BIND 9.10.8 & 9.11.4 reload not competing with inline signing and auto-dnssec maintain (#435) · Issues · ISC Open Source Projects / BIND

BIND 9.10.8 & 9.11.4 reload not competing with inline signing and auto-dnssec maintain

Summary

In some cases reload does not complete for zones with inline signing and auto-dnssec maintain enabled. Repeatable with BIND 9.10.8 and 9.11.4. Reload works properly with BIND 9.10.4-P4.

Steps to reproduce

Unpack the attached tarball. It contains a named/ directory tree, complete with named and rndc configuration files, various versions of the test zone, a set of signing keys, and logs from our test runs. The named.conf file will need to be updated with the correct path for these options:

	directory               "/opt/named/db";
	pid-file                "/opt/named/etc/named.pid";
	dump-file               "/opt/named/db/named.dump";

Start two terminal windows and cd into the named directory in each of them. One is for running named; the other for updating zone files and running rndc. Use the following commands to trigger the the bug. The commands use the first named and rndc commands in your path.

  # in the named terminal
  cp db/stanford.edu.0 db/stanford.edu
  named -g -c etc/named.conf 2>&1 | tee -a named.log
  # wait for signing to complete. final signed zone serial will be 2018120219

  # in the rndc terminal
  # confirm signing is complete and check the zone status
  rndc -c etc/rndc.conf signing -list stanford.edu
  rndc -c etc/rndc.conf zonestatus stanford.edu

  # update the zone and reload (works, but doesn't send notifies)
  cp db/stanford.edu.1 db/stanford.edu
  rndc -c etc/rndc.conf reload
  rndc -c etc/rndc.conf zonestatus stanford.edu

  # update the zone again and reload (fails without error)
  cp db/stanford.edu.2 db/stanford.edu
  rndc -c etc/rndc.conf reload
  rndc -c etc/rndc.conf zonestatus stanford.edu

  # restart and find the journal is out of sync
  rndc -c etc/rndc.conf stop

  # start named again in the named terminal
  named -g -c etc/named.conf |& tee -a named.log

  # check status in the rndc terminal
  rndc -c etc/rndc.conf zonestatus stanford.edu

What is the current bug behavior?

The first reload successfully updates the signed zone but doesn't send notifies. On the next update named indicates a successful reload, but doesn't actually update the zone. Stopping via rndc works without errors, but when named is restarted the journal is out of sync with the zone.

What is the expected correct behavior?

Update the signed zone and send notifies.

Relevant configuration files

The attached tarball includes named.conf, rndc.conf, various versions of the test zone, and a set of signing keys.

Relevant logs and/or screenshots

The attached tarball includes a named/logs/ directory containing named logs from BIND 9.11.4 (bug), BIND 9.10.8 (bug), and 9.10.4-P5 (successful) test runs.

Possible fixes

Not fixes, just observations.

The bug isn't triggered if the zone is specified when reloading, i.e., "rndc reload stanford.edu". If the zone is specified every time all is well. If it's specified after the first time named fails to send notifies, the signed zone is updated properly, but no notifies are sent. bug-report.tar.gz

Edited Aug 16, 2018 by Rob