named stops responding if an HTTP/2 listener is disabled whilst running
Summary
BIND version used
BIND 9.18.14 (Extended Support Version) id:2c5e22f
running on Darwin x86_64 22.4.0 Darwin Kernel Version 22.4.0: Mon Mar 6 21:00:17 PST 2023; root:xnu-8796.101.5~3/RELEASE_X86_64
built by make with '--prefix=/usr/local/Cellar/bind/9.18.14' '--sysconfdir=/usr/local/etc/bind' '--localstatedir=/usr/local/var' '--with-json-c' '--with-libidn2=/usr/local/opt/libidn2' '--with-openssl=/usr/local/opt/openssl@3' '--without-lmdb' 'CC=clang' 'PKG_CONFIG_PATH=/usr/local/opt/json-c/lib/pkgconfig:/usr/local/opt/libidn2/lib/pkgconfig:/usr/local/opt/libnghttp2/lib/pkgconfig:/usr/local/opt/libuv/lib/pkgconfig:/usr/local/opt/openssl@3/lib/pkgconfig' 'PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig:/usr/local/Homebrew/Library/Homebrew/os/mac/pkgconfig/13'
compiled by CLANG Apple LLVM 14.0.3 (clang-1403.0.22.14.1)
compiled with OpenSSL version: OpenSSL 3.1.0 14 Mar 2023
linked to OpenSSL version: OpenSSL 3.1.0 14 Mar 2023
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with libnghttp2 version: 1.52.0
linked to libnghttp2 version: 1.52.0
compiled with libxml2 version: 2.9.13
linked to libxml2 version: 20913
compiled with json-c version: 0.16
linked to json-c version: 0.16
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled

DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes

default paths:
  named configuration:  /usr/local/etc/bind/named.conf
  rndc configuration:   /usr/local/etc/bind/rndc.conf
  DNSSEC root key:      /usr/local/etc/bind/bind.keys
  nsupdate session key: /usr/local/var/run/named/session.key
  named PID file:       /usr/local/var/run/named/named.pid
  named lock file:      /usr/local/var/run/named/named.lock
Steps to reproduce
Start named with this:
tls tlsconf {
    key-file "/usr/local/var/named/key.pem";
    cert-file "/usr/local/var/named/cert.pem";
};
listen-on port 8888 tls tlsconf http httpsconf { 127.0.0.1; };
Comment out the listen-on line, then run rndc reconfig. named stops responding, both to queries and on the command channel.
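The steps above as a scripted reproduction with bounded waits, so a hung named shows up as a failed probe rather than a blocked terminal. This is an added example, not part of the original report or of ISC's own test suite; it assumes named is already running with the report's configuration and that rndc, dig, named-checkconf and GNU coreutils timeout are on PATH.

```shell
#!/bin/sh
# Reproduction harness for the report above (added example, not from the
# original report or from ISC). Assumes named is running with the report's
# configuration and that rndc, dig and GNU coreutils timeout are on PATH.
set -u

# Comment out the DoH listener (the listen-on statement carrying both "tls"
# and "http"), whether it is written on one line or spans a block. The plain
# listen-on and a tls-only listen-on are left untouched. Writes $2 from $1.
disable_doh_listener() {
    awk '
        inblk { print "// " $0; if ($0 ~ /};[[:space:]]*$/) inblk = 0; next }
        /^[[:space:]]*listen-on .*tls .*http / {
            print "// " $0
            if ($0 !~ /};[[:space:]]*$/) inblk = 1
            next
        }
        { print }' "$1" > "$2"
}

# Liveness probes with bounded waits, so a hung named returns non-zero
# instead of blocking the script. The zone name is the one from the report.
probe_dns() {   # host port
    dig @"$1" -p "$2" +time=2 +tries=1 SOA tma.com >/dev/null 2>&1
}
probe_rndc() {
    timeout 5 rndc status >/dev/null 2>&1
}

# Apply the change, reconfigure, and report whether named survived.
# Returns 0 when named still answers, 1 when the hang was reproduced.
reproduce() {   # path to the live named.conf
    conf=$1
    cp "$conf" "$conf.before-repro"
    disable_doh_listener "$conf.before-repro" "$conf"
    named-checkconf "$conf" || return 2   # never hand reconfig a broken file
    timeout 10 rndc reconfig || echo "rndc reconfig did not return"
    sleep 2
    rc=0
    probe_dns 127.0.0.1 53 || { echo "FAIL: no answer to plain DNS on 127.0.0.1#53"; rc=1; }
    probe_rndc            || { echo "FAIL: rndc status timed out"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: named still answers queries and rndc"
    return "$rc"
}

# Usage: REPRO_NAMED_CONF=/usr/local/etc/bind/named.conf sh repro.sh
if [ -n "${REPRO_NAMED_CONF:-}" ]; then
    reproduce "$REPRO_NAMED_CONF"
fi
```

The original named.conf is kept beside the edited one as named.conf.before-repro so the listener can be restored with a second reconfig.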
What is the current bug behavior?
named stops responding to queries or rndc commands.
What is the expected correct behavior?
named should still respond to commands and non-TLS queries.
Relevant configuration files
controls {
    inet 127.0.0.2 port 953 allow {
        127.0.0.0/24;
    } keys {
        "rndc-key";
    };
};
http "httpsconf" {
};
options {
    bindkeys-file "bind.keys";
    directory "/usr/local/var/named";
    listen-on {
        "any";
    };
    listen-on port 8888 tls "tlsconf" http "httpsconf" {
        "any";
    };
    dnssec-accept-expired no;
    dnssec-validation yes;
    check-dup-records warn;
    dnssec-dnskey-kskonly no;
    dnssec-loadkeys-interval 60;
    key-directory "keys";
    update-check-ksk yes;
};
tls "tlsconf" {
    key-file "/usr/local/var/named/key.pem";
    cert-file "/usr/local/var/named/cert.pem";
    prefer-server-ciphers no;
    session-tickets no;
};
key "rndc-key" {
    algorithm "hmac-sha256";
    secret "????????????????????????????????????????????";
};
zone "tma.com" in {
    type master;
    file "db.tma.com";
    allow-update {
        "any";
    };
    notify yes;
};
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "db.127.0.0";
};
Relevant logs and/or screenshots
Apart from the usual logs you get with a reconfig, this is the only line that indicates the TLS listener has gone away:
15-May-2023 21:20:54.721 network: info: no longer listening on 127.0.0.1#8888
Possible fixes
Some experimentation shows this to be related to DoH. Neither of the following changes, each followed by a reconfig, causes the server to hang:
Start with:
listen-on port 8888 tls "tlsconf" http "httpsconf" {
    "any";
};
Remove the http option and reconfig:
listen-on port 8888 tls "tlsconf" {
    "any";
};
The server is still responsive, and the logs report that the TLS context has been updated rather than that it is no longer listening:
16-May-2023 08:33:43.130 network: info: updating TLS context on 127.0.0.1#8888
16-May-2023 08:33:43.130 network: info: updating TLS context on 127.0.0.2#8888
16-May-2023 08:33:43.130 network: info: updating TLS context on 192.168.1.236#8888
This change is also reversible: the http option can be re-added and a reconfig is successful, with similar log messages.