signing a zone fails if the same zone file is used in several views
Summary
named fails to sign a zone if that zone is present in multiple views and uses the same source zone file.
In my example, those zones use the same dnssec-policy, but the issue also happens with distinct policies.
BIND version used
BIND 9.16.15 (Stable Release) <id:4469e3e>
running on Linux x86_64 5.12.4-arch1-2 #1 SMP PREEMPT Sat, 15 May 2021 20:58:02 +0000
built by make with '--prefix=/usr' '--sysconfdir=/etc' '--sbindir=/usr/bin' '--localstatedir=/var' '--disable-static' '--enable-fixed-rrset' '--enable-full-report' '--enable-dnsrps' '--with-python=/usr/bin/python' '--with-maxminddb' '--with-openssl' '--with-libidn2' '--with-json-c' '--with-libxml2' '--with-lmdb' '--with-libtool' 'CFLAGS=-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -DDIG_SIGCHASE -fcommon' 'LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
compiled by GCC 10.2.0
compiled with OpenSSL version: OpenSSL 1.1.1k 25 Mar 2021
linked to OpenSSL version: OpenSSL 1.1.1k 25 Mar 2021
compiled with libuv version: 1.41.0
linked to libuv version: 1.41.0
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.6.0
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
geoip-directory: /usr/share/GeoIP
Steps to reproduce
- Use the provided /etc/named.conf and /var/named/example.org.zone below for a new named config.
- Start named
- Error messages appear in the logs (see first log below)
- Increment the serial in the zone file and run rndc reload
- Another flurry of error messages appears in the logs (see second log below)
What is the current bug behavior?
Signing the zone fails and confusing error messages about a malformed transaction with mismatched serials are logged.
What is the expected correct behavior?
One of those behaviors:
- Fail to load the configuration with a helpful error message indicating that you must use a different zone file in each view, even if the content is the same (e.g. copy the zone file or make a symlink)
- Add a suffix to the generated signed zone files so that their names are distinct per view.
Relevant configuration files
named.conf
options {
directory "/var/named";
pid-file "/run/named/named.pid";
auth-nxdomain yes;
datasize default;
listen-on-v6 { any; };
allow-recursion { none; };
allow-transfer { none; };
allow-update { none; };
recursion no;
notify no;
version none;
hostname none;
server-id none;
max-cache-size 5%;
key-directory "dnssec-keys";
};
acl "guest" {
192.168.99.0/24;
};
dnssec-policy custom {
keys {
csk lifetime unlimited algorithm ecdsa256;
};
};
view "internet" {
match-clients { any; };
zone "example.org" IN {
type master;
file "example.org.zone";
dnssec-policy custom;
};
};
view "guest" {
match-clients { guest; };
zone "example.org" IN {
type master;
file "example.org.zone";
dnssec-policy custom;
};
};
logging {
channel xfer-log {
file "/var/log/named.log";
print-category yes;
print-severity yes;
print-time yes;
severity info;
};
channel default-log {
syslog daemon;
severity warning;
print-category yes;
print-severity yes;
};
category default { default-log; };
category xfer-in { xfer-log; };
category xfer-out { xfer-log; };
category notify { xfer-log; };
};
example.org.zone
@ 1D IN SOA example.org. root.example.org. (
2021051911 ; serial (yyyymmdd##)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum ttl
1D IN NS example.org.
example.org. 1D IN A 10.0.0.1
www.example.org. 1D IN A 10.0.0.1
Relevant logs and/or screenshots
Errors on first start with all the keys, .signed files and .jnl files removed:
general: error: zone example.org/IN/guest (signed): receive_secure_serial: unchanged
general: error: zone example.org/IN/internet (signed): receive_secure_serial: unchanged
general: error: malformed transaction: example.org.zone.signed.jnl last serial 2021051912 != transaction first serial 2021051911
general: error: zone example.org/IN/internet (signed): zone_rekey:dns_journal_write_transaction -> unexpected error
Errors after incrementing the zone serial and reloading:
general: error: zone example.org/IN/internet (signed): could not get zone keys for secure dynamic update
general: error: malformed transaction: example.org.zone.signed.jnl last serial 2021051913 != transaction first serial 2021051911
general: error: zone example.org/IN/internet (signed): receive_secure_serial:dns_journal_write_transaction -> unexpected error
general: error: zone example.org/IN/internet (signed): receive_secure_serial: unexpected error
general: error: malformed transaction: example.org.zone.jnl last serial 2021052100 != transaction first serial 2021051911
general: error: zone example.org/IN/guest (unsigned): ixfr-from-differences: failed: Success
general: error: malformed transaction: example.org.zone.signed.jnl last serial 2021051913 != transaction first serial 2021051911
general: error: zone example.org/IN/internet (signed): zone_rekey:dns_journal_write_transaction -> unexpected error
general: error: zone example.org/IN/guest (signed): could not get zone keys for secure dynamic update
Possible fixes
Copy the zone file or symlink it as many times as there are views using it.
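The two behaviours asked for under "What is the expected correct behavior?" (refuse a configuration where one zone file backs signed zones in several views) and the work-around under "Possible fixes" (one file per view) can both be checked ahead of time. The script below is an added example, not part of this report and not BIND's own configuration parser: it tokenizes the subset of named.conf syntax used here (comments, quoted strings, braces, semicolons), finds zones that carry dnssec-policy or inline-signing, reports any zone file shared by such zones across more than one view, and suggests a per-view file name for the copy or symlink. The embedded SAMPLE_NAMED_CONF is constructed from the report's configuration plus an extra unsigned view to show that unsigned sharing is not flagged; the function and file names are assumptions of this example.

```python
"""Pre-flight check for named.conf: flag zone files shared by signed zones in
more than one view (added example; not part of BIND or of the report)."""
import re
from collections import defaultdict

# Constructed sample based on the report's named.conf; the "plain" view is
# added to show that an unsigned zone sharing the file is not reported.
SAMPLE_NAMED_CONF = r'''
options { directory "/var/named"; key-directory "dnssec-keys"; };
acl "guest" { 192.168.99.0/24; };
dnssec-policy custom { keys { csk lifetime unlimited algorithm ecdsa256; }; };
view "internet" {
    match-clients { any; };
    zone "example.org" IN { type master; file "example.org.zone"; dnssec-policy custom; };
};
view "guest" {
    match-clients { guest; };
    zone "example.org" IN { type master; file "example.org.zone"; dnssec-policy custom; };
};
view "plain" {
    match-clients { none; };
    zone "example.org" IN { type master; file "example.org.zone"; };  // unsigned: not flagged
};
'''

_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def tokenize(text):
    """Strip /* */, // and # comments, then split into quoted strings, braces,
    semicolons and bare words (quotes are removed from strings)."""
    text = re.sub(r'/\*.*?\*/', ' ', text, flags=re.S)
    text = re.sub(r'(//|#).*', '', text)          # '.' stops at end of line
    return [t.strip('"') for t in _TOKEN.findall(text)]


def parse(tokens):
    """Return a list of (words, block) statements; block is a nested list of
    statements for '{ ... }' groups, or None for a plain 'words ;' statement."""
    stmts, stack, words = [], [], []
    stack.append(stmts)
    for tok in tokens:
        if tok == '{':
            block = []
            stack[-1].append((words, block))
            stack.append(block)
            words = []
        elif tok == '}':
            stack.pop()
        elif tok == ';':
            if words:
                stack[-1].append((words, None))
            words = []
        else:
            words.append(tok)
    return stmts


def _collect(view, zone, block, usage):
    """Record (view, zone, signed) under the zone's 'file' statement."""
    file_, signed = None, False
    for w, _ in block:
        if not w:
            continue
        if w[0] == 'file' and len(w) > 1:
            file_ = w[1]
        if w[0] in ('dnssec-policy', 'inline-signing') and w[1:] not in (['none'], ['no']):
            signed = True
    if file_:
        usage[file_].append((view, zone, signed))


def zones_by_file(conf_text):
    """Map zone file -> [(view, zone, signed), ...] over all views (and the
    default view for zones declared at top level)."""
    usage = defaultdict(list)
    for words, block in parse(tokenize(conf_text)):
        if words and words[0] == 'view' and block is not None:
            for zw, zb in block:
                if zw and zw[0] == 'zone' and zb is not None:
                    _collect(words[1], zw[1], zb, usage)
        elif words and words[0] == 'zone' and block is not None:
            _collect('_default', words[1], block, usage)
    return usage


def shared_signed_files(conf_text):
    """Return {file: [(view, zone), ...]} for files backing a signed zone in
    more than one view, the configuration this report shows failing."""
    result = {}
    for file_, uses in zones_by_file(conf_text).items():
        signed = [(v, z) for v, z, s in uses if s]
        if len({v for v, _ in signed}) > 1:
            result[file_] = sorted(signed)
    return result


def per_view_filename(file_, view):
    """Suggested distinct file name for the per-view copy or symlink."""
    return f"{file_}.{view}"


if __name__ == '__main__':
    for file_, uses in shared_signed_files(SAMPLE_NAMED_CONF).items():
        print(f"{file_}: used by signed zones in views {[v for v, _ in uses]}")
        for view, zone in uses:
            print(f"  zone {zone} view {view}: use file {per_view_filename(file_, view)}")
```

Run it against a real named.conf by reading the file into `shared_signed_files`; an empty result means no view shares a signed zone's source file. The suggested names only add a view suffix, so the `.signed` and `.jnl` files BIND derives from them also become distinct per view, which is the second expected behaviour listed above.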