Skip to content

BIND-9.18.9: "add-soa" modification in RPZ requires restart of named

Summary

Changes in RPZ (for example add-soa true|false) requires a restart of named; rndc reload isn't sufficient.

BIND version used

named -V
BIND 9.18.9 (Stable Release) <id:e831507>
running on Linux x86_64 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 20:34:55 UTC 2021
built by make with  '--prefix=/usr/local/bind-9.18.9' '--sysconfdir=/opt/chroot/bind/etc/named/' '--mandir=/usr/local/share/man' '--localstatedir=/opt/chroot/bind/var' '--enable-largefile' '--enable-full-report' '--without-gssapi' '--with-json-c' '--enable-singletrace' '--enable-dnstap' 'PKG_CONFIG_PATH=/usr/local/fstrm/lib/pkgconfig/:/usr/local/h2o/lib64/pkgconfig'
compiled by GCC 8.4.1 20200928 (Red Hat 8.4.1-1)
compiled with OpenSSL version: OpenSSL 1.1.1g FIPS  21 Apr 2020
linked to OpenSSL version: OpenSSL 1.1.1g FIPS  21 Apr 2020
compiled with libuv version: 1.41.1
linked to libuv version: 1.41.1
compiled with libnghttp2 version: 1.33.0
linked to libnghttp2 version: 1.33.0
compiled with json-c version: 0.13.1
linked to json-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.3.0
linked to protobuf-c version: 1.3.0
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): no

default paths:
  named configuration:  /opt/chroot/bind/etc/named/named.conf
  rndc configuration:   /opt/chroot/bind/etc/named/rndc.conf
  DNSSEC root key:      /opt/chroot/bind/etc/named/bind.keys
  nsupdate session key: /opt/chroot/bind/var/run/named/session.key
  named PID file:       /opt/chroot/bind/var/run/named/named.pid
  named lock file:      /opt/chroot/bind/var/run/named/named.lock

Steps to reproduce

rpz-configuration with "add-soa true"

        response-policy {
                zone "blacklist-rpz.arcade.ch" policy nxdomain;
         } qname-wait-recurse no
           break-dnssec no
          add-soa true
          nsip-wait-recurse no;
...
...

query the server for a blacklisted record (isc.org in this example):

$ dig @test isc.org

; <<>> DiG 9.18.9 <<>> @test isc.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1881
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7485a1057ec2eed50100000063997e60a1a3962d023c7214 (good)
;; QUESTION SECTION:
;isc.org.			IN	A

;; ADDITIONAL SECTION:
blacklist-rpz.arcade.ch. 1	IN	SOA	bastelwurstel.arcade.ch. someone.arcade.ch. 2021102103 28800 7200 604800 900

;; Query time: 16 msec
;; SERVER: 10.100.102.21#53(test) (UDP)
;; WHEN: Wed Dec 14 08:42:24 CET 2022
;; MSG SIZE  rcvd: 145

Now changing the "add-soa"-field from "true" to "false" and run "rndc reload"

        response-policy {
                zone "blacklist-rpz.arcade.ch" policy nxdomain;
         } qname-wait-recurse no
           break-dnssec no
          add-soa false
          nsip-wait-recurse no;
...
...
$ rndc reload
server reload successful

query the same record again:

$ dig @test isc.org

; <<>> DiG 9.18.9 <<>> @test isc.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23842
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 93a808f18eed863a0100000063997eca6ffe934bf7095a46 (good)
;; QUESTION SECTION:
;isc.org.			IN	A

;; ADDITIONAL SECTION:
blacklist-rpz.arcade.ch. 1	IN	SOA	bastelwurstel.arcade.ch. someone.arcade.ch. 2021102103 28800 7200 604800 900

;; Query time: 20 msec
;; SERVER: 10.100.102.21#53(test) (UDP)
;; WHEN: Wed Dec 14 08:44:10 CET 2022
;; MSG SIZE  rcvd: 145

The SOA record is still here.

Only after restarting BIND, then named will prevent sending the SOA record:

$ systemctl restart named

Query the rpz-listed domain again:

$ dig @test isc.org

; <<>> DiG 9.18.9 <<>> @test isc.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19144
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: a9e46dda3d5901550100000063997fd7ae33532ad2eb5235 (good)
;; QUESTION SECTION:
;isc.org.			IN	A

;; Query time: 16 msec
;; SERVER: 10.100.102.21#53(test) (UDP)
;; WHEN: Wed Dec 14 08:48:39 CET 2022
;; MSG SIZE  rcvd: 64

What is the current bug behavior?

Only a complete restart of named will cause the changes to take effect in a rpz configuration (at least for add-soa).

What is the expected correct behavior?

A simple rndc reload should be sufficient to cause the changes to take effect.

Relevant configuration files

Relevant logs and/or screenshots

Possible fixes

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information