BIND-9.18.9: "add-soa" modification in RPZ requires restart of named
### Summary

Changes in RPZ (for example `add-soa true|false`) require a restart of `named`; `rndc reload` isn't sufficient.
### BIND version used

```
named -V
BIND 9.18.9 (Stable Release) <id:e831507>
running on Linux x86_64 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 20:34:55 UTC 2021
built by make with '--prefix=/usr/local/bind-9.18.9' '--sysconfdir=/opt/chroot/bind/etc/named/' '--mandir=/usr/local/share/man' '--localstatedir=/opt/chroot/bind/var' '--enable-largefile' '--enable-full-report' '--without-gssapi' '--with-json-c' '--enable-singletrace' '--enable-dnstap' 'PKG_CONFIG_PATH=/usr/local/fstrm/lib/pkgconfig/:/usr/local/h2o/lib64/pkgconfig'
compiled by GCC 8.4.1 20200928 (Red Hat 8.4.1-1)
compiled with OpenSSL version: OpenSSL 1.1.1g FIPS 21 Apr 2020
linked to OpenSSL version: OpenSSL 1.1.1g FIPS 21 Apr 2020
compiled with libuv version: 1.41.1
linked to libuv version: 1.41.1
compiled with libnghttp2 version: 1.33.0
linked to libnghttp2 version: 1.33.0
compiled with json-c version: 0.13.1
linked to json-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.3.0
linked to protobuf-c version: 1.3.0
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): no
default paths:
  named configuration:  /opt/chroot/bind/etc/named/named.conf
  rndc configuration:   /opt/chroot/bind/etc/named/rndc.conf
  DNSSEC root key:      /opt/chroot/bind/etc/named/bind.keys
  nsupdate session key: /opt/chroot/bind/var/run/named/session.key
  named PID file:       /opt/chroot/bind/var/run/named/named.pid
  named lock file:      /opt/chroot/bind/var/run/named/named.lock
```
### Steps to reproduce

RPZ configuration with `add-soa true`:

```
response-policy {
    zone "blacklist-rpz.arcade.ch" policy nxdomain;
} qname-wait-recurse no
  break-dnssec no
  add-soa true
  nsip-wait-recurse no;
...
...
```
Query the server for a blacklisted record (isc.org in this example):

```
$ dig @test isc.org

; <<>> DiG 9.18.9 <<>> @test isc.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1881
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7485a1057ec2eed50100000063997e60a1a3962d023c7214 (good)
;; QUESTION SECTION:
;isc.org.                       IN      A

;; ADDITIONAL SECTION:
blacklist-rpz.arcade.ch. 1 IN SOA bastelwurstel.arcade.ch. someone.arcade.ch. 2021102103 28800 7200 604800 900

;; Query time: 16 msec
;; SERVER: 10.100.102.21#53(test) (UDP)
;; WHEN: Wed Dec 14 08:42:24 CET 2022
;; MSG SIZE  rcvd: 145
```
Now change the `add-soa` field from `true` to `false` and run `rndc reload`:

```
response-policy {
    zone "blacklist-rpz.arcade.ch" policy nxdomain;
} qname-wait-recurse no
  break-dnssec no
  add-soa false
  nsip-wait-recurse no;
...
...
```

```
$ rndc reload
server reload successful
```
Query the same record again:

```
$ dig @test isc.org

; <<>> DiG 9.18.9 <<>> @test isc.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23842
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 93a808f18eed863a0100000063997eca6ffe934bf7095a46 (good)
;; QUESTION SECTION:
;isc.org.                       IN      A

;; ADDITIONAL SECTION:
blacklist-rpz.arcade.ch. 1 IN SOA bastelwurstel.arcade.ch. someone.arcade.ch. 2021102103 28800 7200 604800 900

;; Query time: 20 msec
;; SERVER: 10.100.102.21#53(test) (UDP)
;; WHEN: Wed Dec 14 08:44:10 CET 2022
;; MSG SIZE  rcvd: 145
```
The SOA record is still there.

Only after restarting BIND does `named` stop sending the SOA record:

```
$ systemctl restart named
```
Query the RPZ-listed domain again:

```
$ dig @test isc.org

; <<>> DiG 9.18.9 <<>> @test isc.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19144
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: a9e46dda3d5901550100000063997fd7ae33532ad2eb5235 (good)
;; QUESTION SECTION:
;isc.org.                       IN      A

;; Query time: 16 msec
;; SERVER: 10.100.102.21#53(test) (UDP)
;; WHEN: Wed Dec 14 08:48:39 CET 2022
;; MSG SIZE  rcvd: 64
```
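The reproduction above boils down to one observable: whether the response to a query for an RPZ-listed name still carries the policy zone's SOA in the ADDITIONAL section. The following script is an added example (not part of this bug report and not BIND's own code) that parses `dig` text output and compares what the server actually returns with the `add-soa` value the operator believes is in effect, so a reload can be verified instead of assumed. The two `dig` outputs embedded in it are constructed abbreviations of the responses shown above; the function names are my own.

```python
"""Verify that an `add-soa` change in an RPZ response-policy took effect.

Added example, not part of the bug report: feed the text of
`dig @server name` to add_soa_change_applied() together with the
add-soa value you configured. A False result after `rndc reload`
is exactly the behaviour the report describes (SOA still present).
"""
from typing import List, Optional

# Constructed sample: abbreviated dig output after `rndc reload` with
# add-soa false, where the policy zone's SOA is still injected.
DIG_WITH_SOA = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23842
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;isc.org.\t\t\tIN\tA

;; ADDITIONAL SECTION:
blacklist-rpz.arcade.ch. 1 IN SOA bastelwurstel.arcade.ch. someone.arcade.ch. 2021102103 28800 7200 604800 900

;; Query time: 20 msec
"""

# Constructed sample: abbreviated dig output after a full restart,
# where only the OPT pseudo-record remains in ADDITIONAL.
DIG_WITHOUT_SOA = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19144
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;isc.org.\t\t\tIN\tA

;; Query time: 16 msec
"""


def rcode(dig_output: str) -> Optional[str]:
    """Return the status (rcode) from the dig HEADER line, e.g. 'NXDOMAIN'."""
    for line in dig_output.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            for field in line.split(","):
                field = field.strip()
                if field.startswith("status:"):
                    return field.split(":", 1)[1].strip()
    return None


def additional_records(dig_output: str) -> List[str]:
    """Return the record lines printed under ';; ADDITIONAL SECTION:'.

    dig prints the OPT pseudosection separately, so only real records
    (such as the SOA that add-soa injects) show up here.
    """
    records: List[str] = []
    in_additional = False
    for line in dig_output.splitlines():
        if line.startswith(";; ADDITIONAL SECTION:"):
            in_additional = True
            continue
        if in_additional:
            # A comment line or blank line ends the section.
            if line.startswith(";") or not line.strip():
                break
            records.append(line.strip())
    return records


def rpz_soa_owner(dig_output: str) -> Optional[str]:
    """Return the owner name of an SOA in the ADDITIONAL section, or None.

    With add-soa true, that owner is the RPZ zone name, which tells the
    client which policy zone rewrote the answer.
    """
    for rec in additional_records(dig_output):
        fields = rec.split()  # owner TTL class type rdata...
        if len(fields) >= 4 and fields[2] == "IN" and fields[3] == "SOA":
            return fields[0]
    return None


def add_soa_change_applied(dig_output: str, add_soa_configured: bool) -> bool:
    """True when the observed response matches the configured add-soa value."""
    return (rpz_soa_owner(dig_output) is not None) == add_soa_configured


if __name__ == "__main__":
    for label, out in (("after reload", DIG_WITH_SOA), ("after restart", DIG_WITHOUT_SOA)):
        print(f"{label}: rcode={rcode(out)} rpz_soa={rpz_soa_owner(out)} "
              f"add-soa false applied={add_soa_change_applied(out, False)}")
```

In practice the text passed in comes from running `dig @<server> <rpz-listed name>` (for instance via `subprocess.run([...], capture_output=True, text=True).stdout`) once before and once after the configuration change; a mismatch between the configured value and the parsed result is the signal to restart rather than reload until this issue is resolved.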
### What is the current bug behavior?

Only a complete restart of `named` causes changes in an RPZ configuration to take effect (at least for `add-soa`).
### What is the expected correct behavior?

A simple `rndc reload` should be sufficient to cause the changes to take effect.