Zone resigning using BIND's auto-dnssec maintain feature does not work properly
Hi,
we are using BIND's auto-dnssec maintain combined with inline signing. Infrequently one zone (up to now it was always just one at a time) is not signed correctly, resulting in resolution failures for DNSSEC-aware servers/clients.
BIND version used:
# named -V
BIND 9.11.2-P1 <id:2c2bc60>
running on Linux x86_64 4.14.43-gentoo #3 SMP Thu May 24 12:58:31 CEST 2018
built by make with '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--libdir=/usr/lib64' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--enable-full-report' '--without-readline' '--enable-linux-caps' '--disable-filter-aaaa' '--disable-fixed-rrset' '--disable-ipv6' '--disable-rpz-nsdname' '--disable-rpz-nsip' '--disable-seccomp' '--enable-threads' '--without-dlz-bdb' '--without-dlopen' '--without-dlz-filesystem' '--without-dlz-stub' '--without-gost' '--without-gssapi' '--without-idn' '--without-libjson' '--without-dlz-ldap' '--without-dlz-mysql' '--without-dlz-odbc' '--without-dlz-postgres' '--without-lmdb' '--without-python' '--with-ecdsa' '--with-openssl=/usr' '--without-libxml2' '--with-zlib' '--with-randomdev=/dev/random' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-march=nocona -O2 -pipe' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed'
compiled by GCC 5.4.0
compiled with OpenSSL version: OpenSSL 1.0.2n 7 Dec 2017
linked to OpenSSL version: OpenSSL 1.0.2n 7 Dec 2017
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
Summary
Infrequently, BIND does not resign a zone file correctly.
Steps to reproduce
Currently I can't tell; the behaviour is infrequent and I can't reproduce it manually.
What is the current bug behavior?
BIND does not resign the zones correctly, resulting in resolution failures due to DNSSEC validation failures.
What is the expected correct behavior?
All zones should be resigned correctly and produce RRs that DNSSEC-aware resolvers can resolve.
Relevant configuration files
All zones are configured like this:
zone "dnssec.test" in {
type master;
file "master/internet/dnssec.test.zone";
auto-dnssec maintain;
inline-signing yes;
key-directory "keys/dnssec.test/";
};
Relevant logs and/or screenshots
I can't identify relevant information in the logs; I'm currently trying to forcibly reproduce the problem with a higher log level.
Possible fixes
Once a zone was not resigned properly, increasing the serial number forces a resign and the zone can be resolved correctly again.
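Because the failure is infrequent and only shows up as validation failures, a defender wants to catch an unrefreshed zone before its RRSIGs expire. The following is an added example, not code from the report or from BIND: it parses RRSIG records in presentation format (as `dig +dnssec` prints them) and flags signer zones whose earliest signature expiration is past or within a warning window, so they can be resigned with the workaround above. The sample records, the zone names other than dnssec.test, the key tags, the signature blobs and the 7-day warning window are all constructed assumptions.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample input (not real captured output): one RRSIG per line in
# presentation format. Key tags and signature blobs are made up; each record
# has a 30-day validity window, like BIND's default sig-validity-interval.
SAMPLE_RRSIGS = """\
dnssec.test. 3600 IN RRSIG SOA 13 2 3600 20180610120000 20180511120000 11111 dnssec.test. c2lnMQ==
dnssec.test. 3600 IN RRSIG NS 13 2 3600 20180610120000 20180511120000 11111 dnssec.test. c2lnMg==
other.test. 3600 IN RRSIG SOA 13 2 3600 20180705000000 20180605000000 22222 other.test. c2lnMw==
stale.test. 3600 IN RRSIG SOA 13 2 3600 20180601000000 20180502000000 33333 stale.test. c2lnNA==
"""

# owner ttl IN RRSIG type alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(\d{14})\s+(\d{14})\s+(\d+)\s+(\S+)\s+\S+$"
)


def rrsig_time(stamp):
    """RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_signatures(text, now_stamp, warn_days=7):
    """Classify each signer zone by its earliest RRSIG expiration.

    Returns {zone: (status, earliest_expiration_stamp)} with status
    'expired', 'expiring' (within warn_days) or 'ok'. Non-RRSIG lines are skipped.
    """
    now, earliest = rrsig_time(now_stamp), {}
    for line in text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if not m:
            continue
        signer, expiration = m.group(6), rrsig_time(m.group(3))
        if signer not in earliest or expiration < earliest[signer]:
            earliest[signer] = expiration
    result = {}
    for zone, exp in earliest.items():
        if exp <= now:
            status = "expired"
        elif exp - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        result[zone] = (status, exp.strftime("%Y%m%d%H%M%S"))
    return result


def zones_needing_resign(text, now_stamp, warn_days=7):
    """Zones whose signatures were not refreshed in time: candidates for the
    workaround from the report (bump the SOA serial to force a resign)."""
    return sorted(z for z, (status, _) in
                  check_signatures(text, now_stamp, warn_days).items() if status != "ok")


if __name__ == "__main__":
    for zone, (status, exp) in sorted(check_signatures(SAMPLE_RRSIGS, "20180608000000").items()):
        print(f"{zone:15} {status:9} earliest RRSIG expiry {exp}")
```

In production the input would come from `dig +dnssec` against each authoritative server, and the current time from the clock; with a 7-day window this catches a zone BIND failed to refresh well before validation starts failing.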