ISC Open Source Projects / BIND / Issues / #346
Closed
Open
Created Jun 18, 2018 by Ghost User@ghost

Zone Resigning using bind's auto-dnssec maintain feature does not work properly

Hi,

We are using bind's auto-dnssec maintain combined with inline signing. Infrequently one zone (up to now it was always just one at a time) is not signed correctly, resulting in resolution failures for DNSSEC-aware servers / clients.

Bind version used:

	# named -V
	BIND 9.11.2-P1 <id:2c2bc60>
	running on Linux x86_64 4.14.43-gentoo #3 SMP Thu May 24 12:58:31 CEST 2018
	built by make with '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--libdir=/usr/lib64' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--enable-full-report' '--without-readline' '--enable-linux-caps' '--disable-filter-aaaa' '--disable-fixed-rrset' '--disable-ipv6' '--disable-rpz-nsdname' '--disable-rpz-nsip' '--disable-seccomp' '--enable-threads' '--without-dlz-bdb' '--without-dlopen' '--without-dlz-filesystem' '--without-dlz-stub' '--without-gost' '--without-gssapi' '--without-idn' '--without-libjson' '--without-dlz-ldap' '--without-dlz-mysql' '--without-dlz-odbc' '--without-dlz-postgres' '--without-lmdb' '--without-python' '--with-ecdsa' '--with-openssl=/usr' '--without-libxml2' '--with-zlib' '--with-randomdev=/dev/random' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-march=nocona -O2 -pipe' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed'
	compiled by GCC 5.4.0
	compiled with OpenSSL version: OpenSSL 1.0.2n  7 Dec 2017
	linked to OpenSSL version: OpenSSL 1.0.2n  7 Dec 2017
	compiled with zlib version: 1.2.11
	linked to zlib version: 1.2.11
	threads support is enabled

Summary

Infrequently bind does not resign a zone file correctly.

Steps to reproduce

Currently can't tell, the behaviour is infrequent and I can't reproduce the behaviour manually.

What is the current bug behavior?

Bind does not resign the zones correctly, resulting in resolution failures due to dnssec validation failures.

What is the expected correct behavior?

All zones should be resigned correctly and produce DNSSEC-aware resolvable RRs.

Relevant configuration files

All zones are configured like this:

	zone "dnssec.test" in {
		type master;
		file "master/internet/dnssec.test.zone";
		auto-dnssec maintain;
		inline-signing yes;
		key-directory "keys/dnssec.test/";
	};

Relevant logs and/or screenshots

Can't identify relevant information in the logs; I'm currently trying to forcibly reproduce the problem with a higher log level.

Possible fixes

Once a zone was not resigned properly, increasing the serial number forces a resign and the zone can be resolved correctly again.
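
Added example, not part of the original report and not ISC code: a monitoring check that could catch such a zone before resolvers start failing, by reading `dig +dnssec` answer text and flagging RRsets whose RRSIG is missing or outside its validity window. It assumes the failure shows up as missing or out-of-window signatures and does not verify the signatures cryptographically; the sample record, dates, key tag and the `check_rrsigs` name are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the format of `dig +dnssec +noall +answer dnssec.test SOA`.
# Serial, dates and key tag are made up; the signature is a placeholder string.
SAMPLE = """\
dnssec.test. 3600 IN SOA ns1.dnssec.test. hostmaster.dnssec.test. 2018061801 7200 3600 1209600 3600
dnssec.test. 3600 IN RRSIG SOA 8 2 3600 20180617120000 20180518120000 12345 dnssec.test. c2lnbmF0dXJl
"""

def _ts(value):
    # RRSIG expiration/inception are written as YYYYMMDDHHMMSS in UTC.
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsigs(answer, now, min_remaining=timedelta(days=3)):
    """Return sorted (owner, rrtype, problem) tuples for RRsets whose signature
    is missing, outside its validity window, or closer to expiry than
    min_remaining."""
    rrsets, windows = set(), {}
    for line in answer.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) < 5:
            continue  # dig comment lines and anything too short to be a record
        owner, rrtype = fields[0].lower(), fields[3]
        if rrtype != "RRSIG":
            rrsets.add((owner, rrtype))
        elif len(fields) >= 13:
            # RRSIG rdata: covered alg labels origttl expiration inception tag signer sig
            covered, expiration, inception = fields[4], _ts(fields[8]), _ts(fields[9])
            windows.setdefault((owner, covered), []).append((inception, expiration))
    problems = []
    for key in sorted(rrsets):
        sigs = windows.get(key, [])
        # One signature that is valid right now is enough for a validator.
        valid = [exp for inc, exp in sigs if inc <= now <= exp]
        if not sigs:
            problems.append(key + ("no RRSIG",))
        elif not valid:
            problems.append(key + ("no RRSIG valid at this time",))
        elif max(valid) - now < min_remaining:
            problems.append(key + ("RRSIG expires soon",))
    return problems

if __name__ == "__main__":
    for owner, rrtype, problem in check_rrsigs(SAMPLE, datetime.now(timezone.utc)):
        print(f"{owner} {rrtype}: {problem}")
```

Run per zone against the authoritative server itself, so that a stale zone is seen directly rather than through a validating resolver's cache.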
