ISC Open Source Projects / BIND / Issue #2897
Issue created Sep 09, 2021 by Jakob Dhondt (@jdhondt)

rndc thaw does not process manually made changes to a dynamic zone

Summary

When freezing a dynamic zone with rndc freeze <zone>, manually editing the zone file and then unfreezing the zone with rndc thaw <zone>, the manual changes do not seem to be processed. E.g. when manually adding an entry, it won't be returned after unfreezing the zone when querying it with dig. If I am not misunderstanding the documentation, the following paragraph seems to suggest that manual changes to a dynamic zone should be immediately processed as described.

To make changes to a dynamic zone manually, follow these steps: first, disable dynamic updates to the zone using rndc freeze zone. This updates the zone file with the changes stored in its .jnl file. Then, edit the zone file. Finally, run rndc thaw zone to reload the changed zone and re-enable dynamic updates.

This seems to be related to issue #2186.

BIND version used

BIND 9.16.20 (Extended Support Version) <id:26db37f>
running on Linux x86_64 3.10.0-1160.25.1.el7.x86_64 #1 SMP Tue Apr 13 18:55:45 EDT 2021
built by make with '--build=x86_64-koji-linux-gnu' '--host=x86_64-koji-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/opt/named' '--bindir=/opt/named/bin' '--sbindir=/opt/named/sbin' '--sysconfdir=/etc' '--datadir=/opt/named/share' '--includedir=/opt/named/include' '--libdir=/opt/named/lib64' '--libexecdir=/opt/named/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/opt/named/share/man' '--infodir=/opt/named/share/info' '--exec-prefix=/opt/named' '--disable-static' '--enable-dnstap' '--disable-openssl-version-check' '--with-randomdev=/dev/urandom' '--with-pic' '--with-json-c' '--with-libtool' '--with-libxml2' '--without-lmdb' '--with-tuning=large' '--with-python' '--with-python-install-dir=/opt/named/usr/lib/python2.7/site-packages' '--with-docbook-xsl=/opt/named/share/sgml/docbook/xsl-stylesheets' '--includedir=/opt/named/include/bind9' 'build_alias=x86_64-koji-linux-gnu' 'host_alias=x86_64-koji-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'PKG_CONFIG_PATH=:/opt/named/lib64/pkgconfig:/opt/named/share/pkgconfig'
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-44)
compiled with OpenSSL version: OpenSSL 1.0.2k-fips  26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips  26 Jan 2017
compiled with libuv version: 1.41.0
linked to libuv version: 1.41.0
compiled with libxml2 version: 2.9.1
linked to libxml2 version: 20901
compiled with json-c version: 0.11
linked to json-c version: 0.11
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
compiled with protobuf-c version: 1.0.2
linked to protobuf-c version: 1.0.2
threads support is enabled

default paths:
  named configuration:  /etc/named.conf
  rndc configuration:   /etc/rndc.conf
  DNSSEC root key:      /etc/bind.keys
  nsupdate session key: /var/run/named/session.key
  named PID file:       /var/run/named/named.pid
  named lock file:      /var/run/named/named.lock

Steps to reproduce

  1. Have a dynamic zone with the following config and content.
zone "zone.dyn-test.rpz.switch.ch" {
        type master;
        file "dynamic/zone.dyn-test.rpz.switch.ch";
        update-policy {
                grant "zone.dyn-test.rpz.switch.ch.tsig" subdomain "zone.dyn-test.rpz.switch.ch" "ANY";
        };
        dnssec-policy "none";
};
$ORIGIN .
$TTL 300    ; 5 minutes
zone.dyn-test.rpz.switch.ch IN SOA bona.switch.ch. dns-operation.switch.ch. (
                2021073347 ; serial
                600        ; refresh (10 minutes)
                300        ; retry (5 minutes)
                604800     ; expire (1 week)
                300        ; minimum (5 minutes)
                )
            NS  bona.switch.ch.
  2. Check that dynamic updates work.
  • on a different machine that is allowed to do dynamic updates:
    nsupdate -k <tsig-key>
    > server pepsi.switch.ch
    > zone zone.dyn-test.rpz.switch.ch
    > update add test.zone.dyn-test.rpz.switch.ch 300 a 127.0.0.1
    > send
  • check for the record on the nameserver:
    $ dig test.zone.dyn-test.rpz.switch.ch @localhost +norec
    
    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> test.zone.dyn-test.rpz.switch.ch @localhost +norec
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23411
    ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;test.zone.dyn-test.rpz.switch.ch. IN	A
    
    ;; ANSWER SECTION:
    test.zone.dyn-test.rpz.switch.ch. 300 IN A	127.0.0.1
    
    ;; AUTHORITY SECTION:
    zone.dyn-test.rpz.switch.ch. 300 IN	NS	bona.switch.ch.
    
    ;; Query time: 0 msec
    ;; SERVER: ::1#53(::1)
    ;; WHEN: Thu Sep 09 11:44:51 CEST 2021
    ;; MSG SIZE  rcvd: 105
  3. Freeze the zone, manually add a record and unfreeze the zone.
  • $ rndc freeze zone.dyn-test.rpz.switch.ch
  • Zone file correctly shows the dynamically added record.
    $ cat zone.dyn-test.rpz.switch.ch
    $ORIGIN .
    $TTL 300	; 5 minutes
    zone.dyn-test.rpz.switch.ch IN SOA bona.switch.ch. dns-operation.switch.ch. (
    				2021073348 ; serial
    				600        ; refresh (10 minutes)
    				300        ; retry (5 minutes)
    				604800     ; expire (1 week)
    				300        ; minimum (5 minutes)
    				)
    			NS	bona.switch.ch.
    $ORIGIN zone.dyn-test.rpz.switch.ch.
    test			A	127.0.0.1
  • Add another record, e.g.:
    $ cat zone.dyn-test.rpz.switch.ch
    $ORIGIN .
    $TTL 300	; 5 minutes
    zone.dyn-test.rpz.switch.ch IN SOA bona.switch.ch. dns-operation.switch.ch. (
    				2021073348 ; serial
    				600        ; refresh (10 minutes)
    				300        ; retry (5 minutes)
    				604800     ; expire (1 week)
    				300        ; minimum (5 minutes)
    				)
    			NS	bona.switch.ch.
    $ORIGIN zone.dyn-test.rpz.switch.ch.
    test			A	127.0.0.1
              A 127.0.0.2
  • $ rndc thaw zone.dyn-test.rpz.switch.ch
  • Logs:
    09-Sep-2021 11:49:50.536 general: info: received control channel command 'freeze zone.dyn-test.rpz.switch.ch'
    09-Sep-2021 11:49:52.203 general: info: freezing zone 'zone.dyn-test.rpz.switch.ch/IN': success
    09-Sep-2021 11:53:06.670 general: info: received control channel command 'thaw zone.dyn-test.rpz.switch.ch'
    09-Sep-2021 11:53:06.671 general: info: thawing zone 'zone.dyn-test.rpz.switch.ch/IN': success
  4. Query the record again.
$ dig test.zone.dyn-test.rpz.switch.ch @localhost +norec

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> test.zone.dyn-test.rpz.switch.ch @localhost +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19316
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;test.zone.dyn-test.rpz.switch.ch. IN	A

;; ANSWER SECTION:
test.zone.dyn-test.rpz.switch.ch. 300 IN A	127.0.0.1

;; AUTHORITY SECTION:
zone.dyn-test.rpz.switch.ch. 300 IN	NS	bona.switch.ch.

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Sep 09 11:54:39 CEST 2021
;; MSG SIZE  rcvd: 105

What is the current bug behavior?

After executing the 4 steps above only one A record is returned.

What is the expected correct behavior?

After executing the 4 steps above I'd expect there to be two A records.

Relevant configuration files

named.conf

...
some acls
...
controls {
        inet 127.0.0.1 allow {
                127.0.0.1/32;
        } keys {
                "rndc-key";
        };
        inet ::1 allow {
                ::1/128;
        } keys {
                "rndc-key";
        };
};
dnssec-policy "test" {
        dnskey-ttl 3600;
        keys {
                csk key-directory lifetime unlimited algorithm 13;
        };
        max-zone-ttl 3600;
        parent-ds-ttl 3600;
        parent-propagation-delay 3600;
        publish-safety 3600;
        retire-safety 3600;
        signatures-refresh P1D;
        zone-propagation-delay 300;
};
logging {
        channel "switch_local" {
                file "/var/log/named/named" versions 10 size 6291456;
                severity info;
                print-time yes;
                print-severity yes;
                print-category yes;
        };
        channel "switch_other" {
                file "/var/log/named/other" versions 10 size 6291456;
                severity info;
                print-time yes;
                print-severity yes;
                print-category yes;
        };
        category "general" {
                "switch_local";
        };
        category "notify" {
                "switch_local";
        };
        category "xfer-in" {
                "switch_local";
        };
        category "xfer-out" {
                "switch_local";
        };
        category "network" {
                "switch_local";
        };
        category "dnssec" {
                "switch_local";
        };
        category "default" {
                "switch_other";
        };
};
options {
        directory "/etc/bind/zones";
        listen-on port 53 {
                "any";
        };
        listen-on-v6 port 53 {
                "any";
        };
        pid-file "/var/run/named/named.pid";
        server-id hostname;
        transfers-in 100;
        transfers-out 100;
        transfers-per-ns 10;
        version "contact dns-operation@switch.ch";
        allow-query-cache {
                "none";
        };
        check-names master warn;
        dnssec-validation no;
        ixfr-from-differences yes;
        query-source address 130.59.117.36 port 0;
        query-source-v6 address 2001:620:0:1005:21a:4aff:fede:5a port 0;
        recursion no;
        allow-transfer {
                "XFR-SWITCH";
        };
        check-integrity no;
        check-sibling no;
        notify explicit;
        notify-source 130.59.117.36;
        notify-source-v6 2001:620:0:1005:21a:4aff:fede:5a;
        transfer-source 130.59.117.36;
        transfer-source-v6 2001:620:0:1005:21a:4aff:fede:5a;
        use-alt-transfer-source no;
};
statistics-channels {
        inet 127.0.0.1 port 8053 allow {
                127.0.0.1/32;
        };
        inet ::1 port 8053 allow {
                ::1/128;
        };
};
key "rndc-key" {
        algorithm "hmac-md5";
        secret "????????????????????????";
};
...
more keys
...
key "zone.dyn-test.rpz.switch.ch.tsig" {
        algorithm "HMAC-SHA512";
        secret "????????????????????????????????????????????????????????????????????????????????????????";
};
...
more zones
...
zone "zone.dyn-test.rpz.switch.ch" {
        type master;
        file "dynamic/zone.dyn-test.rpz.switch.ch";
        update-policy {
                grant "zone.dyn-test.rpz.switch.ch.tsig" subdomain "zone.dyn-test.rpz.switch.ch" "ANY";
        };
        dnssec-policy "none";
};

I removed some parts of the config. I hope they're not relevant.

Relevant logs and/or screenshots

See above.
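An added example, not code from the report or from BIND, that turns the manual check in steps 3 and 4 into an offline comparison: it parses the edited zone file and the dig output (both embedded as constructed copies of the listings above) and reports which records of the queried name the file holds but the server did not return. It also extracts the SOA serial, which the two zone file listings above show unchanged by the edit, so a reload check can report it next to the missing record.

```python
# Added example (not from the report or from BIND): compare the edited zone file
# with what named answered after 'rndc thaw'. Both inputs are constructed copies.
ZONE_FILE = """$ORIGIN .
zone.dyn-test.rpz.switch.ch IN SOA bona.switch.ch. dns-operation.switch.ch. (
        2021073348 600 300 604800 300 )   ; serial refresh retry expire minimum
    NS  bona.switch.ch.
$ORIGIN zone.dyn-test.rpz.switch.ch.
test    A   127.0.0.1
        A   127.0.0.2
"""
DIG_OUTPUT = """;; ANSWER SECTION:
test.zone.dyn-test.rpz.switch.ch. 300 IN A  127.0.0.1
;; AUTHORITY SECTION:
zone.dyn-test.rpz.switch.ch. 300 IN NS  bona.switch.ch.
"""
def parse_zone(text):
    # Master file -> ({(owner, type, rdata)}, SOA serial); handles $ORIGIN, ';'
    # comments, '( ... )' continuation lines and blank-owner inheritance.
    origin, owner, records, serial, buf, depth = ".", None, set(), None, "", 0
    lines = [raw.split(";", 1)[0].rstrip() for raw in text.splitlines()]
    for line in filter(str.strip, lines):   # comment-free, non-blank lines
        buf = buf + " " + line.strip() if depth else line
        depth += line.count("(") - line.count(")")
        if depth:                           # still inside '( ... )'
            continue
        line, buf = buf, ""
        if line.startswith("$"):            # $ORIGIN moves the origin; $TTL adds no RR
            origin = line.split()[1] if line.startswith("$ORIGIN") else origin
            continue
        fields = line.replace("(", " ").replace(")", " ").split()
        if line[0] not in " \t":            # explicit owner; blank owner inherits
            owner = fields.pop(0)
            if not owner.endswith("."):
                owner += "." if origin == "." else "." + origin
        while fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)                   # optional TTL and class
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype == "SOA":
            serial = int(rdata[2])
        records.add((owner, rtype, " ".join(rdata)))
    return records, serial

def parse_dig_records(text):
    # Every RR dig printed (answer, authority, additional); ';' lines are skipped.
    rows = [ln.split() for ln in text.splitlines() if ln.strip() and ln[0] != ";"]
    return {(o, t, " ".join(r)) for o, _ttl, _cls, t, *r in rows}

def unserved_records(zone_text, dig_text, name, rtype):
    wanted = {r for r in parse_zone(zone_text)[0] if r[:2] == (name, rtype)}
    return wanted - parse_dig_records(dig_text)
```

On a live server the two strings would be replaced by the zone file as it reads after the edit and the output of the dig query from step 4; a non-empty result from unserved_records means the thaw did not serve everything the file contains.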

Possible fixes
