Skip to content

BIND 9.16, must stop named, delete .jnl files for signed zones to be updated

Summary

For a signed zone to be updated I have to stop named, delete all the "." files, update the serial number and then start named again. If I do a normal update, just update the serial number and then run "rndc reload", I got this error message "29-May-2021 13:54:52.008 general: error: zone ******.se/IN (signed): receive_secure_serial: unchanged", and the zone don't update. I have had this issue in previous versions also, now I run 9.16.16.

BIND version used

BIND 9.16.16 (Stable Release) <id:0c314d8>
running on Linux x86_64 4.18.0-305.el8.x86_64 #1 SMP Thu Apr 29 08:54:30 EDT 2021
built by make with '--prefix=/service/dns/bind-9.16.16' '--sysconfdir=/data/dns/named' '--localstatedir=/var' '--with-openssl=/service/dns/openssl' 'LDFLAGS=-ldl'
compiled by GCC 8.4.1 20200928 (Red Hat 8.4.1-1)
compiled with OpenSSL version: OpenSSL 1.1.1k  25 Mar 2021
linked to OpenSSL version: OpenSSL 1.1.1k  25 Mar 2021
compiled with libuv version: 1.23.1
linked to libuv version: 1.23.1
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled

default paths:
  named configuration:  /data/dns/named/named.conf
  rndc configuration:   /data/dns/named/rndc.conf
  DNSSEC root key:      /data/dns/named/bind.keys
  nsupdate session key: /var/run/named/session.key
  named PID file:       /var/run/named/named.pid
  named lock file:      /var/run/named/named.lock

Steps to reproduce

Update the serial number for signed zone och then do a "rndc reload"

What is the current bug behavior?

The zone doesn't update

What is the expected correct behavior?

The zone should be updated after I have changed the serial number

Relevant configuration files

I use a manually policy for signed zones, "dnssec-policy modified;"

dnssec-policy "modified" {
        keys {
                csk lifetime unlimited algorithm rsasha256 2048;
        };
};

Relevant logs and/or screenshots

"29-May-2021 13:54:52.008 general: error: zone ******.se/IN (signed): receive_secure_serial: unchanged"

Possible fixes

The workaround is to stop named, delete all "." files (.jbk, .jnl, .signed, .signed.jnl), update the serial number, start named again.

Edited by Mark Andrews
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information