rndc stops listening on public network interface
Summary
rndc can be seen listening on port 953 on the loopback and public network interfaces. Some time later, it can be seen listening only on 127.0.0.1. This has been observed with BIND 9.16.9 and 9.16.12 running on CentOS 8.
BIND version used
From ISC COPR repository
BIND 9.16.12 (Stable Release) <id:aeb943d>
running on Linux x86_64 4.18.0-240.15.1.el8_3.x86_64 #1 SMP Mon Mar 1 17:16:16 UTC 2021
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/opt/isc/isc-bind/root/usr' '--exec-prefix=/opt/isc/isc-bind/root/usr' '--bindir=/opt/isc/isc-bind/root/usr/bin' '--sbindir=/opt/isc/isc-bind/root/usr/sbin' '--sysconfdir=/etc/opt/isc/scls/isc-bind' '--datadir=/opt/isc/isc-bind/root/usr/share' '--includedir=/opt/isc/isc-bind/root/usr/include' '--libdir=/opt/isc/isc-bind/root/usr/lib64' '--libexecdir=/opt/isc/isc-bind/root/usr/libexec' '--localstatedir=/var/opt/isc/scls/isc-bind' '--sharedstatedir=/var/opt/isc/scls/isc-bind/lib' '--mandir=/opt/isc/isc-bind/root/usr/share/man' '--infodir=/opt/isc/isc-bind/root/usr/share/info' '--disable-static' '--enable-dnstap' '--with-pic' '--with-gssapi' '--with-json-c' '--with-libtool' '--with-libxml2' '--without-lmdb' '--with-python' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -L/opt/isc/isc-bind/root/usr/lib64' 'LT_SYS_LIBRARY_PATH=/usr/lib64' 'PKG_CONFIG_PATH=:/opt/isc/isc-bind/root/usr/lib64/pkgconfig:/opt/isc/isc-bind/root/usr/share/pkgconfig' 'SPHINX_BUILD=/builddir/build/BUILD/bind-9.16.12/sphinx/bin/sphinx-build'
compiled by GCC 8.3.1 20191121 (Red Hat 8.3.1-5)
compiled with OpenSSL version: OpenSSL 1.1.1g FIPS 21 Apr 2020
linked to OpenSSL version: OpenSSL 1.1.1g FIPS 21 Apr 2020
compiled with libuv version: 1.40.0
linked to libuv version: 1.40.0
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with json-c version: 0.13.1
linked to json-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.3.3
linked to protobuf-c version: 1.3.3
threads support is enabled
default paths:
named configuration: /etc/opt/isc/scls/isc-bind/named.conf
rndc configuration: /etc/opt/isc/scls/isc-bind/rndc.conf
DNSSEC root key: /etc/opt/isc/scls/isc-bind/bind.keys
nsupdate session key: /var/opt/isc/scls/isc-bind/run/named/session.key
named PID file: /var/opt/isc/scls/isc-bind/run/named/named.pid
named lock file: /var/opt/isc/scls/isc-bind/run/named/named.lock
Steps to reproduce
- Let the processes start as normal
- View listening connections with 'ss -lnt' to observe ports 53 and 953 on both loopback and public interfaces
- Wait
- Some time later 'ss -lnt' will show port 53 listening as expected, but 953 listening only on the loopback interface
- 'rndc reconfig' will cause it to begin listening again
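The steps above amount to a check that can be scripted. The following is an added example, not part of the report or of BIND: it parses 'ss -lnt' output the way a monitoring job would, classifies the control-channel state, and optionally runs the 'rndc reconfig' the report says restores the listener. The address 10.213.0.201:953 is taken from the controls statement below and is an assumption to be replaced with your own.

```shell
#!/bin/sh
# Added example (not from the report): detect the control channel dropping
# off the public interface and optionally repair it with 'rndc reconfig'.
# CONTROL_ADDR is assumed from the report's controls {} statement.
CONTROL_ADDR="10.213.0.201:953"

# listening_on LISTING ADDR:PORT
# Returns 0 if the given 'ss -lnt' output has a LISTEN row whose
# "Local Address:Port" column (field 4) equals ADDR:PORT, else 1.
listening_on() {
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 == "LISTEN" && $4 == want { found = 1 }
    END { exit found ? 0 : 1 }'
}

# control_channel_state LISTING
# Prints "ok" (public and loopback), "loopback-only" (the failure mode in
# the report) or "down" (no 953 listener at all).
control_channel_state() {
  if listening_on "$1" "$CONTROL_ADDR"; then
    echo ok
  elif listening_on "$1" "127.0.0.1:953"; then
    echo loopback-only
  else
    echo down
  fi
}

# check_and_repair: run against the live system from cron or a timer.
# Only issues 'rndc reconfig' (the workaround in the report) when REPAIR=1,
# so a plain run is read-only. Returns 0 when the public listener is up.
check_and_repair() {
  state=$(control_channel_state "$(ss -lnt)")
  echo "control channel: $state"
  if [ "$state" != ok ] && [ "${REPAIR:-0}" = 1 ]; then
    rndc reconfig
  fi
  [ "$state" = ok ]
}

# Constructed sample listings mirroring the two states in the report.
HEALTHY='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 10 10.213.0.201:53 0.0.0.0:*
LISTEN 0 10 127.0.0.1:53 0.0.0.0:*
LISTEN 0 128 10.213.0.201:953 0.0.0.0:*
LISTEN 0 128 127.0.0.1:953 0.0.0.0:*'
FAILED='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 10 10.213.0.201:53 0.0.0.0:*
LISTEN 0 10 127.0.0.1:53 0.0.0.0:*
LISTEN 0 128 127.0.0.1:953 0.0.0.0:*'

echo "sample healthy: $(control_channel_state "$HEALTHY")"
echo "sample failed:  $(control_channel_state "$FAILED")"
```

Run `check_and_repair` from a timer on the affected host; with `REPAIR=1` it applies the reconfig workaround, without it it only reports, which is the safer default while the underlying cause is still open.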
What is the current bug behavior?
Attempts to use rndc from remote hosts fail.
What is the expected correct behavior?
rndc continues listening on port 953 until the process is instructed to stop
Relevant configuration files
controls {
    inet 127.0.0.1 port 953 allow {
        127.0.0.1/32;
    } keys {
        "ns62-key";
    };
    inet 10.213.0.201 port 953 allow {
        10.203.163.72/32;
        10.204.163.70/32;
    } keys {
        "for-nsp2-to-a-us2";
        "for-nsp1-to-a-us2";
    };
};

key "for-nsp2-to-a-us2" {
    algorithm "hmac-sha256";
    secret "????????????????????????????????????????????";
};

key "for-nsp1-to-a-us2" {
    algorithm "hmac-sha256";
    secret "????????????????????????????????????????????";
};

key "ns62-key" {
    algorithm "hmac-sha256";
    secret "????????????????????????????????????????????";
};
Relevant logs and/or screenshots
As expected:
ns62:~> ss -lnt
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       10      10.213.0.201:53      0.0.0.0:*
LISTEN  0       10      10.213.0.201:53      0.0.0.0:*
LISTEN  0       10      127.0.0.1:53         0.0.0.0:*
LISTEN  0       10      127.0.0.1:53         0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     10.213.0.201:953     0.0.0.0:*
LISTEN  0       128     127.0.0.1:953        0.0.0.0:*
LISTEN  0       128     0.0.0.0:5355         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     [::]:5355            [::]:*
When failed, the following line is missing:
LISTEN  0       128     10.213.0.201:953     0.0.0.0:*