dns zone failed to reload after upgrade to latest ISC Bind (Ubuntu package)
### Summary

### BIND version affected

```
named -V
BIND 9.16.48-Ubuntu (Extended Support Version) <id:0dab57e>
running on Linux x86_64 5.4.0-172-generic #190-Ubuntu SMP Fri Feb 2 23:24:22 UTC 2024
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--disable-isc-spnego' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-jSiMEl/bind9-9.16.48=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 9.4.0
compiled with OpenSSL version: OpenSSL 1.1.1f 31 Mar 2020
linked to OpenSSL version: OpenSSL 1.1.1f 31 Mar 2020
compiled with libuv version: 1.34.2
linked to libuv version: 1.34.2
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.13.1
linked to json-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.4.2
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
  named configuration: /etc/bind/named.conf
  rndc configuration: /etc/bind/rndc.conf
  DNSSEC root key: /etc/bind/bind.keys
  nsupdate session key: //run/named/session.key
  named PID file: //run/named/named.pid
  named lock file: //run/named/named.lock
  geoip-directory: /usr/share/GeoIP
```
**Upgraded yesterday from this version:**

```
named -V
BIND 9.16.1-Ubuntu (Stable Release) <id:d497c32>
running on Linux x86_64 5.4.0-162-generic #179-Ubuntu SMP Mon Aug 14 08:51:31 UTC 2023
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--disable-isc-spnego' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-uTvsKR/bind9-9.16.1=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 9.4.0
compiled with OpenSSL version: OpenSSL 1.1.1f 31 Mar 2020
linked to OpenSSL version: OpenSSL 1.1.1f 31 Mar 2020
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.13.1
linked to json-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.4.2
threads support is enabled
default paths:
  named configuration: /etc/bind/named.conf
  rndc configuration: /etc/bind/rndc.conf
  DNSSEC root key: /etc/bind/bind.keys
  nsupdate session key: //run/named/session.key
  named PID file: //run/named/named.pid
  named lock file: //run/named/named.lock
  geoip-directory: /usr/share/GeoIP
```
### Steps to reproduce

- A zone file that was loading prior to the upgrade now fails when the following lines are present in the zone:

```
$ORIGIN _domainkey.gvtc.communication.gvtc.net.
hs1-2082415 CNAME gvtc-communication-gvtc-net.hs17a.dkim.hubspotemail.net.
hs2-2082415 CNAME gvtc-communication-gvtc-net.hs17b.dkim.hubspotemail.net.
$ORIGIN gvtc.communication.gvtc.net.
TXT "v=spf1 include:2082415.spf07.hubspotemail.net -all"
$ORIGIN gvtc.net.
```
The above fails to load the zone with these errors:

```
Feb 23 01:15:31 ns0-0 named[1003]: /etc/bind/masters/db.gvtc.net:167: record with inherited owner (hs2-2082415._domainkey.gvtc.communication.gvtc.net) immediately after $ORIGIN (gvtc.communication.gvtc.net)
Feb 23 01:15:31 ns0-0 named[1003]: dns_master_load: /etc/bind/masters/db.gvtc.net:167: hs2-2082415._domainkey.gvtc.communication.gvtc.net: CNAME and other data
Feb 23 01:15:31 ns0-0 named[1003]: zone gvtc.net/IN: loading from master file /etc/bind/masters/db.gvtc.net failed: CNAME and other data
Feb 23 01:15:31 ns0-0 named[1003]: zone gvtc.net/IN: not loaded due to errors.
Feb 23 01:15:54 ns0-0 named[1003]: received control channel command 'reload gvtc.net'
Feb 23 01:15:54 ns0-0 named[1003]: /etc/bind/masters/db.gvtc.net:168: record with inherited owner (hs2-2082415._domainkey.gvtc.communication.gvtc.net) immediately after $ORIGIN (gvtc.communication.gvtc.net)
Feb 23 01:15:54 ns0-0 named[1003]: dns_master_load: /etc/bind/masters/db.gvtc.net:168: hs2-2082415._domainkey.gvtc.communication.gvtc.net: CNAME and other data
Feb 23 01:15:54 ns0-0 named[1003]: zone gvtc.net/IN: loading from master file /etc/bind/masters/db.gvtc.net failed: CNAME and other data
Feb 23 01:15:54 ns0-0 named[1003]: zone gvtc.net/IN: not loaded due to errors.
```
The zone was last edited on Feb 13th, 2024 and loaded without issue on the prior version of ISC BIND9.

Edited the zone to use this construct instead:
```
$ORIGIN _domainkey.gvtc.communication.gvtc.net.
hs1-2082415 CNAME gvtc-communication-gvtc-net.hs17a.dkim.hubspotemail.net.
hs2-2082415 CNAME gvtc-communication-gvtc-net.hs17b.dkim.hubspotemail.net.
; $ORIGIN gvtc.communication.gvtc.net.
; TXT "v=spf1 include:2082415.spf07.hubspotemail.net -all"
$ORIGIN gvtc.net.
$ORIGIN communication.gvtc.net.
gvtc TXT "v=spf1 include:2082415.spf07.hubspotemail.net -all"
$ORIGIN gvtc.net.
```
Now the zone file loads cleanly again.

If we uncomment the two commented lines and comment out the replacement lines, the zone fails. Flip it back to this form and the zone loads.

The only thing different, as far as we can tell, was updating Bind9 via Ubuntu.
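Why the first construct fails and the second loads, shown as an added Python example (not from the report and not BIND's own code): under the master-file rule a record with a blank owner inherits the previous record's owner, not the `$ORIGIN` just set, so the TXT record lands on the `hs2-2082415._domainkey...` name next to its CNAME and trips the CNAME-and-other-data check. Both zone snippets are reconstructed from the report; treating a leading type keyword as a blank owner and skipping TTL/class handling are simplifications of this checker, not of named.

```python
# Constructed samples: the failing and the working construct from the report.
FAILING_ZONE = """\
$ORIGIN _domainkey.gvtc.communication.gvtc.net.
hs1-2082415 CNAME gvtc-communication-gvtc-net.hs17a.dkim.hubspotemail.net.
hs2-2082415 CNAME gvtc-communication-gvtc-net.hs17b.dkim.hubspotemail.net.
$ORIGIN gvtc.communication.gvtc.net.
TXT "v=spf1 include:2082415.spf07.hubspotemail.net -all"
$ORIGIN gvtc.net.
"""
FIXED_ZONE = """\
$ORIGIN _domainkey.gvtc.communication.gvtc.net.
hs1-2082415 CNAME gvtc-communication-gvtc-net.hs17a.dkim.hubspotemail.net.
hs2-2082415 CNAME gvtc-communication-gvtc-net.hs17b.dkim.hubspotemail.net.
$ORIGIN communication.gvtc.net.
gvtc TXT "v=spf1 include:2082415.spf07.hubspotemail.net -all"
$ORIGIN gvtc.net.
"""
TYPES = {"A", "AAAA", "CAA", "CNAME", "MX", "NS", "PTR", "SOA", "SRV", "TXT"}

def fqdn(name, origin):  # '@' is the origin; relative names get the origin appended
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def check_zone(text, zone_origin):
    """Replay the owner-inheritance rule: a blank owner (leading whitespace, or a
    line starting with a type keyword; simplified) inherits the PREVIOUS record's
    owner, not the current $ORIGIN. Returns (lineno, message) like named's log."""
    origin, last_owner, after_origin = zone_origin, None, False
    rrtypes, problems = {}, []           # owner -> record types seen so far
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()   # comment strip; ';' inside TXT unsupported
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin, after_origin = tokens[1], True
            continue
        if line[0].isspace() or tokens[0].upper() in TYPES:   # blank owner: inherit
            if last_owner is None:
                raise ValueError(f"line {lineno}: no previous owner to inherit")
            owner, rest = last_owner, tokens
            if after_origin:                 # the warning named logs for this construct
                problems.append((lineno, "record with inherited owner (%s) immediately "
                                 "after $ORIGIN (%s)" % (owner.rstrip("."), origin.rstrip("."))))
        else:
            owner, rest = fqdn(tokens[0], origin), tokens[1:]
        after_origin, last_owner = False, owner
        rtype, seen = rest[0].upper(), rrtypes.setdefault(owner, set())
        if seen and (("CNAME" in seen) != (rtype == "CNAME")):   # CNAME mixed with other data
            problems.append((lineno, "%s: CNAME and other data" % owner.rstrip(".")))
        seen.add(rtype)
    return problems
```

Running `check_zone(FAILING_ZONE, "gvtc.net.")` reproduces both messages from the report at the TXT line, while the reworked construct returns no problems.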