"rndc status" closed with ISC_R_DUPLICATE (#1504) · Issues · ISC Open Source Projects / BIND

"rndc status" closed with ISC_R_DUPLICATE

An interesting dnssec system test failure happened on Windows for 9.11.14:

https://gitlab.isc.org/isc-private/bind9/-/jobs/473919

...
I:dnssec:check that 'rndc signing' without arguments is handled (155)
I:dnssec:check that 'rndc signing -list' without zone is handled (156)
I:dnssec:check that 'rndc signing -clear' without additional arguments is handled (157)
I:dnssec:check that 'rndc signing -clear all' without zone is handled (158)
I:dnssec:check that 'rndc signing -nsec3param' without additional arguments is handled (159)
I:dnssec:check that 'rndc signing -nsec3param none' without zone is handled (160)
I:dnssec:check that 'rndc signing -nsec3param 1' without additional arguments is handled (161)
I:dnssec:check that 'rndc signing -nsec3param 1 0' without additional arguments is handled (162)
I:dnssec:check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled (163)
I:dnssec:check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled (164)
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized,
* the key signing algorithm is incorrect, or
* the key is invalid.
I:dnssec:failed
I:dnssec:check that 'rndc signing -nsec3param' works with salt (165)
I:dnssec:check that 'rndc signing -nsec3param' works without salt (166)
I:dnssec:check that 'rndc signing -nsec3param' works with 'auto' as salt (167)
I:dnssec:check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt (168)
...

It seems to me that a TCP connection opened by an rndc status command was immediately torn down with the following log message:

12-Dec-2019 0:07:33.960 invalid command from 10.53.0.3#54441: duplicate

Apparently this log message is produced by one of the log_invalid() calls in bin/named/controlconf.c:control_recvmessage(), but I was unable to quickly determine which one it may be. Any ideas? This seems to happen rather rarely.

An interesting `dnssec` system test failure happened on Windows for 9.11.14:

- https://gitlab.isc.org/isc-private/bind9/-/jobs/473919

```
...
I:dnssec:check that 'rndc signing' without arguments is handled (155)
I:dnssec:check that 'rndc signing -list' without zone is handled (156)
I:dnssec:check that 'rndc signing -clear' without additional arguments is handled (157)
I:dnssec:check that 'rndc signing -clear all' without zone is handled (158)
I:dnssec:check that 'rndc signing -nsec3param' without additional arguments is handled (159)
I:dnssec:check that 'rndc signing -nsec3param none' without zone is handled (160)
I:dnssec:check that 'rndc signing -nsec3param 1' without additional arguments is handled (161)
I:dnssec:check that 'rndc signing -nsec3param 1 0' without additional arguments is handled (162)
I:dnssec:check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled (163)
I:dnssec:check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled (164)
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized,
* the key signing algorithm is incorrect, or
* the key is invalid.
I:dnssec:failed
I:dnssec:check that 'rndc signing -nsec3param' works with salt (165)
I:dnssec:check that 'rndc signing -nsec3param' works without salt (166)
I:dnssec:check that 'rndc signing -nsec3param' works with 'auto' as salt (167)
I:dnssec:check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt (168)
...
```

It seems to me that a TCP connection opened by an `rndc status` [command][1] was immediately torn down with the following log message:

```
12-Dec-2019 0:07:33.960 invalid command from 10.53.0.3#54441: duplicate
```

Apparently this log message is produced by one of the `log_invalid()` calls in `bin/named/controlconf.c:control_recvmessage()`, but I was unable to quickly determine which one it may be.  Any ideas?  This seems to happen rather rarely.

[1]: https://gitlab.isc.org/isc-private/bind9/blob/ea409239d52814e58c6d3761035dbc1b3a76ab87/bin/tests/system/dnssec/tests.sh#L2565

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.