Skip to content

axfr problems bind 9.17.18 under FreeBSD

Summary

Unstable zone tranfer with bind 9.17.18 under FreeBSD

BIND version used

BIND 9.17.18 (Development Release) <id:be99fc92b63ef2463cadb2f90162982ed3ed289d>
running on FreeBSD amd64 12.2-STABLE FreeBSD 12.2-STABLE stable/12-n233232-db3515d03dd ZURBAGAN
built by make with  '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr/local' '--enable-dnsrps' '--with-readline=libedit' '--with-dlz-filesystem=yes' '--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-querytrace' '--enable-tcp-fastopen' '--prefix=/usr/local' '--mandir=/usr/local/man' '--disable-silent-rules' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.2' 'build_alias=amd64-portbld-freebsd12.2' 'CC=cc' 'CFLAGS=-O2 -pipe -mtune=native  -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -Wl,-rpath,/usr/local/lib -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf' 'READLINE_CFLAGS=-L/usr/local/lib'
compiled by CLANG FreeBSD Clang 10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)
compiled with OpenSSL version: OpenSSL 1.1.1l  24 Aug 2021
linked to OpenSSL version: OpenSSL 1.1.1l  24 Aug 2021
compiled with libuv version: 1.42.0
linked to libuv version: 1.42.0
compiled with libnghttp2 version: 1.44.0
linked to libnghttp2 version: 1.44.0
compiled with libxml2 version: 2.9.12
linked to libxml2 version: 20912
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.4.0
linked to protobuf-c version: 1.4.0
threads support is enabled

default paths:
  named configuration:  /usr/local/etc/namedb/named.conf
  rndc configuration:   /usr/local/etc/namedb/rndc.conf
  DNSSEC root key:      /usr/local/etc/namedb/bind.keys
  nsupdate session key: /var/run/named/session.key
  named PID file:       /var/run/named/pid
  named lock file:      /var/run/named/named.lock

Steps to reproduce

Build bind 9.17.18 from ports (port names: bind9-devel bind-tools) under 12.2-STABLE and setup as secondary server, or do "dig axfr zone @server". Zone tranfer will fail with 20-30% probability for zone with 10K records.

What is the expected correct behavior?

100% sucessfull zone transfers

Relevant configuration files

no configuration is requred for dig

Relevant logs and/or screenshots

tcpdump of correct and failed "dig dn.ua @93.183.202.34 axfr" attached

dig dn.ua @93.183.202.34 axfr ;; ERROR: short (< header size) message

(Paste any relevant logs - please use code blocks (```) to format console output, logs, and code, as it's very hard to read otherwise.)

Possible fixes

I have added debug to isc__nm_tcpdns_processbuffer() lib/isc/netmgr/tcpdns.c

        len = ntohs(*(uint16_t *)sock->buf);
        printf("BAG *** isc__nm_tcpdns_processbuffer len=%zu sock->buf_len=%zu\n", len, sock->buf_len);
        if (len > sock->buf_len - 2) {

and found strange len zeroing. Failed case:

BAG *** isc__nm_tcpdns_processbuffer len=11076 sock->buf_len=2896
BAG *** isc__nm_tcpdns_processbuffer len=0 sock->buf_len=4344

Sucessful case:

BAG *** isc__nm_tcpdns_processbuffer len=11076 sock->buf_len=4344
BAG *** isc__nm_tcpdns_processbuffer len=11076 sock->buf_len=11078
BAG *** isc__nm_tcpdns_processbuffer len=9949 sock->buf_len=18639
BAG *** isc__nm_tcpdns_processbuffer len=9881 sock->buf_len=8688
BAG *** isc__nm_tcpdns_processbuffer len=9881 sock->buf_len=20091
BAG *** isc__nm_tcpdns_processbuffer len=10206 sock->buf_len=10208
BAG *** isc__nm_tcpdns_processbuffer len=9960 sock->buf_len=38346
BAG *** isc__nm_tcpdns_processbuffer len=9558 sock->buf_len=28384
BAG *** isc__nm_tcpdns_processbuffer len=10070 sock->buf_len=18824
BAG *** isc__nm_tcpdns_processbuffer len=10091 sock->buf_len=8752
BAG *** isc__nm_tcpdns_processbuffer len=10091 sock->buf_len=49718
BAG *** isc__nm_tcpdns_processbuffer len=10497 sock->buf_len=39625
BAG *** isc__nm_tcpdns_processbuffer len=10300 sock->buf_len=29126
BAG *** isc__nm_tcpdns_processbuffer len=10016 sock->buf_len=18824
BAG *** isc__nm_tcpdns_processbuffer len=10057 sock->buf_len=8806
BAG *** isc__nm_tcpdns_processbuffer len=10057 sock->buf_len=74342
BAG *** isc__nm_tcpdns_processbuffer len=10171 sock->buf_len=64283
BAG *** isc__nm_tcpdns_processbuffer len=10319 sock->buf_len=54110
BAG *** isc__nm_tcpdns_processbuffer len=9700 sock->buf_len=43789
BAG *** isc__nm_tcpdns_processbuffer len=9972 sock->buf_len=34087
BAG *** isc__nm_tcpdns_processbuffer len=10476 sock->buf_len=24113
BAG *** isc__nm_tcpdns_processbuffer len=13692 sock->buf_len=13635
BAG *** isc__nm_tcpdns_processbuffer len=13692 sock->buf_len=18409
BAG *** isc__nm_tcpdns_processbuffer len=4713 sock->buf_len=4715
Edited by Ondřej Surý
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information