named occasionally stops zone resigning and reloading with inline signing (#438) · Issues · ISC Open Source Projects / BIND

named occasionally stops zone resigning and reloading with inline signing

bind version in use:

BIND 9.12.1-P2 
running on FreeBSD amd64 11.2-RELEASE FreeBSD 11.2-RELEASE #0 r335510: Fri Jun 22 04:32:14 UTC 2018     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC
built by make with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--with-libxml2=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlopen=yes' '--sysconfdir=/usr/local/etc/namedb' '--disable-dnstap' '--disable-fixed-rrset' '--without-geoip' '--with-idn=/usr/local' '--enable-ipv6' '--with-libjson=/usr/local' '--disable-largefile' '--with-lmdb=/usr/local' '--with-python=/usr/local/bin/python2.7' '--disable-querytrace' '--enable-rpz-nsdname' '--enable-rpz-nsip' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-tcp-fastopen' '--enable-threads' '--with-tuning=default' '--without-gssapi' '--with-openssl=/usr' '--disable-native-pkcs11' '--with-dlz-filesystem=yes' '--without-gost' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.1' 'build_alias=amd64-portbld-freebsd11.1' 'CC=clang' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector -isystem /usr/local/include -fno-strict-aliasing' 'LDFLAGS= -fstack-protector' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=clang-cpp'
compiled by CLANG 4.2.1 Compatible FreeBSD Clang 4.0.0 (tags/RELEASE_400/final 297347)
compiled with OpenSSL version: OpenSSL 1.0.2k-freebsd  26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2o-freebsd  27 Mar 2018
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with libjson-c version: 0.13
linked to libjson-c version: 0.13
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled

Summary

named (9.11 or 9.12) sometimes fails to load a changed master file and to resign the zone after a rndc reload. To recover from this, the journal files must be deleted. The issue has been discussed here: https://marc.info/?l=bind-users&m=152837141204255&w=2 Zone file and config file available on request.

Steps to reproduce

Add a RR and set the SOA serial to a new value (1st change today would be 2018072500) in master file.
Give a rndc reload command.
Query for SOA and added RR with dig.
- Expected changes are missing.
Give a rndc zonestatus.
- "last loaded:" shows old value.
- "serial:" shows 2018072500
- "signed serial:" shows 2018072500

Relevant scripts

Keys, sigs and unattended maintenance of DS-RR upstream are handled by this script: https://github.com/mc3/DSKM using dnssec-keygen, nssec-dsfromkey and dnssec-settime.

Relevant configuration files

relevant part of server config file:

options  {

	serial-update-method date;

};		// options


relevant part of zone file:

zone "lrau.net" in    {
    type master;
    file "master/signed/lrau.net/lrau.net.zone";
    key-directory "master/signed/lrau.net/";
    auto-dnssec maintain;
    inline-signing yes;
    dnssec-secure-to-insecure no;
    also-notify    {
    	1.2.3.4;
    	5.6.7.8;
       };
   };

Transcript of bug occurence today

prompt: rndc zonestatus lrau.net
name: lrau.net
type: master
files: master/signed/lrau.net/lrau.net.zone, master/signed/lrau.net/caldav.lrau.net.tlsa, master/signed/lrau.net/git3.lrau.net.tlsa, master/signed/lrau.net/git4.lrau.net.tlsa, master/signed/lrau.net/lists3.lrau.net.tlsa, master/signed/lrau.net/lists4.lrau.net.tlsa, master/signed/lrau.net/mailout3.lrau.net.tlsa, master/signed/lrau.net/mailout4.lrau.net.tlsa, master/signed/lrau.net/mx3.lrau.net.tlsa, master/signed/lrau.net/mx4.lrau.net.tlsa, master/signed/lrau.net/timap3.lrau.net.tlsa, master/signed/lrau.net/tmx3.lrau.net.tlsa, master/signed/lrau.net/acme_challenges.inc
serial: 2018072403
signed serial: 2018072430
nodes: 89
last loaded: Tue, 24 Jul 2018 19:08:01 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Wed, 25 Jul 2018 11:08:02 GMT
next resign node: lrau.net/MX
next resign time: Thu, 16 Aug 2018 06:09:55 GMT
dynamic: no
reconfigurable via modzone: no

diff lrau.net.zone lrau.net.zone.back 
7c7
< 				2018072500	; Serial number
---
> 				2018072403	; Serial number
229,230c229
< voip-gw1            IN  A       91.216.35.210
< 					IN	AAAA	2a05:bec0:26:18::210
---
> voip-gw1            IN A        91.216.35.210

prompt: rndc reload
server reload successful

relevant log entries:

13:00:03 zone lrau.net/IN (signed): next key event: 25-Jul-2018 14:00:31.162
13:00:03 reloading zones succeeded
13:00:03 zone lrau.net/IN (unsigned): loaded serial 2018072500
13:00:03 zone lrau.net/IN (signed): serial 2018072500 (unsigned 2018072500)
13:00:03 all zones loaded

prompt: rndc zonestatus lrau.net
name: lrau.net
type: master
files: master/signed/lrau.net/lrau.net.zone, master/signed/lrau.net/caldav.lrau.net.tlsa, master/signed/lrau.net/git3.lrau.net.tlsa, master/signed/lrau.net/git4.lrau.net.tlsa, master/signed/lrau.net/lists3.lrau.net.tlsa, master/signed/lrau.net/lists4.lrau.net.tlsa, master/signed/lrau.net/mailout3.lrau.net.tlsa, master/signed/lrau.net/mailout4.lrau.net.tlsa, master/signed/lrau.net/mx3.lrau.net.tlsa, master/signed/lrau.net/mx4.lrau.net.tlsa, master/signed/lrau.net/timap3.lrau.net.tlsa, master/signed/lrau.net/tmx3.lrau.net.tlsa, master/signed/lrau.net/acme_challenges.inc
serial: 2018072500
signed serial: 2018072500
nodes: 89
last loaded: Tue, 24 Jul 2018 19:08:01 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Wed, 25 Jul 2018 12:00:31 GMT
next resign node: lrau.net/MX
next resign time: Thu, 16 Aug 2018 06:09:55 GMT
dynamic: no

prompt: ls -l
total 181
-rw-r--r--  1 bind  pki_op    536 May 11 15:55 Klrau.net.+008+02496.key
-rw-------  1 bind  pki_op   1060 May 11 15:55 Klrau.net.+008+02496.private
-rw-r--r--  1 bind  pki_op    711 May 27 00:55 Klrau.net.+008+24919.key
-rw-------  1 bind  pki_op   1824 May 27 00:55 Klrau.net.+008+24919.private
-rw-r--r--  1 bind  pki_op    537 Jul 10 15:55 Klrau.net.+008+60714.key
-rw-------  1 bind  pki_op   1060 Jul 10 15:55 Klrau.net.+008+60714.private
drwxr-x---  2 bind  wheel       3 Nov 15  2012 RCS
-rw-rw-r--  1 bind  pki_op      0 Jun 15 17:05 acme_challenges.inc
-rw-rw-r--  1 bind  pki_op      0 Aug  6  2016 caldav.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op      0 Aug  6  2016 caldav3.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op      0 Aug  6  2016 caldav4.lrau.net.tlsa
-rw-r-----  1 bind  wheel     456 Aug 14  2012 dnssec-conf-lrau.net
-rw-r-----  1 bind  wheel     308 Jul 25 11:55 dnssec-stat-lrau.net
-rw-rw-r--  1 bind  pki_op    109 Jun 13 20:05 git3.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op    109 Jun 13 20:05 git4.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op    218 Jun  6 18:05 imap.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op    220 Jun  6 18:05 imap3.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op    220 Jun  6 18:05 imap4.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op    110 Jun 14 12:05 lists3.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op    110 Jun 14 12:05 lists4.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op   6611 Jul 25 12:52 lrau.net.zone
-rw-r--r--  1 root  pki_op   6577 Jul 25 12:25 lrau.net.zone.back
-rw-r--r--  1 bind  pki_op    512 Jul 24 21:08 lrau.net.zone.jbk
-rw-r--r--  1 bind  pki_op    731 Jul 25 13:00 lrau.net.zone.jnl
-rw-r--r--  1 bind  pki_op  50361 Jul 24 21:19 lrau.net.zone.signed
-rw-r--r--  1 bind  pki_op  58381 Jul 25 13:00 lrau.net.zone.signed.jnl
-rw-rw-r--  1 bind  pki_op    112 Jun  6 19:05 mailout3.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op    112 Jun  6 19:05 mailout4.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op    107 Jun  6 21:05 mx3.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op    107 Jun  6 21:05 mx4.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op      0 Nov  1  2016 timap.lrau.net.tlsa
-rw-rw-r--  1 root  pki_op    332 Jun 22 13:05 timap3.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op      0 Oct 29  2016 tmx.lrau.net.tlsa
-rw-rw-r--  1 root  pki_op    108 Jun 22 13:05 tmx3.lrau.net.tlsa

promt:	named-checkzone lrau.net master/signed/lrau.net/lrau.net.zone
zone lrau.net/IN: loaded serial 2018072500
OK

prompt: service named stop
Stopping named.
Waiting for PIDS: 54208.

prompt: rm *.jbk *.jnl *.signed
prompt: service named start
Starting named.

prompt: rndc zonestatus lrau.net
name: lrau.net
type: master
files: master/signed/lrau.net/lrau.net.zone, master/signed/lrau.net/caldav.lrau.net.tlsa, master/signed/lrau.net/git3.lrau.net.tlsa, master/signed/lrau.net/git4.lrau.net.tlsa, master/signed/lrau.net/lists3.lrau.net.tlsa, master/signed/lrau.net/lists4.lrau.net.tlsa, master/signed/lrau.net/mailout3.lrau.net.tlsa, master/signed/lrau.net/mailout4.lrau.net.tlsa, master/signed/lrau.net/mx3.lrau.net.tlsa, master/signed/lrau.net/mx4.lrau.net.tlsa, master/signed/lrau.net/timap3.lrau.net.tlsa, master/signed/lrau.net/tmx3.lrau.net.tlsa, master/signed/lrau.net/acme_challenges.inc
serial: 2018072500
signed serial: 2018072527
nodes: 89
last loaded: Wed, 25 Jul 2018 11:34:00 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Wed, 25 Jul 2018 12:34:00 GMT
next resign node: uplink.bu.lrau.net/NSEC
next resign time: Thu, 16 Aug 2018 22:44:02 GMT
dynamic: no
reconfigurable via modzone: no
prompt:

Edited Jul 27, 2018 by Mark Andrews