Automatic zone text file inlining replaces $INCLUDE file references with stale data
Summary
My zone files use the $INCLUDE directive a lot. For example, TLSA checksums (generated by a toolchain unrelated to named) are propagated that way.
Unfortunately, named won’t reflect changes to the $INCLUDE’d files, unless a hard reset with .jnl file deletion is carried out.
BIND version used
BIND 9.17.16 (Development Release) <id:b33f621>
running on Linux x86_64 5.12.15-arch1-1-zen2 #1 SMP PREEMPT Sun, 11 Jul 2021 10:50:03 +0000
built by make with '--prefix=/usr' '--sysconfdir=/etc' '--sbindir=/usr/bin' '--localstatedir=/var' '--disable-static' '--enable-fixed-rrset' '--enable-full-report' '--with-python=/usr/bin/python' '--with-maxminddb' '--with-openssl' '--with-libidn2' '--with-json-c' '--with-libxml2' '--with-lmdb' '--with-libtool' 'CFLAGS=-march=native -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2,-D_GLIBCXX_ASSERTIONS -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -DDIG_SIGCHASE -fcommon' 'LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now'
compiled by GCC 11.1.0
compiled with OpenSSL version: OpenSSL 1.1.1k 25 Mar 2021
linked to OpenSSL version: OpenSSL 1.1.1k 25 Mar 2021
compiled with libuv version: 1.41.0
linked to libuv version: 1.42.0
compiled with libnghttp2 version: 1.43.0
linked to libnghttp2 version: 1.44.0
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.6.0
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
geoip-directory: /usr/share/GeoIPSteps to reproduce
-
rndc freeze
…edit$INCLUDE’d files…
…increase all zones’ serials…
rndc thaw -
(0), and, on top of that:
rndc reload -
(1), and, on top of that:
systemctl restart named
What is the current bug behavior?
Changes to $INCLUDE’d files have no effect, the server just doesn’t know about the new data — even after a restart.
What is the expected correct behavior?
All zones affected by changed $INCLUDE’d files should reflect the new state already after a simple freeze → edit → thaw, not to mention a reload or a systemctl restart of the whole server.
The only way I could make the zone update happen was:
systemctl stop named
rm /var/named/*.jnl # uh oh!
systemctl start namedAfter this^^^ the zones did get updated, but … well, I would expect named to be able to stay “online” during such an update, with just a simple freeze and thaw, or, in the worst case, a reload.
Relevant configuration files
As mentioned in #2844 (closed), there are lots of them. I’ll be more than happy to post some relevant snippets upon request. (Not sure which one to pick.)
Relevant logs and/or screenshots
Something surprising are the following messages for all zones:
Aug 02 10:30:46 named[3960]: zone tmpwireless4.domain.censored/IN/loopback: zone serial (2021072733) unchanged. zone may fail to transfer to slaves.Unlike the repetitive freeze errors described in #2844 (closed), this^^^ message appears only once per zone and despite the fact that the zone serial did change. Not sure if it could be (also) in-view-related or not.