen-on port 353 { any; };
listen-on-v6 port 353 { any; };
directory "/root/edns/named";
allow-query {
any;
};
allow-recursion {
any;
};
empty-zones-enable no;
pid-file "/root/edns/named/run/named.pid";
};
view "aaa" {
match-clients {
10.105.0.0/16;
};
zone "abc.com" {
type master;
file "aaa/abc.com";
};
};
view "bbb" {
match-clients {
10.106.0.0/26;
};
zone "abc.com" {
type master;
file "bbb/abc.com";
};
};
view "idc-default" {
match-clients {
any;
};
zone "abc.com" {
type master;
file "any/abc.com";
};
};
# cat named/aaa/abc.com
... ...
www 600 IN TXT aaa
# cat named/bbb/abc.com
www 600 IN TXT bbb
# cat named/ccc/abc.com
www 600 IN TXT ccc
```
dig
```
# dig @127.0.0.1 -p 353 txt.abc.com txt +subnet=10.105.2.2
; <<>> DiG 9.18.9 <<>> @127.0.0.1 -p 353 txt.abc.com txt +subnet=10.105.2.2
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7948
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 075abe1b7a9c177a010000006380ded9dc3ca0fc1bae43d4 (good)
; CLIENT-SUBNET: 10.105.2.2/32/0
;; QUESTION SECTION:
;txt.abc.com. IN TXT
;; ANSWER SECTION:
txt.abc.com. 600 IN TXT "any"
;; Query time: 1 msec
;; SERVER: 127.0.0.1#353(127.0.0.1) (UDP)
;; WHEN: Fri Nov 25 23:27:21 CST 2022
;; MSG SIZE rcvd: 99
```
### Request
I expect +subnet=10.105.2.2 to return **aaa**, but it returned any:
```
# dig @127.0.0.1 -p 353 txt.abc.com txt +subnet=10.105.2.2
any
```
I expect +subnet=10.106.3.3 to return **bbb**, but it returned any:
```
# dig @127.0.0.1 -p 353 txt.abc.com txt +subnet=10.106.3.3
any
```
How do I change named.conf?
### Links / references

## #3700 consider deprecating "dialup" option
https://gitlab.isc.org/isc-projects/bind9/-/issues/3700
Updated: 2023-08-04T09:42:20Z
Author: Petr Špaček <pspacek@isc.org>

It is unclear if the [dialup](https://bind9.readthedocs.io/en/v9_19_7/reference.html#namedconf-statement-dialup) statement is useful in practice, and at the same time it adds a fair amount of logic to zone refresh/notify handling.
Consider the fun of finding out how the following flags interact:
`lib/dns/zone.c`:
```c
void
dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup) {
	REQUIRE(DNS_ZONE_VALID(zone));

	LOCK_ZONE(zone);
	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DIALNOTIFY |
				       DNS_ZONEFLG_DIALREFRESH |
				       DNS_ZONEFLG_NOREFRESH);
	switch (dialup) {
	case dns_dialuptype_no:
		break;
	case dns_dialuptype_yes:
		DNS_ZONE_SETFLAG(zone, (DNS_ZONEFLG_DIALNOTIFY |
					DNS_ZONEFLG_DIALREFRESH |
					DNS_ZONEFLG_NOREFRESH));
		break;
	case dns_dialuptype_notify:
		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY);
		break;
	case dns_dialuptype_notifypassive:
		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY);
		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
		break;
	case dns_dialuptype_refresh:
		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALREFRESH);
		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
		break;
	case dns_dialuptype_passive:
		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
		break;
	default:
		UNREACHABLE();
	}
	UNLOCK_ZONE(zone);
}
```

Milestone: August 2023 (9.16.43, 9.16.43-S1, 9.18.18, 9.18.18-S1, 9.19.16)

## #3697 Reject zones with DS records not at delegations
https://gitlab.isc.org/isc-projects/bind9/-/issues/3697
Updated: 2022-12-08T12:56:43Z
Author: Mark Andrews

DS records only make sense at delegations. DS records elsewhere in the zone will invariably be there in error.
See #3621

Milestone: December 2022 (9.16.36, 9.16.36-S1, 9.18.10, 9.19.8)
Assignee: Ondřej Surý

## #3696 Calling isc_nm_read_stop() doesn't stop readcbs already in progress
https://gitlab.isc.org/isc-projects/bind9/-/issues/3696
Updated: 2022-12-02T11:33:13Z
Author: Ondřej Surý

When `isc_nm_read_stop()` is called, it doesn't stop the read callbacks already scheduled on the worker->loop.
This breaks the "promise", as the parent may have already destroyed the object (etc...).
This needs to be fixed before 9.20...

Milestone: December 2022 (9.16.36, 9.16.36-S1, 9.18.10, 9.19.8)
Assignee: Ondřej Surý

## #3694 Deprecate setting alternate transfer source
https://gitlab.isc.org/isc-projects/bind9/-/issues/3694
Updated: 2022-12-02T12:56:00Z
Author: Matthijs Mekking <matthijs@isc.org>

This was an undocumented BIND 8 feature that was ported to BIND 9 in the early days. But there is no good use case for it.
See #3714 for the corresponding option removal issue.

Milestone: December 2022 (9.16.36, 9.16.36-S1, 9.18.10, 9.19.8)
Assignee: Matthijs Mekking <matthijs@isc.org>

## #3693 crash when restarting server with active statschannel connection
https://gitlab.isc.org/isc-projects/bind9/-/issues/3693
Updated: 2022-12-02T11:34:37Z
Author: Ondřej Surý

### Summary
### BIND version used
- ~"Affects v9.19" : 9128e540f096c915846037c4db41824692513abf
- ~"Affects v9.18" : v9_18_9 is also affected
### Steps to reproduce
1. Start named
2. $ telnet ::1 8080
3. SIGINT the server
4. Enjoy fireworks
### What is the current *bug* behavior?
Crash on assertion:
```
httpd.c:902: REQUIRE(httpd->readhandle == handle) failed, back trace
```
### What is the expected *correct* behavior?
Does not crash.
### Relevant configuration files
```
statistics-channels {
inet ::1 port 8080;
};
```

Milestone: December 2022 (9.16.36, 9.16.36-S1, 9.18.10, 9.19.8)
Assignee: Ondřej Surý

## #3692 [Feature request] DNST & TLSADOT RRTYPES
https://gitlab.isc.org/isc-projects/bind9/-/issues/3692
Updated: 2022-11-23T11:11:36Z
Author: HLFH

### Description
The original DNS over TLS (RFC7858) and DNS over HTTPS (RFC8484) specifications were limited to client-to-resolver traffic. The remaining privacy component is recursive-to-authoritative servers. This [Internet Draft](https://datatracker.ietf.org/doc/html/draft-dickson-dprive-adot-auth-06) is designed to provide a solution to this problem.
### Request
Therefore, it would be great to support the DNST & TLSADOT RRTYPES.
### Links / references
[Internet Draft](https://datatracker.ietf.org/doc/html/draft-dickson-dprive-adot-auth-06)

## #3690 Provide Copr builds for EPEL9
https://gitlab.isc.org/isc-projects/bind9/-/issues/3690
Updated: 2022-12-13T17:47:04Z
Author: DerEnderKeks

### Description
I'd like to be able to use the Copr repo of bind on RHEL9 based systems, but currently only EPEL7 and 8 are available. Providing EPEL9 builds would allow that.
### Request
Please provide EPEL9 Copr builds.
### Links / references
https://copr.fedorainfracloud.org/coprs/isc/bind/

Milestone: December 2022 (9.16.36, 9.16.36-S1, 9.18.10, 9.19.8)
Assignee: Michal Nowak

## #3686 Remove dynamic update DNSSEC management
https://gitlab.isc.org/isc-projects/bind9/-/issues/3686
Updated: 2023-07-18T13:39:29Z
Author: Matthijs Mekking <matthijs@isc.org>

In Porto we discussed DNSSEC multi-signer models. One of the issues is that DNSSEC-related dynamic updates trigger key management operations, because in the multi-signer model we have to deal with DNSKEY records that are not under our control. Therefore, trying to activate them leads to buggy corner cases and inappropriate log messages.
We decided those are no longer needed because DNSSEC management needs to be done via `dnssec-policy`. Thus when adding or removing a `DNSKEY` via dynamic update, we do still change the publication, but we no longer walk through the set of keys to mark them active or inactive.
Also deprecate the feature of NSEC3 re-chaining triggered by dynamic update.

Milestone: December 2022 (9.16.36, 9.16.36-S1, 9.18.10, 9.19.8)
Assignee: Matthijs Mekking <matthijs@isc.org>

## #3684 [question] the import function doesn't want to import even though it's valid
https://gitlab.isc.org/isc-projects/bind9/-/issues/3684
Updated: 2022-11-25T16:58:38Z
Author: John

### Summary
I was following the [nixos wiki guide for acme validation with bind](https://nixos.org/manual/nixos/stable/index.html#module-security-acme-nginx) but I have a problem where bind doesn't want to read the parsed keyfile even though it has access (`-r-------- 1 named root 121 Nov 17 19:45 /var/lib/secrets/dnskeys.conf`). It's a valid file; it even works when I manually add the file where it should be.
### BIND version used
```
BIND 9.18.8 (Stable Release) <id:35f5d35>
running on Linux x86_64 5.15.75 #1-NixOS SMP Wed Oct 26 10:35:57 UTC 2022
compiled by GCC 11.3.0
compiled with OpenSSL version: OpenSSL 3.0.5 5 Jul 2022
linked to OpenSSL version: OpenSSL 3.0.5 5 Jul 2022
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with libnghttp2 version: 1.49.0
linked to libnghttp2 version: 1.49.0
compiled with libxml2 version: 2.10.2
linked to libxml2 version: 21002
compiled with zlib version: 1.2.12
linked to zlib version: 1.2.12
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /nix/store/66l82s71swz2x5pf0g2hk9mwsfipq2lk-bind-9.18.8/etc/named.conf
rndc configuration: /nix/store/66l82s71swz2x5pf0g2hk9mwsfipq2lk-bind-9.18.8/etc/rndc.conf
DNSSEC root key: /nix/store/66l82s71swz2x5pf0g2hk9mwsfipq2lk-bind-9.18.8/etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
```
### Steps to reproduce
Import the NixOS files and run it.
[nixos.zip](/uploads/a2ace3dec015ea1a6cf0eedb53cced0f/nixos.zip)
### What is the current *bug* behavior?
Launch fails.
### What is the expected *correct* behavior?
It should import the file and launch as it does if I do it manually.
### Relevant logs and/or screenshots
```
named-checkconf -px
open: /nix/store/66l82s71swz2x5pf0g2hk9mwsfipq2lk-bind-9.18.8/etc/named.conf: file not found
```
```
Nov 17 20:01:02 scw-heuristic-jennings systemd[1]: Starting BIND Domain Name Server...
Nov 17 20:01:02 scw-heuristic-jennings systemd[1]: Started BIND Domain Name Server.
Nov 17 20:01:02 scw-heuristic-jennings named[844]: starting BIND 9.18.8 (Stable Release) <id:35f5d35>
Nov 17 20:01:02 scw-heuristic-jennings named[844]: running on Linux x86_64 5.15.75 #1-NixOS SMP Wed Oct 26 10:35:57 UTC 2022
Nov 17 20:01:02 scw-heuristic-jennings named[844]: running as: named -u named -c /nix/store/p6ls6426lznn059jdf58rd7kb4kbbigi-named.conf -f
Nov 17 20:01:02 scw-heuristic-jennings named[844]: compiled by GCC 11.3.0
Nov 17 20:01:02 scw-heuristic-jennings named[844]: compiled with OpenSSL version: OpenSSL 3.0.5 5 Jul 2022
Nov 17 20:01:02 scw-heuristic-jennings named[844]: linked to OpenSSL version: OpenSSL 3.0.5 5 Jul 2022
Nov 17 20:01:02 scw-heuristic-jennings named[844]: compiled with libxml2 version: 2.10.2
Nov 17 20:01:02 scw-heuristic-jennings named[844]: linked to libxml2 version: 21002
Nov 17 20:01:02 scw-heuristic-jennings named[844]: compiled with zlib version: 1.2.12
Nov 17 20:01:02 scw-heuristic-jennings named[844]: linked to zlib version: 1.2.12
Nov 17 20:01:02 scw-heuristic-jennings named[844]: ----------------------------------------------------
Nov 17 20:01:02 scw-heuristic-jennings named[844]: BIND 9 is maintained by Internet Systems Consortium,
Nov 17 20:01:02 scw-heuristic-jennings named[844]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Nov 17 20:01:02 scw-heuristic-jennings named[844]: corporation. Support and training for BIND 9 are
Nov 17 20:01:02 scw-heuristic-jennings named[844]: available at https://www.isc.org/support
Nov 17 20:01:02 scw-heuristic-jennings named[844]: ----------------------------------------------------
Nov 17 20:01:02 scw-heuristic-jennings named[844]: adjusted limit on open files from 524288 to 1048576
Nov 17 20:01:02 scw-heuristic-jennings named[844]: found 4 CPUs, using 4 worker threads
Nov 17 20:01:02 scw-heuristic-jennings named[844]: using 4 UDP listeners per interface
Nov 17 20:01:02 scw-heuristic-jennings named[844]: DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
Nov 17 20:01:02 scw-heuristic-jennings named[844]: DS algorithms: SHA-1 SHA-256 SHA-384
Nov 17 20:01:02 scw-heuristic-jennings named[844]: HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
Nov 17 20:01:02 scw-heuristic-jennings named[844]: TKEY mode 2 support (Diffie-Hellman): yes
Nov 17 20:01:02 scw-heuristic-jennings named[844]: TKEY mode 3 support (GSS-API): yes
Nov 17 20:01:02 scw-heuristic-jennings named[844]: config.c: option 'trust-anchor-telemetry' is experimental and subject to change in the future
Nov 17 20:01:02 scw-heuristic-jennings named[844]: loading configuration from '/nix/store/p6ls6426lznn059jdf58rd7kb4kbbigi-named.conf'
Nov 17 20:01:02 scw-heuristic-jennings named[844]: /nix/store/p6ls6426lznn059jdf58rd7kb4kbbigi-named.conf:21: parsing failed: file not found
Nov 17 20:01:02 scw-heuristic-jennings named[844]: loading configuration: file not found
Nov 17 20:01:02 scw-heuristic-jennings named[844]: exiting (due to fatal error)
Nov 17 20:01:02 scw-heuristic-jennings systemd[1]: bind.service: Main process exited, code=exited, status=1/FAILURE
Nov 17 20:01:02 scw-heuristic-jennings systemd[1]: bind.service: Failed with result 'exit-code'.
```
```
include "/etc/bind/rndc.key";
controls {
    inet 127.0.0.1 allow {localhost;} keys {"rndc-key";};
};
acl cachenetworks { 127.0.0.0/24; };
acl badnetworks { };
options {
    listen-on { any; };
    listen-on-v6 { any; };
    allow-query { cachenetworks; };
    blackhole { badnetworks; };
    forward first;
    forwarders { 1.1.1.1; 8.8.8.8; };
    directory "/run/named";
    pid-file "/run/named/named.pid";
};
include "/var/lib/secrets/dnskeys.conf";
zone "bruno-neumann.com" {
    type master;
    file "/nix/store/g06fd0shizzn6mc5zdzcwwc7rxzxzam6-bruno-neumann.com.zone";
    allow-transfer {
    };
    allow-query { any; };
    allow-update { key rfc2136key.bruno-neumann.com.; };
};
```
[nixos.zip](/uploads/a2ace3dec015ea1a6cf0eedb53cced0f/nixos.zip)

## #3683 use after free in catalog zone processing
https://gitlab.isc.org/isc-projects/bind9/-/issues/3683
Updated: 2022-12-07T01:56:15Z
Author: Mark Andrews

I was in the process of adding TLS-restricted transfers to the catz system test and hadn't properly modified everything (see attached diff), and ns2 dropped core from what looks like a use-after-free error.
The end of ns2/named.run:
```
17-Nov-2022 19:11:31.886 received message from 10.53.0.1#5300
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25047
;; flags: qr aa; QUESTION: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;catalog1.example. IN IXFR
;; ANSWER SECTION:
catalog1.example. 3600 IN SOA . . 64 86400 3600 86400 3600
catalog1.example. 3600 IN SOA . . 63 86400 3600 86400 3600
catalog1.example. 3600 IN SOA . . 64 86400 3600 86400 3600
1ba056ba375209a66a2c9a0617b1df714b998112.zones.catalog1.example. 3600 IN PTR tls1.example.
catalog1.example. 3600 IN SOA . . 64 86400 3600 86400 3600
17-Nov-2022 19:11:31.886 transfer of 'catalog1.example/IN/default' from 10.53.0.1#5300: got incremental response
17-Nov-2022 19:11:31.886 writing to journal
17-Nov-2022 19:11:31.886 del catalog1.example. 3600 IN SOA . . 63 86400 3600 86400 3600
17-Nov-2022 19:11:31.886 add catalog1.example. 3600 IN SOA . . 64 86400 3600 86400 3600
17-Nov-2022 19:11:31.886 add 1ba056ba375209a66a2c9a0617b1df714b998112.zones.catalog1.example. 3600 IN PTR tls1.example.
17-Nov-2022 19:11:31.886 dns_zone_verifydb: zone catalog1.example/IN/default: enter
17-Nov-2022 19:11:31.886 catz.c:2041:dns_catz_dbupdate_callback(): fatal error:
17-Nov-2022 19:11:31.886 pthread_mutex_lock(): Invalid argument (22)
17-Nov-2022 19:11:31.886 exiting (due to fatal error in library)
```
```
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x000000019869ce28 __pthread_kill + 8
1 libsystem_pthread.dylib 0x00000001986cf43c pthread_kill + 292
2 libsystem_c.dylib 0x0000000198617454 abort + 124
3 named 0x000000010446a42c library_fatal_error + 356 (main.c:278)
4 libisc-9.19.8-dev.dylib 0x00000001049cec7c isc_error_fatal + 72 (error.c:70)
5 libdns-9.19.8-dev.dylib 0x0000000104535c6c dns_catz_dbupdate_callback + 312 (catz.c:2041)
6 libdns-9.19.8-dev.dylib 0x000000010453a37c dns_db_closeversion + 264 (db.c:412)
7 libdns-9.19.8-dev.dylib 0x00000001046b514c ixfr_commit + 164 (xfrin.c:478)
8 libdns-9.19.8-dev.dylib 0x00000001046b4b54 xfr_rr + 1444 (xfrin.c:631)
9 libdns-9.19.8-dev.dylib 0x00000001046b3f54 xfrin_recv_done + 2544 (xfrin.c:1412)
10 libisc-9.19.8-dev.dylib 0x00000001049b4420 isc__nm_async_readcb + 408 (netmgr.c:2253)
11 libisc-9.19.8-dev.dylib 0x00000001049b2180 isc__nm_readcb + 332 (netmgr.c:2226)
12 libisc-9.19.8-dev.dylib 0x00000001049bd040 isc__nm_tcpdns_processbuffer + 636 (tcpdns.c:851)
13 libisc-9.19.8-dev.dylib 0x00000001049b2da8 processbuffer + 60 (netmgr.c:1722)
14 libisc-9.19.8-dev.dylib 0x00000001049b2c6c isc__nm_process_sock_buffer + 52 (netmgr.c:1743)
15 libisc-9.19.8-dev.dylib 0x00000001049bd340 isc__nm_tcpdns_read_cb + 604 (tcpdns.c:914)
16 libuv.1.dylib 0x00000001056de570 uv__stream_io + 1020
17 libuv.1.dylib 0x00000001056e57c0 uv__io_poll + 1744
18 libuv.1.dylib 0x00000001056d5d00 uv_run + 252
19 libisc-9.19.8-dev.dylib 0x00000001049e5504 loop_run + 460 (loop.c:270)
20 libisc-9.19.8-dev.dylib 0x00000001049e3c08 loop_thread + 44 (loop.c:297)
21 libisc-9.19.8-dev.dylib 0x00000001049e3ac0 isc_loopmgr_run + 456 (loop.c:477)
22 named 0x0000000104469fc4 main + 424 (main.c:1545)
23 libdyld.dylib 0x00000001986ed430 start + 4
```
[diff](/uploads/eaa1cbd5b7f3ab504554a35d53217359/diff)

Milestone: December 2022 (9.16.36, 9.16.36-S1, 9.18.10, 9.19.8)
Assignee: Mark Andrews

## #3682 Multiple tests fail
https://gitlab.isc.org/isc-projects/bind9/-/issues/3682
Updated: 2022-11-21T10:35:56Z
Author: Jean-Christophe Manciot

### Summary
- Multiple tests fail during the build.
- Some failures (but not all) are linked to the fact that "PKCS#7 support in pyOpenSSL is deprecated. You should use the APIs ". These failures do not appear when using python3-openssl 21.0.0-1 instead of pyOpenSSL 22.1.0.
- Also, softhsm2-util is available despite some error messages in the log (do you modify the PATH variable?).
### Environment
- Ubuntu 22.10 kinetic
- Python 3.10.8 (apt)
- pytest-7.2.0 (pip3)
- softhsm2 2.6.1-2ubuntu1 (apt)
- openssl 3.0.7-1 (apt)
- pyOpenSSL 22.1.0 (pip3) --> build 1
- python3-openssl 21.0.0-1 (apt) --> build 2
### BIND version used
v9_19_6
### Steps to reproduce
```
git checkout v9_19_6
export CFLAGS+=-Wno-error
export NOCONFIGURE=yes
autoreconf -f -i
./configure \
--build=x86_64-pc-linux-gnu \
--prefix=/usr --sysconfdir=/etc/bind --localstatedir=/ \
--datarootdir=/usr/share --docdir=/usr/share/doc --mandir=/usr/share/man \
--disable-querytrace \
--enable-auto-validation \
--enable-dnstap \
--enable-fixed-rrset \
--enable-full-report \
--enable-geoip \
--enable-largefile \
--enable-linux-caps \
--enable-shared=yes \
--with-cmocka=yes \
--with-gnu-ld=yes \
--with-gssapi=/usr/bin/krb5-config \
--with-jemalloc=detect \
--with-json-c=yes \
--with-libidn2 \
--with-libxml2=yes \
--with-lmdb=auto \
--with-maxminddb=yes \
--with-openssl=/usr/lib/x86_64-linux-gnu \
--with-tuning=large \
--with-zlib=yes
make all
make doc html pdf
pip3 install -I pytest
bin/tests/system/ifconfig.sh up
make check
```
1. With the latest pyOpenSSL, this leads to:
```
...
PASS: names
FAIL: notify
PASS: nsec3
PASS: nslookup
PASS: padding
PASS: pending
PASS: redirect
PASS: rndc
PASS: rootkeysentinel
PASS: rpz
PASS: rrchecker
PASS: rrl
PASS: rrsetorder
PASS: rsabigexponent
PASS: runtime
PASS: sfcache
PASS: smartsign
PASS: sortlist
PASS: spf
PASS: staticstub
PASS: stub
PASS: synthfromdnssec
PASS: tkey
PASS: tools
PASS: transport-acl
PASS: tsig
PASS: tsiggss
PASS: ttl
PASS: unknown
PASS: verify
PASS: views
FAIL: wildcard
PASS: xferquota
PASS: zonechecks
PASS: nzd2nzf
PASS: fetchlimit
PASS: ixfr
PASS: nsupdate
PASS: resolver
PASS: statistics
PASS: upforwd
PASS: zero
FAIL: dnstap
FAIL: statschannel
PASS: xfer
PASS: reclimit
PASS: kasp
PASS: keymgr2kasp
FAIL: tcp
PASS: pipelined
FAIL: checkds
FAIL: dispatch
FAIL: rpzextra
FAIL: shutdown
FAIL: timeouts
PASS: qmin
FAIL: cookie
PASS: digdelv
PASS: dnssec
PASS: forward
PASS: chain
============================================================================
Testsuite summary for BIND 9.19.6
============================================================================
# TOTAL: 109
# PASS: 96
# SKIP: 2
# XFAIL: 0
# FAIL: 11
# XPASS: 0
# ERROR: 0
```
2. With the latest python3-openssl, this leads to:
```
PASS: names
FAIL: notify
PASS: nsec3
PASS: nslookup
PASS: padding
PASS: pending
PASS: redirect
PASS: rndc
PASS: rootkeysentinel
PASS: rpz
PASS: rrchecker
PASS: rrl
PASS: rrsetorder
PASS: rsabigexponent
PASS: runtime
PASS: sfcache
PASS: smartsign
PASS: sortlist
PASS: spf
PASS: staticstub
PASS: stub
PASS: synthfromdnssec
PASS: tkey
PASS: tools
PASS: transport-acl
PASS: tsig
PASS: tsiggss
PASS: ttl
PASS: unknown
PASS: verify
PASS: views
PASS: wildcard
PASS: xferquota
PASS: zonechecks
PASS: nzd2nzf
PASS: fetchlimit
PASS: ixfr
PASS: nsupdate
PASS: resolver
PASS: statistics
PASS: upforwd
PASS: zero
PASS: dnstap
PASS: statschannel
PASS: xfer
PASS: reclimit
PASS: kasp
PASS: keymgr2kasp
PASS: tcp
PASS: pipelined
PASS: checkds
PASS: dispatch
PASS: rpzextra
PASS: shutdown
PASS: timeouts
PASS: qmin
FAIL: cookie
PASS: digdelv
PASS: dnssec
PASS: forward
PASS: chain
============================================================================
Testsuite summary for BIND 9.19.6
============================================================================
# TOTAL: 109
# PASS: 105
# SKIP: 2
# XFAIL: 0
# FAIL: 2
# XPASS: 0
# ERROR: 0
```
### Relevant logs and/or screenshots
bin/tests/system/test-suite.log is attached as:
- [test-suite-with-pyOpenSSL.log](https://drive.google.com/file/d/16d0XdEFCG-hT3PGuMtVr3RfnCJmnCpJm/view?usp=share_link) when pyOpenSSL 22.1.0 (pip3) is used
- [test-suite-with-python3-openssl.log](https://drive.google.com/file/d/1VvTaDnZh9TK0FuxwgUqz0xX3ipUY9vnY/view?usp=share_link) when python3-openssl 21.0.0-1 (apt) is used
The complete build logs are available on demand.

## #3680 remove unused "nupdates" tracking from update code
https://gitlab.isc.org/isc-projects/bind9/-/issues/3680
Updated: 2022-12-02T11:27:14Z
Author: Petr Špaček <pspacek@isc.org>

The following [discussion](https://gitlab.isc.org/isc-private/bind9/-/merge_requests/442#note_328426) from isc-private/bind9!442 should be addressed:
@pspacek
> I have another curious question - what is purpose of `client->nupdates`? Judging by `INSIST`s I can see it can be either 0 or 1. Is it a cross-callback assert of sorts? Or does it have some other purpose as well?
@each
> It dates to commit c426fddf in 2004. It was originally a way of keeping track of whether the client was ready to shut down, alongside similar counters nreads, nrecvs, naccepts and nsends.
> We keep track of that differently now, and the counter could go away, but Witold and I overlooked it when we cleaned up its brethren in 2020. You've got a good eye.
> IMHO it's out of scope for this MR, but we can address it elsewhere.
@pspacek
> Agreed, that one is out of scope.
(for this MR)

Milestone: December 2022 (9.16.36, 9.16.36-S1, 9.18.10, 9.19.8)

## stale-serve and RPZ put in SERVFAIL cache unexpected record
https://gitlab.isc.org/isc-projects/bind9/-/issues/3678 (2023-05-30T13:33:10Z, Maksym Odinintsev)

### Summary
When I enable serve-stale and disable access to external upstream servers (recursion), I see unexpected records in the SERVFAIL cache. I see a SERVFAIL record for the names that should be rewritten by the RPZ trigger, instead of for the requested record.
### BIND version used
```
BIND 9.18.1-1ubuntu1.2-Ubuntu (Stable Release) <id:>
running on Linux x86_64 5.15.0-1022-aws #26-Ubuntu SMP Thu Oct 13 12:59:25 UTC 2022
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--disable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=yes' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/bind9-2lYtkE/bind9-9.18.1=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 11.2.0
compiled with OpenSSL version: OpenSSL 3.0.2 15 Mar 2022
linked to OpenSSL version: OpenSSL 3.0.2 15 Mar 2022
compiled with libuv version: 1.43.0
linked to libuv version: 1.43.0
compiled with libnghttp2 version: 1.43.0
linked to libnghttp2 version: 1.43.0
compiled with libxml2 version: 2.9.13
linked to libxml2 version: 20913
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.2
threads support is enabled
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
```
### Steps to reproduce
Configure a minimal BIND 9 recursive resolver with a response policy zone, and then attempt to resolve `321.test.myctl.com.`:
`dig 321.test.myctl.com A @127.0.0.1`
Filter upstreams via iptables (for example), and attempt to resolve it again; you will receive SERVFAIL:
```
; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> 321.test.myctl.com A @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20981
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 8f82c8b75e5cd86b0100000063725d504d726ced8e1e2034 (good)
;; QUESTION SECTION:
;321.test.myctl.com. IN A
;; Query time: 4999 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Mon Nov 14 15:22:56 UTC 2022
;; MSG SIZE rcvd: 75
```
Dump the named database via `rndc dumpdb` and look for the SERVFAIL cache:
```
; SERVFAIL cache
;
; test.myctl.com/A [ttl 968]
```
In named.log we can see:
```
resolver: debug 1: fetch: 321.test.myctl.com/A
resolver: debug 1: fetch: 321.test.myctl.com/A
serve-stale: info: 321.test.myctl.com resolver failure, stale answer used
serve-stale: info: test.myctl.com resolver failure, stale answer unavailable
query-errors: info: client @0x7feb441e9f48 127.0.0.1#44401 (321.test.myctl.com): query failed (SERVFAIL) for 321.test.myctl.com/IN/A at query.c:5925
serve-stale: info: 321.test.myctl.com resolver failure, stale answer used
serve-stale: info: test.myctl.com resolver failure, stale answer unavailable
query-errors: info: client @0x7feb44209ef8 127.0.0.1#48831 (321.test.myctl.com): query failed (SERVFAIL) for 321.test.myctl.com/IN/A at query.c:5925
general: info: received control channel command 'dumpdb'
general: info: dumpdb started
```
Ask the same query a second time; now we can see that it was resolved successfully:
```
; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> 321.test.myctl.com A @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31429
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: bdf9d11efa69889d0100000063725d5303f554388f84744c (good)
;; QUESTION SECTION:
;321.test.myctl.com. IN A
;; ANSWER SECTION:
321.test.myctl.com. 30 IN CNAME test.myctl.com.
test.myctl.com. 293 IN CNAME test-cname-a.myctl.com.
test-cname-a.myctl.com. 30 IN A 127.0.0.1
;; ADDITIONAL SECTION:
test.rpz.local. 1 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Mon Nov 14 15:22:59 UTC 2022
;; MSG SIZE rcvd: 205
```
In the named.log file we can see this:
```
serve-stale: info: 321.test.myctl.com query within stale refresh time, stale answer used
rpz: info: client @0x7feb441e9f48 127.0.0.1#43954 (321.test.myctl.com): rpz QNAME Local-Data rewrite test.myctl.com/A/IN via test.myctl.com.test.rpz.local
resolver: debug 1: fetch: test-cname-a.myctl.com/A
serve-stale: info: 321.test.myctl.com query within stale refresh time, stale answer used
rpz: info: client @0x7feb44209ef8 127.0.0.1#59298 (321.test.myctl.com): rpz QNAME Local-Data rewrite test.myctl.com/A/IN via test.myctl.com.test.rpz.local
resolver: debug 1: fetch: test-cname-a.myctl.com/A
serve-stale: info: test-cname-a.myctl.com resolver failure, stale answer used
serve-stale: info: test-cname-a.myctl.com resolver failure, stale answer used
```
If we disable serve-stale in the config, then we see only the queries that were actually asked in the SERVFAIL cache:
```
; SERVFAIL cache
;
; 321.test.myctl.com/A [ttl 976]
```
### What is the current *bug* behavior?
The existence of `test.myctl.com` in the SERVFAIL cache is unexpected. If the load on subdomains with RPZ and CNAMEs is pretty high, this record will almost always be present in the SERVFAIL cache, and any queries to `test.myctl.com` will fail.
### What is the expected *correct* behavior?
I'd expect SERVFAILs only for the exact requested queries, instead of something in between, or even an answer with stale data.
### Relevant configuration files
```
logging {
    channel "standard_var_log" {
        file "/var/log/named/named.log" versions 3 size 104857600;
        severity debug 1;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "query_var_log" {
        file "/var/log/named/querylog" versions 200 size 262144000;
        print-time yes;
    };
    category "default" {
        "standard_var_log";
    };
    category "lame-servers" {
        "null";
    };
    category "queries" {
        "query_var_log";
    };
};
options {
    directory "/var/cache/bind";
    listen-on-v6 {
        "any";
    };
    dnssec-validation no;
    response-policy {
        zone "test.rpz.local" max-policy-ttl 86400;
    } break-dnssec yes qname-wait-recurse no;
    stale-answer-enable yes;
    stale-answer-client-timeout off;
    stale-cache-enable yes;
};
zone "." {
    type hint;
    file "/usr/share/dns/root.hints";
};
zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};
zone "test.rpz.local" in {
    type master;
    file "/etc/bind/db.rpz.local";
    allow-query {
        "localhost";
    };
    allow-transfer {
        "localhost";
    };
    forwarders {
    };
};
zone "myctl.com" in {
    type master;
    file "/etc/bind/myctl.com.local";
    allow-query {
        "localhost";
    };
    allow-transfer {
        "localhost";
    };
    forwarders {
    };
};
```
```
# cat myctl.com.local
; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
$ORIGIN .
$TTL 86400
myctl.com               IN SOA  localhost. root.localhost. (
                                1          ; Serial
                                604800     ; Refresh
                                86400      ; Retry
                                2419200    ; Expire
                                86400 )    ; Negative Cache TTL
                        IN NS   ns-canada.topdns.com.
                        IN NS   ns-usa.topdns.com.
                        IN NS   ns-uk.topdns.com.
$ORIGIN myctl.com
test-cname-a            NS      ns-canada.topdns.com.
                        NS      ns-usa.topdns.com.
                        NS      ns-uk.topdns.com.
test                    NS      ns-canada.topdns.com.
                        NS      ns-usa.topdns.com.
                        NS      ns-uk.topdns.com.
$ORIGIN test.myctl.com
$TTL 300
*                       CNAME   test.myctl.com.
```
```
# cat db.rpz.local
; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
$TTL 900
@                       IN SOA  localhost. root.localhost. (
                                1          ; Serial
                                604800     ; Refresh
                                86400      ; Retry
                                2419200    ; Expire
                                86400 )    ; Negative Cache TTL
;
                        IN NS   localhost.
$TTL 293
test.myctl.com          CNAME   test-cname-a.myctl.com.
```

Milestone: January 2023 (9.16.37, 9.16.37-S1, 9.18.11, 9.18.11-S1, 9.19.9)
Assignee: Arаm Sаrgsyаn

## Add inline-signing to dnssec-policy
https://gitlab.isc.org/isc-projects/bind9/-/issues/3677 (2023-08-02T08:22:51Z, Matthijs Mekking matthijs@isc.org)

On the one hand I don't think "inline-signing" is really a *key and signing* policy option, so it feels misplaced.
On the other hand it is kind of cumbersome to include "inline-signing yes;" in all of your zones that use/inherit dnssec-policy.
I do believe the latter argument is a stronger one than the "it feels wrong" argument though, so I am leaning more towards adding an "inline-signing" option inside "dnssec-policy".

Milestone: August 2023 (9.16.43, 9.16.43-S1, 9.18.18, 9.18.18-S1, 9.19.16)
Assignee: Matthijs Mekking matthijs@isc.org