Issue #2505 (Closed)
Issue created Feb 19, 2021 by Erich Eckner@deep42thought

9.16.11 -> 9.16.12 breaks AXFR (for me)

Summary

I updated from bind 9.16.11 to 9.16.12 on Arch Linux, restarted named, and AXFR queries are now being rejected by my server.

BIND version used

BIND 9.16.12 (Stable Release) <id:aeb943d>
running on Linux x86_64 5.10.16-arch1-1 #1 SMP PREEMPT Sat, 13 Feb 2021 20:50:18 +0000
built by make with '--prefix=/usr' '--sysconfdir=/etc' '--sbindir=/usr/bin' '--localstatedir=/var' '--disable-static' '--enable-fixed-rrset' '--enable-full-report' '--enable-dnsrps' '--with-python=/usr/bin/python' '--with-maxminddb' '--with-openssl' '--with-libidn2' '--with-json-c' '--with-libxml2' '--with-lmdb' '--with-libtool' 'CFLAGS=-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -DDIG_SIGCHASE -fcommon' 'LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
compiled by GCC 10.2.0
compiled with OpenSSL version: OpenSSL 1.1.1i  8 Dec 2020
linked to OpenSSL version: OpenSSL 1.1.1j  16 Feb 2021
compiled with libuv version: 1.41.0
linked to libuv version: 1.41.0
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.0
threads support is enabled

default paths:
  named configuration:  /etc/named.conf
  rndc configuration:   /etc/rndc.conf
  DNSSEC root key:      /etc/bind.keys
  nsupdate session key: /var/run/named/session.key
  named PID file:       /var/run/named/named.pid
  named lock file:      /var/run/named/named.lock
  geoip-directory:      /usr/share/GeoIP

Steps to reproduce

It's an up-to-date Arch Linux installation with named started via systemd. The only addition to the service file is:

Restart=always
RestartSec=5
ExecStartPost=/usr/bin/bash -c 'i=10; while [ $i -gt 0 ] && ! chmod g+r /var/run/named/session.key; do i=$((i-1)); sleep 1; done; [ $i -gt 0 ]'

One peculiarity is that bind is only listening on 127.0.0.1, because for public access there is dnsdist "in front". The failure happens when I try to get a zone from my server with dig @127.0.0.1 ddns.eckner.net. AXFR.

What is the current bug behavior?

dig @127.0.0.1 ddns.eckner.net. AXFR fails with:

; <<>> DiG 9.16.12 <<>> @127.0.0.1 ddns.eckner.net AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.

What is the expected correct behavior?

When running bind version 9.16.11, I properly get the zone with the above command:

; <<>> DiG 9.16.11 <<>> @127.0.0.1 ddns.eckner.net AXFR
; (1 server found)
;; global options: +cmd
ddns.eckner.net.        86400   IN      SOA     eckner.net. ddns.eckner.net. 2023118656 28800 14400 2419200 86400
ddns.eckner.net.        86400   IN      NS      ns2.eckner.net.
ddns.eckner.net.        86400   IN      NS      ns3.eckner.net.
ddns.eckner.net.        86400   IN      NS      uz5x36jqv06q5yulzwcblfzcrk1b479xdttdm1nrgfglzs57bmctl8.free.ns.buddyns.com.
ddns.eckner.net.        86400   IN      NS      uz56xw8h7fw656bpfv84pctjbl9rbzbqrw4rpzdhtvzyltpjdmx0zq.free.ns.buddyns.com.
ddns.eckner.net.        86400   IN      NS      uz5x6wcwzfbjs8fkmkuchydn9339lf7xbxdmnp038cmyjlgg9sprr2.free.ns.buddyns.com.
ddns.eckner.net.        86400   IN      NS      uz588h0rhwuu3cc03gm9uckw0w42cqr459wn1nxrbzhym2wd81zydb.free.ns.buddyns.com.
ddns.eckner.net.        86400   IN      NS      uz5qfm8n244kn4qz8mh437w9kzvpudduwyldp5361v9n0vh8sx5ucu.free.ns.buddyns.com.
ddns.eckner.net.        86400   IN      NS      uz5w6sb91zt99b73bznfkvtd0j1snxby06gg4hr0p8uum27n0hf6cd.free.ns.buddyns.com.
ddns.eckner.net.        86400   IN      NS      uz52u1wtmumlrx5fwu6nmv22ntcddxcjjw41z8sfd6ur9n7797lrv9.free.ns.buddyns.com.
... zone data ...
ddns.eckner.net.        86400   IN      SOA     eckner.net. ddns.eckner.net. 2023118656 28800 14400 2419200 86400
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Feb 19 16:16:39 CET 2021
;; XFR size: 763 records (messages 2, bytes 19821)

Relevant configuration files

The interesting parts are probably only the options and zone "ddns.eckner.net" IN sections, but I'm not sure, so I'll post it all:

controls {
	inet 127.0.0.1 allow {
		127.0.0.1/32;
	} keys {
		"rndc-key";
	};
};
options {
	directory "/var/named";
	hostname none;
	listen-on {
		127.0.0.1/32;
	};
	listen-on-v6 {
		::1/128;
	};
	pid-file "/run/named/named.pid";
	server-id none;
	version none;
	allow-recursion {
		"any";
	};
	recursion yes;
	response-policy {
		zone "rpz";
	};
	allow-transfer {
		"none";
	};
	notify-source-v6 ::1;
};
key "rndc-key" {
	algorithm "hmac-sha256";
	secret "????????????????????????????????????????????";
};
zone "bbs" in {
	type slave;
	file "/etc/opennic/slave/bbs.zone";
	masters {
		207.192.71.13;
		168.119.153.26;
		195.201.99.61;
		2a01:4f8:c17:fa94::;
		2a01:4f8:c2c:e789::;
	};
	notify no;
};
zone "chan" in {
	type slave;
	file "/etc/opennic/slave/chan.zone";
	masters {
		94.103.153.176;
		2a02:990:219:1:ba:1337:cafe:3;
		168.119.153.26;
		195.201.99.61;
		2a01:4f8:c17:fa94::;
		2a01:4f8:c2c:e789::;
	};
	notify no;
};
zone "cyb" in {
	type slave;
	file "/etc/opennic/slave/cyb.zone";
	masters {
		79.124.7.81;
		168.119.153.26;
		195.201.99.61;
		2a01:4f8:c17:fa94::;
		2a01:4f8:c2c:e789::;
	};
	notify no;
};
zone "dns.opennic.glue" in {
	type slave;
	file "/etc/opennic/slave/dns.opennic.glue.zone";
	masters {
		168.119.153.26;
		195.201.99.61;
		2a01:4f8:c17:fa94::;
		2a01:4f8:c2c:e789::;
	};
	notify no;
};
zone "dyn" in {
	type slave;
	file "/etc/opennic/slave/dyn.zone";
	masters {
		161.97.219.84;
		2001:470:4212:10:0:100:53:10;
		168.119.153.26;
		195.201.99.61;
		2a01:4f8:c17:fa94::;
		2a01:4f8:c2c:e789::;
	};
	notify no;
};
zone "epic" in {
	type slave;
	file "/etc/opennic/slave/epic.zone";
	masters {
		144.76.103.143;
		2a01:4f8:192:43a5::2;
		168.119.153.26;
		195.201.99.61;
		2a01:4f8:c17:fa94::;
		2a01:4f8:c2c:e789::;
	};
	notify no;
};
zone "geek" in {
	type slave;
	file "/etc/opennic/slave/geek.zone";
	masters {
		161.97.219.84;
		2001:470:4212:10:0:100:53:10;
		168.119.153.26;
		195.201.99.61;
		2a01:4f8:c17:fa94::;
		2a01:4f8:c2c:e789::;
	};
	notify no;
};
zone "gopher" in {
	type slave;
	file "/etc/opennic/slave/gopher.zone";
	masters {
		161.97.219.84;
		2001:470:4212:10:0:100:53:10;
		168.119.153.26;
		195.201.99.61;
		2a01:4f8:c17:fa94::;
		2a01:4f8:c2c:e789::;
	};
	notify no;
};
zone "indy" in {
	type slave;
	file "/etc/opennic/slave/indy.zone";
	masters {
		161.97.219.84;
		2001:470:4212:10:0:100:53:10;
		168.119.153.26;
		195.201.99.61;
		2a01:4f8:c17:fa94::;
		2a01:4f8:c2c:e789::;
	};
	notify no;
};
zone "libre" in {
	type slave;
	file "/etc/opennic/slave/libre.zone";
	masters {
		161.97.219.84;
		2001:470:4212:10:0:100:53:10;
		168.119.153.26;
		195.201.99.61;
		2a01:4f8:c17:fa94::;
		2a01:4f8:c2c:e789::;
	};
	notify no;
};
zone "neo" in {
	type slave;
	file "/etc/opennic/slave/neo.zone";
	masters {
		104.168.144.17;
		2001:470:8269::53;
		168.119.153.26;
		195.201.99.61;
		2a01:4f8:c17:fa94::;
		2a01:4f8:c2c:e789::;
	};
	notify no;
};
zone "null" in {
	type slave;
	file "/etc/opennic/slave/null.zone";
	masters {
		188.226.146.136;
		2001:470:1f04:ebf::2;
		168.119.153.26;
		195.201.99.61;
		2a01:4f8:c17:fa94::;
		2a01:4f8:c2c:e789::;
	};
	notify no;
};
zone "o" in {
	type slave;
	file "/etc/opennic/slave/o.zone";
	masters {
		51.75.173.177;
		168.119.153.26;
		195.201.99.61;
		2a01:4f8:c17:fa94::;
		2a01:4f8:c2c:e789::;
	};
	notify no;
};
zone "opennic.glue" in {
	type slave;
	file "/etc/opennic/slave/opennic.glue.zone";
	masters {
		168.119.153.26;
		195.201.99.61;
		2a01:4f8:c17:fa94::;
		2a01:4f8:c2c:e789::;
	};
	notify no;
};
zone "oss" in {
	type slave;
	file "/etc/opennic/slave/oss.zone";
	masters {
		161.97.219.84;
		2001:470:4212:10:0:100:53:10;
		168.119.153.26;
		195.201.99.61;
		2a01:4f8:c17:fa94::;
		2a01:4f8:c2c:e789::;
	};
	notify no;
};
zone "oz" in {
	type slave;
	file "/etc/opennic/slave/oz.zone";
	masters {
		188.226.146.136;
		2001:470:1f04:ebf::2;
		168.119.153.26;
		195.201.99.61;
		2a01:4f8:c17:fa94::;
		2a01:4f8:c2c:e789::;
	};
	notify no;
};
zone "parody" in {
	type slave;
	file "/etc/opennic/slave/parody.zone";
	masters {
		161.97.219.84;
		2001:470:4212:10:0:100:53:10;
		168.119.153.26;
		195.201.99.61;
		2a01:4f8:c17:fa94::;
		2a01:4f8:c2c:e789::;
	};
	notify no;
};
zone "pirate" in {
	type slave;
	file "/etc/opennic/slave/pirate.zone";
	masters {
		161.97.219.84;
		2001:470:4212:10:0:100:53:10;
		168.119.153.26;
		195.201.99.61;
		2a01:4f8:c17:fa94::;
		2a01:4f8:c2c:e789::;
	};
	notify no;
};
zone "rpz" {
	type master;
	file "rpz.zone";
};
zone "localhost" IN {
	type master;
	file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
	type master;
	file "127.0.0.zone";
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
	type master;
	file "localhost.ip6.zone";
};
zone "e.c.6.f.0.d.0.0.1.0.a.2.ip6.arpa" IN {
	type master;
	file "/var/named/e.c.6.f.0.d.0.0.1.0.a.2.ip6.arpa.zone";
	update-policy local;
	allow-transfer {
		127.0.0.1/32;
		10.0.1.1/32;
	};
	also-notify {
		10.0.1.1;
	};
};
zone "1.0.10.in-addr.arpa" IN {
	type master;
	file "/var/named/1.0.10.in-addr.arpa.zone";
	allow-transfer {
		127.0.0.1/32;
		10.0.1.1/32;
	};
	also-notify {
		10.0.1.1;
	};
};
zone "2.0.10.in-addr.arpa" IN {
	type master;
	file "/var/named/2.0.10.in-addr.arpa.zone";
	update-policy local;
	allow-transfer {
		127.0.0.1/32;
		10.0.1.1/32;
	};
	also-notify {
		10.0.1.1;
	};
};
zone "0.168.192.in-addr.arpa" IN {
	type master;
	file "/var/named/0.168.192.in-addr.arpa.zone";
	update-policy local;
	allow-transfer {
		127.0.0.1/32;
		10.0.1.1/32;
	};
	also-notify {
		10.0.1.1;
	};
};
zone "1.168.192.in-addr.arpa" IN {
	type master;
	file "/var/named/1.168.192.in-addr.arpa.zone";
	update-policy local;
	allow-transfer {
		127.0.0.1/32;
		10.0.1.1/32;
	};
	also-notify {
		10.0.1.1;
	};
};
zone "ddns.eckner.net" IN {
	type master;
	file "/var/named/ddns.eckner.net.zone";
	update-policy local;
	allow-transfer {
		69.65.50.192/32;
		127.0.0.1/32;
		10.0.1.1/32;
	};
	also-notify {
		10.0.1.1;
	};
};
zone "home.eckner.net" IN {
	type slave;
	file "/var/named/home.eckner.net.zone";
	masters {
		10.0.1.1;
	};
	notify no;
};

Relevant logs and/or screenshots

For the failed transfer attempt, named.run shows:

19-Feb-2021 13:56:01.276 client @0x7f37c8015028 (no-peer): allocate new client
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: TCP request
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: using view '_default'
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: request is not signed
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: recursion available
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139 (ddns.eckner.net): AXFR request
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139 (ddns.eckner.net): zone transfer setup failed
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139 (ddns.eckner.net): reset client
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: freeing client
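The named.run excerpt above, with its per-client "AXFR request" / "zone transfer setup failed" pairs, is exactly what an operator wants to watch after an upgrade like this one. The script below is an added example, not part of the report or of BIND: it groups client log lines by handle, records the outcome of each AXFR request, and flags requests from addresses outside the zone's allow-transfer list (taken from the ddns.eckner.net zone statement above). The sample lines are constructed from the excerpt; the extra 10.0.1.1 and 198.51.100.7 clients are invented for contrast.

```python
import re

# Constructed sample: the first five lines mirror the named.run excerpt in the
# report; the 10.0.1.1 and 198.51.100.7 clients are added for contrast only.
SAMPLE_LOG = """\
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: TCP request
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139 (ddns.eckner.net): AXFR request
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139 (ddns.eckner.net): zone transfer setup failed
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: reset client
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: freeing client
19-Feb-2021 13:56:02.001 client @0x7f37c8015028 10.0.1.1#40001 (ddns.eckner.net): AXFR request
19-Feb-2021 13:56:03.417 client @0x7f37c8016000 198.51.100.7#51000 (ddns.eckner.net): AXFR request
19-Feb-2021 13:56:03.417 client @0x7f37c8016000 198.51.100.7#51000 (ddns.eckner.net): zone transfer setup failed
"""

# Peers the zone statement in the posted named.conf permits (allow-transfer of ddns.eckner.net).
EXPECTED_PEERS = {"ddns.eckner.net": {"69.65.50.192", "127.0.0.1", "10.0.1.1"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<handle>@0x[0-9a-f]+) (?P<peer>\S+?)"
    r"(?: \((?P<zone>[^)]*)\))?: (?P<msg>.*)$")

def axfr_attempts(log_text):
    """One record per AXFR request: ts, peer, zone, outcome.
    Client handles are heap addresses and are reused after 'freeing client',
    so the open attempt is tracked per handle and dropped on free."""
    attempts, open_by_handle = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, msg = m["handle"], m["msg"]
        if msg == "AXFR request":
            rec = {"ts": m["ts"], "peer": m["peer"], "zone": m["zone"],
                   "outcome": "not rejected at setup"}
            attempts.append(rec)
            open_by_handle[h] = rec
        elif msg == "zone transfer setup failed" and h in open_by_handle:
            open_by_handle[h]["outcome"] = "setup failed"
        elif msg == "freeing client":
            open_by_handle.pop(h, None)
    return attempts

def unexpected_sources(attempts, expected=EXPECTED_PEERS):
    """Requests whose source address is outside the zone's allow-transfer list."""
    return [(a["peer"], a["zone"], a["outcome"]) for a in attempts
            if a["peer"].rsplit("#", 1)[0] not in expected.get(a["zone"], set())]
```

Run against a real named.run, a "setup failed" from a listed peer (as in this report) points at the server, while requests from unlisted addresses are worth a look regardless of outcome.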