9.16.11 -> 9.16.12 breaks AXFR (for me)
Summary
I updated from bind 9.16.11 to 9.16.12 on arch linux, restarted named
and AXFR queries are now being rejected by my server.
BIND version used
BIND 9.16.12 (Stable Release) <id:aeb943d>
running on Linux x86_64 5.10.16-arch1-1 #1 SMP PREEMPT Sat, 13 Feb 2021 20:50:18 +0000
built by make with '--prefix=/usr' '--sysconfdir=/etc' '--sbindir=/usr/bin' '--localstatedir=/var' '--disable-static' '--enable-fixed-rrset' '--enable-full-report' '--enable-dnsrps' '--with-python=/usr/bin/python' '--with-maxminddb' '--with-openssl' '--with-libidn2' '--with-json-c' '--with-libxml2' '--with-lmdb' '--with-libtool' 'CFLAGS=-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -DDIG_SIGCHASE -fcommon' 'LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
compiled by GCC 10.2.0
compiled with OpenSSL version: OpenSSL 1.1.1i 8 Dec 2020
linked to OpenSSL version: OpenSSL 1.1.1j 16 Feb 2021
compiled with libuv version: 1.41.0
linked to libuv version: 1.41.0
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.0
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
geoip-directory: /usr/share/GeoIP
Steps to reproduce
It's an up-to-date arch linux installation with named started via systemd. The only addition to the service file is:
Restart=always
RestartSec=5
ExecStartPost=/usr/bin/bash -c 'i=10; while [ $i -gt 0 ] && ! chmod g+r /var/run/named/session.key; do i=$((i-1)); sleep 1; done; [ $i -gt 0 ]'
One peculiarity is that bind is only listening on 127.0.0.1, because for public access there is dnsdist "in front".
The failure happens when I try to get a zone from my server with the command
dig @127.0.0.1 ddns.eckner.net. AXFR
What is the current bug behavior?
dig @127.0.0.1 ddns.eckner.net. AXFR
fails with:
; <<>> DiG 9.16.12 <<>> @127.0.0.1 ddns.eckner.net AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.
What is the expected correct behavior?
When running bind version 9.16.11, I properly get the zone with the above command:
; <<>> DiG 9.16.11 <<>> @127.0.0.1 ddns.eckner.net AXFR
; (1 server found)
;; global options: +cmd
ddns.eckner.net. 86400 IN SOA eckner.net. ddns.eckner.net. 2023118656 28800 14400 2419200 86400
ddns.eckner.net. 86400 IN NS ns2.eckner.net.
ddns.eckner.net. 86400 IN NS ns3.eckner.net.
ddns.eckner.net. 86400 IN NS uz5x36jqv06q5yulzwcblfzcrk1b479xdttdm1nrgfglzs57bmctl8.free.ns.buddyns.com.
ddns.eckner.net. 86400 IN NS uz56xw8h7fw656bpfv84pctjbl9rbzbqrw4rpzdhtvzyltpjdmx0zq.free.ns.buddyns.com.
ddns.eckner.net. 86400 IN NS uz5x6wcwzfbjs8fkmkuchydn9339lf7xbxdmnp038cmyjlgg9sprr2.free.ns.buddyns.com.
ddns.eckner.net. 86400 IN NS uz588h0rhwuu3cc03gm9uckw0w42cqr459wn1nxrbzhym2wd81zydb.free.ns.buddyns.com.
ddns.eckner.net. 86400 IN NS uz5qfm8n244kn4qz8mh437w9kzvpudduwyldp5361v9n0vh8sx5ucu.free.ns.buddyns.com.
ddns.eckner.net. 86400 IN NS uz5w6sb91zt99b73bznfkvtd0j1snxby06gg4hr0p8uum27n0hf6cd.free.ns.buddyns.com.
ddns.eckner.net. 86400 IN NS uz52u1wtmumlrx5fwu6nmv22ntcddxcjjw41z8sfd6ur9n7797lrv9.free.ns.buddyns.com.
... zone data ...
ddns.eckner.net. 86400 IN SOA eckner.net. ddns.eckner.net. 2023118656 28800 14400 2419200 86400
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Feb 19 16:16:39 CET 2021
;; XFR size: 763 records (messages 2, bytes 19821)
Relevant configuration files
The interesting parts are probably only the options and zone "ddns.eckner.net" IN sections, but I'm not sure, so I'll post all:
controls {
inet 127.0.0.1 allow {
127.0.0.1/32;
} keys {
"rndc-key";
};
};
options {
directory "/var/named";
hostname none;
listen-on {
127.0.0.1/32;
};
listen-on-v6 {
::1/128;
};
pid-file "/run/named/named.pid";
server-id none;
version none;
allow-recursion {
"any";
};
recursion yes;
response-policy {
zone "rpz";
};
allow-transfer {
"none";
};
notify-source-v6 ::1;
};
key "rndc-key" {
algorithm "hmac-sha256";
secret "????????????????????????????????????????????";
};
zone "bbs" in {
type slave;
file "/etc/opennic/slave/bbs.zone";
masters {
207.192.71.13;
168.119.153.26;
195.201.99.61;
2a01:4f8:c17:fa94::;
2a01:4f8:c2c:e789::;
};
notify no;
};
zone "chan" in {
type slave;
file "/etc/opennic/slave/chan.zone";
masters {
94.103.153.176;
2a02:990:219:1:ba:1337:cafe:3;
168.119.153.26;
195.201.99.61;
2a01:4f8:c17:fa94::;
2a01:4f8:c2c:e789::;
};
notify no;
};
zone "cyb" in {
type slave;
file "/etc/opennic/slave/cyb.zone";
masters {
79.124.7.81;
168.119.153.26;
195.201.99.61;
2a01:4f8:c17:fa94::;
2a01:4f8:c2c:e789::;
};
notify no;
};
zone "dns.opennic.glue" in {
type slave;
file "/etc/opennic/slave/dns.opennic.glue.zone";
masters {
168.119.153.26;
195.201.99.61;
2a01:4f8:c17:fa94::;
2a01:4f8:c2c:e789::;
};
notify no;
};
zone "dyn" in {
type slave;
file "/etc/opennic/slave/dyn.zone";
masters {
161.97.219.84;
2001:470:4212:10:0:100:53:10;
168.119.153.26;
195.201.99.61;
2a01:4f8:c17:fa94::;
2a01:4f8:c2c:e789::;
};
notify no;
};
zone "epic" in {
type slave;
file "/etc/opennic/slave/epic.zone";
masters {
144.76.103.143;
2a01:4f8:192:43a5::2;
168.119.153.26;
195.201.99.61;
2a01:4f8:c17:fa94::;
2a01:4f8:c2c:e789::;
};
notify no;
};
zone "geek" in {
type slave;
file "/etc/opennic/slave/geek.zone";
masters {
161.97.219.84;
2001:470:4212:10:0:100:53:10;
168.119.153.26;
195.201.99.61;
2a01:4f8:c17:fa94::;
2a01:4f8:c2c:e789::;
};
notify no;
};
zone "gopher" in {
type slave;
file "/etc/opennic/slave/gopher.zone";
masters {
161.97.219.84;
2001:470:4212:10:0:100:53:10;
168.119.153.26;
195.201.99.61;
2a01:4f8:c17:fa94::;
2a01:4f8:c2c:e789::;
};
notify no;
};
zone "indy" in {
type slave;
file "/etc/opennic/slave/indy.zone";
masters {
161.97.219.84;
2001:470:4212:10:0:100:53:10;
168.119.153.26;
195.201.99.61;
2a01:4f8:c17:fa94::;
2a01:4f8:c2c:e789::;
};
notify no;
};
zone "libre" in {
type slave;
file "/etc/opennic/slave/libre.zone";
masters {
161.97.219.84;
2001:470:4212:10:0:100:53:10;
168.119.153.26;
195.201.99.61;
2a01:4f8:c17:fa94::;
2a01:4f8:c2c:e789::;
};
notify no;
};
zone "neo" in {
type slave;
file "/etc/opennic/slave/neo.zone";
masters {
104.168.144.17;
2001:470:8269::53;
168.119.153.26;
195.201.99.61;
2a01:4f8:c17:fa94::;
2a01:4f8:c2c:e789::;
};
notify no;
};
zone "null" in {
type slave;
file "/etc/opennic/slave/null.zone";
masters {
188.226.146.136;
2001:470:1f04:ebf::2;
168.119.153.26;
195.201.99.61;
2a01:4f8:c17:fa94::;
2a01:4f8:c2c:e789::;
};
notify no;
};
zone "o" in {
type slave;
file "/etc/opennic/slave/o.zone";
masters {
51.75.173.177;
168.119.153.26;
195.201.99.61;
2a01:4f8:c17:fa94::;
2a01:4f8:c2c:e789::;
};
notify no;
};
zone "opennic.glue" in {
type slave;
file "/etc/opennic/slave/opennic.glue.zone";
masters {
168.119.153.26;
195.201.99.61;
2a01:4f8:c17:fa94::;
2a01:4f8:c2c:e789::;
};
notify no;
};
zone "oss" in {
type slave;
file "/etc/opennic/slave/oss.zone";
masters {
161.97.219.84;
2001:470:4212:10:0:100:53:10;
168.119.153.26;
195.201.99.61;
2a01:4f8:c17:fa94::;
2a01:4f8:c2c:e789::;
};
notify no;
};
zone "oz" in {
type slave;
file "/etc/opennic/slave/oz.zone";
masters {
188.226.146.136;
2001:470:1f04:ebf::2;
168.119.153.26;
195.201.99.61;
2a01:4f8:c17:fa94::;
2a01:4f8:c2c:e789::;
};
notify no;
};
zone "parody" in {
type slave;
file "/etc/opennic/slave/parody.zone";
masters {
161.97.219.84;
2001:470:4212:10:0:100:53:10;
168.119.153.26;
195.201.99.61;
2a01:4f8:c17:fa94::;
2a01:4f8:c2c:e789::;
};
notify no;
};
zone "pirate" in {
type slave;
file "/etc/opennic/slave/pirate.zone";
masters {
161.97.219.84;
2001:470:4212:10:0:100:53:10;
168.119.153.26;
195.201.99.61;
2a01:4f8:c17:fa94::;
2a01:4f8:c2c:e789::;
};
notify no;
};
zone "rpz" {
type master;
file "rpz.zone";
};
zone "localhost" IN {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "127.0.0.zone";
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
type master;
file "localhost.ip6.zone";
};
zone "e.c.6.f.0.d.0.0.1.0.a.2.ip6.arpa" IN {
type master;
file "/var/named/e.c.6.f.0.d.0.0.1.0.a.2.ip6.arpa.zone";
update-policy local;
allow-transfer {
127.0.0.1/32;
10.0.1.1/32;
};
also-notify {
10.0.1.1;
};
};
zone "1.0.10.in-addr.arpa" IN {
type master;
file "/var/named/1.0.10.in-addr.arpa.zone";
allow-transfer {
127.0.0.1/32;
10.0.1.1/32;
};
also-notify {
10.0.1.1;
};
};
zone "2.0.10.in-addr.arpa" IN {
type master;
file "/var/named/2.0.10.in-addr.arpa.zone";
update-policy local;
allow-transfer {
127.0.0.1/32;
10.0.1.1/32;
};
also-notify {
10.0.1.1;
};
};
zone "0.168.192.in-addr.arpa" IN {
type master;
file "/var/named/0.168.192.in-addr.arpa.zone";
update-policy local;
allow-transfer {
127.0.0.1/32;
10.0.1.1/32;
};
also-notify {
10.0.1.1;
};
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "/var/named/1.168.192.in-addr.arpa.zone";
update-policy local;
allow-transfer {
127.0.0.1/32;
10.0.1.1/32;
};
also-notify {
10.0.1.1;
};
};
zone "ddns.eckner.net" IN {
type master;
file "/var/named/ddns.eckner.net.zone";
update-policy local;
allow-transfer {
69.65.50.192/32;
127.0.0.1/32;
10.0.1.1/32;
};
also-notify {
10.0.1.1;
};
};
zone "home.eckner.net" IN {
type slave;
file "/var/named/home.eckner.net.zone";
masters {
10.0.1.1;
};
notify no;
};
Relevant logs and/or screenshots
For the failed transfer attempt, named.run shows:
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 (no-peer): allocate new client
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: TCP request
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: using view '_default'
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: request is not signed
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: recursion available
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139 (ddns.eckner.net): AXFR request
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139 (ddns.eckner.net): zone transfer setup failed
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139 (ddns.eckner.net): reset client
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: freeing client
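The following script is an added example and is not part of the issue above, nor of BIND's own code. It models the two things a practitioner checks when an AXFR is refused: what the configured allow-transfer ACLs should decide for a given zone and client (BIND semantics: a zone-level allow-transfer replaces the options-level one rather than merging with it; elements are evaluated in order and the first match wins; "none" matches nothing, "any" matches everything, a leading "!" turns a match into a deny; no match means deny), and which transfers named actually reported as failed in named.run. The ACL table is a hand-copied subset of the posted named.conf, the log sample is built from the posted named.run lines, and the helper names (acl_matches, transfer_allowed, failed_transfers) are this example's own. The "zone transfer setup failed" message does not by itself say which step failed, so the script only places the ACL verdict next to each failure; it does not claim the cause.

```python
import ipaddress
import re

# Constructed subset of the posted named.conf. The options-level ACL applies to
# every zone that does not carry its own allow-transfer statement.
OPTIONS_ALLOW_TRANSFER = ["none"]
ZONE_ALLOW_TRANSFER = {
    "ddns.eckner.net": ["69.65.50.192/32", "127.0.0.1/32", "10.0.1.1/32"],
    "1.0.10.in-addr.arpa": ["127.0.0.1/32", "10.0.1.1/32"],
    "home.eckner.net": None,  # slave zone without allow-transfer: inherits options
}


def acl_matches(acl, client_ip):
    """Evaluate a BIND address-match list for one client address.

    First matching element wins; 'none' never matches, 'any' always matches,
    a leading '!' negates (a negated match denies).  Exhausting the list
    without a match denies, which is BIND's default for allow-* ACLs.
    """
    ip = ipaddress.ip_address(client_ip)
    for element in acl:
        negate = element.startswith("!")
        elem = element.lstrip("!").strip()
        if elem == "none":
            matched = False
        elif elem == "any":
            matched = True
        else:
            # Mixed address families never match (v4 client vs v6 prefix).
            matched = ip in ipaddress.ip_network(elem, strict=False)
        if matched:
            return not negate
    return False


def transfer_allowed(zone, client_ip):
    """Apply the zone's own allow-transfer if present, else the options-level one."""
    acl = ZONE_ALLOW_TRANSFER.get(zone)
    if acl is None:
        acl = OPTIONS_ALLOW_TRANSFER
    return acl_matches(acl, client_ip)


# Matches the per-client lines of the posted named.run; lines without a
# client address (e.g. "(no-peer): allocate new client") are skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client @0x[0-9a-f]+ (?P<ip>[0-9a-f.:]+)#(?P<port>\d+)"
    r"(?: \((?P<zone>[^)]+)\))?: (?P<msg>.*)$"
)

# Constructed from the log lines quoted in the issue.
SAMPLE_LOG = """\
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 (no-peer): allocate new client
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: TCP request
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: request is not signed
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139 (ddns.eckner.net): AXFR request
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139 (ddns.eckner.net): zone transfer setup failed
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139 (ddns.eckner.net): reset client
"""


def failed_transfers(log_text):
    """Map (zone, client_ip) of every 'zone transfer setup failed' line to the
    ACL verdict for that pair, so config and log can be compared side by side."""
    result = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["zone"] is None:
            continue
        if m["msg"] == "zone transfer setup failed":
            result[(m["zone"], m["ip"])] = transfer_allowed(m["zone"], m["ip"])
    return result


if __name__ == "__main__":
    for (zone, ip), allowed in failed_transfers(SAMPLE_LOG).items():
        verdict = "permitted by ACL" if allowed else "denied by ACL"
        print(f"{zone} <- {ip}: setup failed in log, {verdict}")
```

Running it prints one line for the posted failure, showing that the zone-level ACL for ddns.eckner.net permits 127.0.0.1 while the log still records a setup failure; a zone that inherits the options-level "none" (home.eckner.net here) is reported as denied for every client, which is the intended effect of a global allow-transfer { none; } with per-zone exceptions.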