key-directory directive appears to be ignored/lost
Summary
named is currently spamming my logs (several times a second) with:
01-Oct-2023 23:48:04.780 general: warning: dns_dnssec_findzonekeys: error reading K118.35.155.90.in-addr.arpa.+013+61902.private: file not found
I think this started when I upgraded to 9.19.17-1-Debian. (I only noticed after it filled up / with error logs which was several hours later)
Previously the lines looked like:
2023-09-17T02:39:40.407470+01:00 windy named[3479]: dns_dnssec_keylistfromrdataset: error reading /var/lib/bind/keys/K118.35.155.90.in-addr.arpa.+008+45120.private: file not found
And instead of it doing it for this one zone, it's now doing it for all zones (including ones that have valid keys in that directory).
Stracing named, shows it's attempting to:
[pid 2091764] openat(AT_FDCWD, "K118.35.155.90.in-addr.arpa.+008+25456.key", O_RDONLY) = -1 ENOENT (No such file or directory)
which is the wrong directory; it should be looking in /var/lib/bind/keys/. Playing around with gdb, zone->keydirectory appears to be NULL, but it does seem to be attempting to set it correctly at startup. I can't find where zone->keydirectory becomes NULL.
BIND version used
# named -V
BIND 9.19.17-1-Debian (Development Release) <id:>
running on Linux x86_64 6.4.0-1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.4.4-1 (2023-07-23)
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--disable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=yes' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/reproducible-path/bind9-9.19.17=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 13.2.0
compiled with OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
linked to OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with liburcu version: 0.14.0
compiled with jemalloc version: 5.3.0
compiled with libnghttp2 version: 1.56.0
linked to libnghttp2 version: 1.56.0
compiled with libxml2 version: 2.9.14
linked to libxml2 version: 20914
compiled with json-c version: 0.17
linked to json-c version: 0.17
compiled with zlib version: 1.2.13
linked to zlib version: 1.2.13
linked to maxminddb version: 1.7.1
compiled with protobuf-c version: 1.4.1
linked to protobuf-c version: 1.4.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): no
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
Steps to reproduce
It appears running this config shows it attempting to load keys from the wrong directory.
What is the current bug behavior?
bind attempts to load keys from its current working directory.
What is the expected correct behavior?
bind attempts to load keys from the directory specified in key-directory
Relevant configuration files
I use the key-directory within the options block; I've tried adding it to the zone blocks too, but that doesn't seem to help.
acl "recursive" {
127.0.0.0/8;
90.155.35.112/28;
213.49.232.21/32;
192.168.0.0/16;
2001:8b0:8dd::/48;
};
dnssec-policy "lorier" {
dnskey-ttl PT1H;
keys {
csk key-directory lifetime unlimited algorithm ecdsa256;
};
max-zone-ttl P1D;
parent-ds-ttl P1D;
parent-propagation-delay PT1H;
publish-safety PT1H;
purge-keys P90D;
retire-safety PT1H;
signatures-refresh P5D;
signatures-validity P14D;
signatures-validity-dnskey P14D;
zone-propagation-delay PT5M;
};
logging {
channel "simple_logging" {
file "/var/log/named/named.log" versions 5 size 10485760;
severity dynamic;
print-time yes;
print-severity yes;
print-category yes;
};
channel "extra_logging" {
file "/var/log/named/extra.log" versions 5 size 10485760;
print-time yes;
print-severity yes;
print-category yes;
};
category "default" {
"simple_logging";
};
category "unmatched" {
"extra_logging";
};
};
options {
directory "/var/cache/bind";
listen-on-v6 {
"any";
};
allow-query-cache {
"recursive";
};
allow-recursion {
"recursive";
};
auth-nxdomain no;
dnssec-validation auto;
key-directory "/var/lib/bind/keys";
};
key "certbot-key" {
algorithm "hmac-sha512";
secret "????????????????????????????????????????????????????????????????????????????????????????";
};
key "ddns-key.snow.lorier.net" {
algorithm "hmac-sha256";
secret "????????????????????????????????????????????";
};
key "ddns-key.heatwave.lorier.net" {
algorithm "hmac-sha256";
secret "????????????????????????????????????????????";
};
zone "lorier.net" {
type master;
file "/var/lib/bind/db.lorier.net.signed";
update-policy {
grant "local-ddns" zonesub "any";
grant "certbot-key" name "_acme-challenge.dmz.lorier.net." "txt";
grant "ddns-key.snow.lorier.net" name "snow.lorier.net." "ANY";
grant "ddns-key.heatwave.lorier.net" name "heatwave.lorier.net" "ANY";
};
allow-transfer {
64.62.231.249/32;
104.237.156.70/32;
114.23.226.193/32;
127.0.0.1/32;
131.203.119.149/32;
202.37.129.62/32;
};
also-notify {
64.62.231.249;
104.237.156.70;
114.23.226.193;
127.0.0.1;
131.203.119.149;
202.37.129.62;
};
dnssec-policy "lorier";
key-directory "/var/lib/bind/keys";
notify-source 90.155.35.114;
};
zone "_acme-challenge.lorier.net" {
type master;
file "/var/lib/bind/db._acme-challenge.lorier.net.signed";
update-policy {
grant "certbot-key" name "_acme-challenge.lorier.net." "txt";
};
dnssec-policy "lorier";
key-directory "/var/lib/bind/keys";
};
zone "int.lorier.net" {
type master;
file "/var/lib/bind/db.int.lorier.net.signed";
update-policy {
grant "local-ddns" zonesub "ANY";
};
dnssec-policy "lorier";
};
zone "112.35.155.90.in-addr.arpa" {
type master;
file "/var/lib/bind/db.112.35.155.90.in-addr.arpa.signed";
update-policy {
grant "local-ddns" zonesub "any";
grant "*" tcp-self "." "PTR";
};
dnssec-policy "lorier";
};
zone "113.35.155.90.in-addr.arpa" {
type master;
file "/var/lib/bind/db.113.35.155.90.in-addr.arpa.signed";
update-policy {
grant "local-ddns" zonesub "any";
grant "*" tcp-self "." "PTR";
};
dnssec-policy "lorier";
};
zone "114.35.155.90.in-addr.arpa" {
type master;
file "/var/lib/bind/db.114.35.155.90.in-addr.arpa.signed";
update-policy {
grant "local-ddns" zonesub "any";
grant "*" tcp-self "." "PTR";
};
dnssec-policy "lorier";
};
zone "115.35.155.90.in-addr.arpa" {
type master;
file "/var/lib/bind/db.115.35.155.90.in-addr.arpa.signed";
update-policy {
grant "local-ddns" zonesub "any";
grant "*" tcp-self "." "PTR";
};
dnssec-policy "lorier";
};
zone "116.35.155.90.in-addr.arpa" {
type master;
file "/var/lib/bind/db.116.35.155.90.in-addr.arpa.signed";
update-policy {
grant "local-ddns" zonesub "any";
grant "*" tcp-self "." "PTR";
};
dnssec-policy "lorier";
};
zone "117.35.155.90.in-addr.arpa" {
type master;
file "/var/lib/bind/db.117.35.155.90.in-addr.arpa.signed";
update-policy {
grant "local-ddns" zonesub "any";
grant "*" tcp-self "." "PTR";
};
dnssec-policy "lorier";
};
zone "118.35.155.90.in-addr.arpa" {
type master;
file "/var/lib/bind/db.118.35.155.90.in-addr.arpa.signed";
update-policy {
grant "local-ddns" zonesub "any";
grant "*" tcp-self "." "PTR";
};
dnssec-policy "lorier";
};
zone "119.35.155.90.in-addr.arpa" {
type master;
file "/var/lib/bind/db.119.35.155.90.in-addr.arpa.signed";
update-policy {
grant "local-ddns" zonesub "any";
grant "*" tcp-self "." "PTR";
};
dnssec-policy "lorier";
};
zone "120.35.155.90.in-addr.arpa" {
type master;
file "/var/lib/bind/db.120.35.155.90.in-addr.arpa.signed";
update-policy {
grant "local-ddns" zonesub "any";
grant "*" tcp-self "." "PTR";
};
dnssec-policy "lorier";
};
zone "121.35.155.90.in-addr.arpa" {
type master;
file "/var/lib/bind/db.121.35.155.90.in-addr.arpa.signed";
update-policy {
grant "local-ddns" zonesub "any";
grant "*" tcp-self "." "PTR";
};
dnssec-policy "lorier";
};
zone "122.35.155.90.in-addr.arpa" {
type master;
file "/var/lib/bind/db.122.35.155.90.in-addr.arpa.signed";
update-policy {
grant "local-ddns" zonesub "any";
grant "*" tcp-self "." "PTR";
};
dnssec-policy "lorier";
};
zone "123.35.155.90.in-addr.arpa" {
type master;
file "/var/lib/bind/db.123.35.155.90.in-addr.arpa.signed";
update-policy {
grant "local-ddns" zonesub "any";
grant "*" tcp-self "." "PTR";
};
dnssec-policy "lorier";
};
zone "124.35.155.90.in-addr.arpa" {
type master;
file "/var/lib/bind/db.124.35.155.90.in-addr.arpa.signed";
update-policy {
grant "local-ddns" zonesub "any";
grant "*" tcp-self "." "PTR";
};
dnssec-policy "lorier";
};
zone "125.35.155.90.in-addr.arpa" {
type master;
file "/var/lib/bind/db.125.35.155.90.in-addr.arpa.signed";
update-policy {
grant "local-ddns" zonesub "any";
grant "*" tcp-self "." "PTR";
};
dnssec-policy "lorier";
};
zone "126.35.155.90.in-addr.arpa" {
type master;
file "/var/lib/bind/db.126.35.155.90.in-addr.arpa.signed";
update-policy {
grant "local-ddns" zonesub "any";
grant "*" tcp-self "." "PTR";
};
dnssec-policy "lorier";
};
zone "127.35.155.90.in-addr.arpa" {
type master;
file "/var/lib/bind/db.127.35.155.90.in-addr.arpa.signed";
update-policy {
grant "local-ddns" zonesub "any";
grant "*" tcp-self "." "PTR";
};
dnssec-policy "lorier";
};
zone "0.0.0.0.d.d.8.0.0.b.8.0.1.0.0.2.ip6.arpa" {
type master;
file "/var/lib/bind/db.0.0.0.0.d.d.8.0.0.b.8.0.1.0.0.2.ip6.arpa.signed";
update-policy {
grant "local-ddns" zonesub "any";
grant "*" tcp-self "." "PTR";
};
dnssec-policy "lorier";
};
zone "8.e.9.b.d.d.8.0.0.b.8.0.1.0.0.2.ip6.arpa" {
type master;
file "/var/lib/bind/db.8.e.9.b.d.d.8.0.0.b.8.0.1.0.0.2.ip6.arpa.signed";
update-policy {
grant "local-ddns" zonesub "any";
grant "*" tcp-self "." "PTR";
};
dnssec-policy "lorier";
};
zone "0.b.8.0.1.0.0.2.ip6.arpa" {
type master;
file "/var/lib/bind/db.0.b.8.0.1.0.0.2.ip6.arpa.signed";
update-policy {
grant "local-ddns" zonesub "any";
};
dnssec-policy "lorier";
};
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
Relevant logs and/or screenshots
01-Oct-2023 23:54:02.479 general: warning: dns_dnssec_findzonekeys: error reading K121.35.155.90.in-addr.arpa.+013+29194.private: file not found
01-Oct-2023 23:54:02.479 general: warning: dns_dnssec_findzonekeys: error reading K117.35.155.90.in-addr.arpa.+013+42622.private: file not found
01-Oct-2023 23:54:02.479 general: warning: dns_dnssec_findzonekeys: error reading K123.35.155.90.in-addr.arpa.+013+44371.private: file not found
01-Oct-2023 23:54:02.479 general: warning: dns_dnssec_findzonekeys: error reading K113.35.155.90.in-addr.arpa.+013+39511.private: file not found
01-Oct-2023 23:54:02.479 general: warning: dns_dnssec_findzonekeys: error reading K118.35.155.90.in-addr.arpa.+013+61902.private: file not found
01-Oct-2023 23:54:02.479 general: warning: dns_dnssec_findzonekeys: error reading K_acme-challenge.lorier.net.+013+59310.private: file not found
01-Oct-2023 23:54:02.479 general: warning: dns_dnssec_findzonekeys: error reading K123.35.155.90.in-addr.arpa.+013+44371.private: file not found
01-Oct-2023 23:54:02.479 general: warning: dns_dnssec_findzonekeys: error reading K121.35.155.90.in-addr.arpa.+013+29194.private: file not found
Note that it's writing out duplicate messages multiple times a second.
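The following is an added triage script, not part of the report above and not BIND code. It parses the two message shapes quoted in the report (the new bare "K...private" form and the older absolute-path form), flags warnings whose key file path is relative (the symptom that key-directory was not applied), reconstructs the path named should have opened under the configured key-directory, and counts repeated messages. The sample log and the key-directory default of /var/lib/bind/keys are taken from the report; the regex and the two-entry algorithm table are the script's own assumptions.

```python
"""Triage named 'error reading K<zone>.+<alg>+<tag>.private: file not found' warnings.

Added example (not from the BIND project): detect whether the key file path in
the warning is relative, i.e. resolved against named's working directory rather
than the configured key-directory, and say where the file should have been read.
"""
import re
from collections import Counter

# Matches both "error reading K<zone>.+013+12345.private" and
# "error reading /var/lib/bind/keys/K<zone>.+008+45120.private" (assumed shape).
KEY_FILE_RE = re.compile(
    r"(?P<func>dns_dnssec_\w+): error reading "
    r"(?P<path>(?:\S*/)?K(?P<zone>\S+?)\.\+(?P<alg>\d{3})\+(?P<tag>\d+)\.(?P<ext>private|key))"
    r": file not found"
)

# IANA DNSSEC algorithm numbers for the two algorithms seen in the report:
# the old RSASHA256 (+008) keys and the policy's ecdsa256 (+013) keys.
ALGORITHM_NAMES = {8: "RSASHA256", 13: "ECDSAP256SHA256"}

# Constructed sample: lines of the shapes quoted in the report, with one
# deliberate duplicate so the repeat counter has something to find.
SAMPLE_LOG = """\
01-Oct-2023 23:54:02.479 general: warning: dns_dnssec_findzonekeys: error reading K121.35.155.90.in-addr.arpa.+013+29194.private: file not found
01-Oct-2023 23:54:02.479 general: warning: dns_dnssec_findzonekeys: error reading K118.35.155.90.in-addr.arpa.+013+61902.private: file not found
01-Oct-2023 23:54:02.479 general: warning: dns_dnssec_findzonekeys: error reading K121.35.155.90.in-addr.arpa.+013+29194.private: file not found
2023-09-17T02:39:40.407470+01:00 windy named[3479]: dns_dnssec_keylistfromrdataset: error reading /var/lib/bind/keys/K118.35.155.90.in-addr.arpa.+008+45120.private: file not found
"""


def parse_warnings(log_text):
    """Return one dict per matching warning line; non-matching lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = KEY_FILE_RE.search(line)
        if not m:
            continue
        alg = int(m.group("alg"))
        path = m.group("path")
        findings.append({
            "func": m.group("func"),
            "zone": m.group("zone"),
            "algorithm": alg,
            "algorithm_name": ALGORITHM_NAMES.get(alg, f"alg{alg}"),
            "keytag": int(m.group("tag")),
            "path": path,
            # A relative path means named looked in its working directory
            # (the "directory" option, /var/cache/bind here) instead of key-directory.
            "relative": not path.startswith("/"),
        })
    return findings


def expected_path(finding, key_directory):
    """Path named should have opened if key-directory had been honoured."""
    basename = finding["path"].rsplit("/", 1)[-1]
    return f"{key_directory.rstrip('/')}/{basename}"


def triage(log_text, key_directory="/var/lib/bind/keys"):
    """Summarise the warnings: relative vs absolute paths, zones, repeats, expected paths."""
    findings = parse_warnings(log_text)
    repeats = Counter(f["path"] for f in findings)
    return {
        "total": len(findings),
        "relative": [f for f in findings if f["relative"]],
        "absolute": [f for f in findings if not f["relative"]],
        "zones": sorted({f["zone"] for f in findings}),
        "repeated_paths": {p: n for p, n in repeats.items() if n > 1},
        "expected": sorted({expected_path(f, key_directory) for f in findings if f["relative"]}),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['total']} warnings, {len(summary['relative'])} with a relative key path")
    for p in summary["expected"]:
        print("should have read:", p)
    for p, n in summary["repeated_paths"].items():
        print(f"repeated {n}x:", p)
```

Run it against the real log with `triage(open("/var/log/named/named.log").read())`; a non-empty "relative" list reproduces the key-directory symptom, and the "expected" list is what to `ls` in the key directory to confirm the files actually exist there.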