rndc thaw does not process manually made changes to a dynamic zone
Summary
When freezing a dynamic zone with rndc freeze <zone>, manually editing the zone file and then unfreezing the zone with rndc thaw <zone>, the manual changes do not seem to be processed. E.g. when manually adding an entry, it won't be returned when querying it with dig after unfreezing the zone. If I am not misunderstanding the documentation, the following paragraph seems to suggest that manual changes to a dynamic zone should be processed immediately, as described.
To make changes to a dynamic zone manually, follow these steps: first, disable dynamic updates to the zone using rndc freeze zone. This updates the zone file with the changes stored in its .jnl file. Then, edit the zone file. Finally, run rndc thaw zone to reload the changed zone and re-enable dynamic updates.
This seems to be related to issue #2186.
BIND version used
BIND 9.16.20 (Extended Support Version) <id:26db37f>
running on Linux x86_64 3.10.0-1160.25.1.el7.x86_64 #1 SMP Tue Apr 13 18:55:45 EDT 2021
built by make with '--build=x86_64-koji-linux-gnu' '--host=x86_64-koji-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/opt/named' '--bindir=/opt/named/bin' '--sbindir=/opt/named/sbin' '--sysconfdir=/etc' '--datadir=/opt/named/share' '--includedir=/opt/named/include' '--libdir=/opt/named/lib64' '--libexecdir=/opt/named/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/opt/named/share/man' '--infodir=/opt/named/share/info' '--exec-prefix=/opt/named' '--disable-static' '--enable-dnstap' '--disable-openssl-version-check' '--with-randomdev=/dev/urandom' '--with-pic' '--with-json-c' '--with-libtool' '--with-libxml2' '--without-lmdb' '--with-tuning=large' '--with-python' '--with-python-install-dir=/opt/named/usr/lib/python2.7/site-packages' '--with-docbook-xsl=/opt/named/share/sgml/docbook/xsl-stylesheets' '--includedir=/opt/named/include/bind9' 'build_alias=x86_64-koji-linux-gnu' 'host_alias=x86_64-koji-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'PKG_CONFIG_PATH=:/opt/named/lib64/pkgconfig:/opt/named/share/pkgconfig'
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-44)
compiled with OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
compiled with libuv version: 1.41.0
linked to libuv version: 1.41.0
compiled with libxml2 version: 2.9.1
linked to libxml2 version: 20901
compiled with json-c version: 0.11
linked to json-c version: 0.11
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
compiled with protobuf-c version: 1.0.2
linked to protobuf-c version: 1.0.2
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
Steps to reproduce
- Have a dynamic zone with the following config and content.
zone "zone.dyn-test.rpz.switch.ch" {
type master;
file "dynamic/zone.dyn-test.rpz.switch.ch";
update-policy {
grant "zone.dyn-test.rpz.switch.ch.tsig" subdomain "zone.dyn-test.rpz.switch.ch" "ANY";
};
dnssec-policy "none";
};
$ORIGIN .
$TTL 300 ; 5 minutes
zone.dyn-test.rpz.switch.ch IN SOA bona.switch.ch. dns-operation.switch.ch. (
                                2021073347 ; serial
                                600        ; refresh (10 minutes)
                                300        ; retry (5 minutes)
                                604800     ; expire (1 week)
                                300        ; minimum (5 minutes)
                                )
                        NS      bona.switch.ch.
- Check that dynamic updates work
- On a different machine that is allowed to do dynamic updates (the > lines are typed at the nsupdate prompt):
nsupdate -k <tsig-key>
> server pepsi.switch.ch
> zone zone.dyn-test.rpz.switch.ch
> update add test.zone.dyn-test.rpz.switch.ch 300 a 127.0.0.1
> send
- Check for the record on the nameserver:
$ dig test.zone.dyn-test.rpz.switch.ch @localhost +norec
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> test.zone.dyn-test.rpz.switch.ch @localhost +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23411
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;test.zone.dyn-test.rpz.switch.ch. IN A
;; ANSWER SECTION:
test.zone.dyn-test.rpz.switch.ch. 300 IN A 127.0.0.1
;; AUTHORITY SECTION:
zone.dyn-test.rpz.switch.ch. 300 IN NS bona.switch.ch.
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Sep 09 11:44:51 CEST 2021
;; MSG SIZE rcvd: 105
- Freeze the zone, manually add a record and unfreeze the zone.
$ rndc freeze zone.dyn-test.rpz.switch.ch
- Zone file correctly shows the dynamically added record.
$ cat zone.dyn-test.rpz.switch.ch
$ORIGIN .
$TTL 300 ; 5 minutes
zone.dyn-test.rpz.switch.ch IN SOA bona.switch.ch. dns-operation.switch.ch. (
                                2021073348 ; serial
                                600        ; refresh (10 minutes)
                                300        ; retry (5 minutes)
                                604800     ; expire (1 week)
                                300        ; minimum (5 minutes)
                                )
                        NS      bona.switch.ch.
$ORIGIN zone.dyn-test.rpz.switch.ch.
test                    A       127.0.0.1
- Add another record, e.g.:
$ cat zone.dyn-test.rpz.switch.ch
$ORIGIN .
$TTL 300 ; 5 minutes
zone.dyn-test.rpz.switch.ch IN SOA bona.switch.ch. dns-operation.switch.ch. (
                                2021073348 ; serial
                                600        ; refresh (10 minutes)
                                300        ; retry (5 minutes)
                                604800     ; expire (1 week)
                                300        ; minimum (5 minutes)
                                )
                        NS      bona.switch.ch.
$ORIGIN zone.dyn-test.rpz.switch.ch.
test                    A       127.0.0.1
                        A       127.0.0.2
$ rndc thaw zone.dyn-test.rpz.switch.ch
- Logs:
09-Sep-2021 11:49:50.536 general: info: received control channel command 'freeze zone.dyn-test.rpz.switch.ch'
09-Sep-2021 11:49:52.203 general: info: freezing zone 'zone.dyn-test.rpz.switch.ch/IN': success
09-Sep-2021 11:53:06.670 general: info: received control channel command 'thaw zone.dyn-test.rpz.switch.ch'
09-Sep-2021 11:53:06.671 general: info: thawing zone 'zone.dyn-test.rpz.switch.ch/IN': success
- Query the record again.
$ dig test.zone.dyn-test.rpz.switch.ch @localhost +norec
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> test.zone.dyn-test.rpz.switch.ch @localhost +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19316
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;test.zone.dyn-test.rpz.switch.ch. IN A
;; ANSWER SECTION:
test.zone.dyn-test.rpz.switch.ch. 300 IN A 127.0.0.1
;; AUTHORITY SECTION:
zone.dyn-test.rpz.switch.ch. 300 IN NS bona.switch.ch.
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Sep 09 11:54:39 CEST 2021
;; MSG SIZE rcvd: 105
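One detail worth checking in the steps above: the file dumped by rndc freeze and the hand-edited file both carry serial 2021073348, and the "thawing zone ... success" log line only reports that the control command completed. The script below is an added example (not part of this report and not BIND code) of a pre-thaw check an operator can run: it diffs the dumped file against the edited copy, lists the records that changed, and flags an edit whose SOA serial did not move. The function names, the small zone-file subset it parses and the inline copies of the two listings are assumptions of this example.

```python
"""Pre-thaw check for a hand-edited dynamic zone file.

Added example, not code from the bug report or from BIND: it compares the
zone file that `rndc freeze` dumped with the hand-edited copy, lists the
records that were added or removed, and reports whether the SOA serial was
incremented (RFC 1982 comparison).  The parser covers only the zone-file
subset used in the listings above: $ORIGIN, $TTL, ';' comments,
parenthesised multi-line records and blank-owner continuation lines.
"""

# Constructed input: the two listings from the report, the second one
# carrying the manually added blank-owner A record.
FROZEN_DUMP = """\
$ORIGIN .
$TTL 300 ; 5 minutes
zone.dyn-test.rpz.switch.ch IN SOA bona.switch.ch. dns-operation.switch.ch. (
                                2021073348 ; serial
                                600        ; refresh (10 minutes)
                                300        ; retry (5 minutes)
                                604800     ; expire (1 week)
                                300        ; minimum (5 minutes)
                                )
                        NS      bona.switch.ch.
$ORIGIN zone.dyn-test.rpz.switch.ch.
test                    A       127.0.0.1
"""
EDITED_FILE = FROZEN_DUMP + "                        A       127.0.0.2\n"

CLASSES = {"IN", "CH", "HS"}


def _logical_lines(text):
    """Drop ';' comments and join parenthesised records into single lines.

    Leading whitespace of the first physical line is kept: a record that
    starts with whitespace has a blank owner, i.e. the previous owner.
    """
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if depth == 0 and not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            out.append(" ".join(buf))
            buf = []
    return out


def parse_zone(text):
    """Return (soa_serial, set of (owner, type, rdata)) for a zone file."""
    origin, last_owner, serial, records = ".", None, None, set()
    for line in _logical_lines(text):
        stripped = line.strip()
        if stripped.startswith("$ORIGIN"):
            origin = stripped.split()[1]
            continue
        if stripped.startswith("$"):      # $TTL and other directives: ignored
            continue
        fields = line.replace("(", " ").replace(")", " ").split()
        if line[0].isspace():             # blank owner: inherit the previous one
            owner = last_owner
        else:
            owner = fields.pop(0)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = owner + "." if origin == "." else f"{owner}.{origin}"
            last_owner = owner
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)                 # optional TTL and class
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype == "SOA":
            serial = int(rdata[2])        # MNAME RNAME SERIAL REFRESH ...
            continue                      # serial is compared separately
        records.add((owner, rtype, " ".join(rdata)))
    return serial, records


def serial_gt(a, b):
    """RFC 1982 serial comparison: True if a is 'greater than' b."""
    if a is None or b is None:
        return False
    return 0 < (a - b) % (1 << 32) < (1 << 31)


def thaw_precheck(frozen_dump, edited_file):
    """Diff the frozen dump against the edited file before `rndc thaw`."""
    before_serial, before = parse_zone(frozen_dump)
    after_serial, after = parse_zone(edited_file)
    return {
        "serial_before": before_serial,
        "serial_after": after_serial,
        "serial_incremented": serial_gt(after_serial, before_serial),
        "added": sorted(after - before),
        "removed": sorted(before - after),
    }


if __name__ == "__main__":
    check = thaw_precheck(FROZEN_DUMP, EDITED_FILE)
    for rr in check["added"]:
        print("added:  ", *rr)
    for rr in check["removed"]:
        print("removed:", *rr)
    if (check["added"] or check["removed"]) and not check["serial_incremented"]:
        print(f"WARNING: records changed but the serial stayed at "
              f"{check['serial_after']}; increment it before rndc thaw")
```

On the listings from this report the check finds one added record (test A 127.0.0.2) and an unchanged serial, so it prints the warning. Whatever the primary server does on thaw, secondaries only notice a change when the serial they see via SOA query moves, so an edit that leaves the serial alone is invisible to them; comparing the file's serial with the one currently served (dig +short SOA zone.dyn-test.rpz.switch.ch @localhost) is the quickest way to confirm the reload actually picked the edited file up.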
What is the current bug behavior?
After executing the 4 steps above, only one A record is returned.
What is the expected correct behavior?
After executing the 4 steps above, I'd expect there to be two A records.
Relevant configuration files
named.conf
...
some acls
...
controls {
inet 127.0.0.1 allow {
127.0.0.1/32;
} keys {
"rndc-key";
};
inet ::1 allow {
::1/128;
} keys {
"rndc-key";
};
};
dnssec-policy "test" {
dnskey-ttl 3600;
keys {
csk key-directory lifetime unlimited algorithm 13;
};
max-zone-ttl 3600;
parent-ds-ttl 3600;
parent-propagation-delay 3600;
publish-safety 3600;
retire-safety 3600;
signatures-refresh P1D;
zone-propagation-delay 300;
};
logging {
channel "switch_local" {
file "/var/log/named/named" versions 10 size 6291456;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
channel "switch_other" {
file "/var/log/named/other" versions 10 size 6291456;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
category "general" {
"switch_local";
};
category "notify" {
"switch_local";
};
category "xfer-in" {
"switch_local";
};
category "xfer-out" {
"switch_local";
};
category "network" {
"switch_local";
};
category "dnssec" {
"switch_local";
};
category "default" {
"switch_other";
};
};
options {
directory "/etc/bind/zones";
listen-on port 53 {
"any";
};
listen-on-v6 port 53 {
"any";
};
pid-file "/var/run/named/named.pid";
server-id hostname;
transfers-in 100;
transfers-out 100;
transfers-per-ns 10;
version "contact dns-operation@switch.ch";
allow-query-cache {
"none";
};
check-names master warn;
dnssec-validation no;
ixfr-from-differences yes;
query-source address 130.59.117.36 port 0;
query-source-v6 address 2001:620:0:1005:21a:4aff:fede:5a port 0;
recursion no;
allow-transfer {
"XFR-SWITCH";
};
check-integrity no;
check-sibling no;
notify explicit;
notify-source 130.59.117.36;
notify-source-v6 2001:620:0:1005:21a:4aff:fede:5a;
transfer-source 130.59.117.36;
transfer-source-v6 2001:620:0:1005:21a:4aff:fede:5a;
use-alt-transfer-source no;
};
statistics-channels {
inet 127.0.0.1 port 8053 allow {
127.0.0.1/32;
};
inet ::1 port 8053 allow {
::1/128;
};
};
key "rndc-key" {
algorithm "hmac-md5";
secret "????????????????????????";
};
...
more keys
...
key "zone.dyn-test.rpz.switch.ch.tsig" {
algorithm "HMAC-SHA512";
secret "????????????????????????????????????????????????????????????????????????????????????????";
};
...
more zones
...
zone "zone.dyn-test.rpz.switch.ch" {
type master;
file "dynamic/zone.dyn-test.rpz.switch.ch";
update-policy {
grant "zone.dyn-test.rpz.switch.ch.tsig" subdomain "zone.dyn-test.rpz.switch.ch" "ANY";
};
dnssec-policy "none";
};
I removed some parts of the config. I hope they're not relevant.
Relevant logs and/or screenshots
See above.