BIND resolver locks up
Summary
With dnssec-validation enabled (auto), CPU utilization shoots up after ~15 min and the named process becomes unresponsive. The only remedy is to kill -9 the process and restart it.
BIND version affected
BIND 9.19.22 (Development Release) <id:d01a4e5>
running on Linux x86_64 6.7.10-gentoo-dist-hardened #1 SMP PREEMPT_DYNAMIC Sat Mar 16 10:24:08 CET 2024
built by make with '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--datarootdir=/usr/share' '--disable-dependency-tracking' '--disable-silent-rules' '--docdir=/usr/share/doc/bind-9.19.22' '--htmldir=/usr/share/doc/bind-9.19.22/html' '--with-sysroot=/' '--libdir=/usr/lib64' '--prefix=/usr' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-full-report' '--without-readline' '--with-openssl=/usr' '--with-jemalloc' '--with-json-c' '--with-zlib' '--disable-dnsrps' '--disable-dnstap' '--enable-doh' '--with-libnghttp2' '--disable-fixed-rrset' '--disable-static' '--disable-geoip' '--without-maxminddb' '--with-gssapi' '--with-libidn2' '--without-lmdb' '--with-libxml2' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-march=native -O2 -pipe -fomit-frame-pointer -flto -Werror=odr -Werror=lto-type-mismatch -Werror=strict-aliasing' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed -Wl,-z,pack-relative-relocs' 'PKG_CONFIG_PATH=/var/tmp/portage/net-dns/bind-9.19.22/temp/python3.11/pkgconfig' 'PYTHON=/usr/bin/python3.11'
compiled by GCC 13.2.1 20240210
compiled with OpenSSL version: OpenSSL 3.2.1 30 Jan 2024
linked to OpenSSL version: OpenSSL 3.2.1 30 Jan 2024
compiled with libuv version: 1.48.0
linked to libuv version: 1.48.0
compiled with liburcu version: 0.14.0
compiled with jemalloc version: 5.3.0
compiled with libnghttp2 version: 1.60.0
linked to libnghttp2 version: 1.60.0
compiled with libxml2 version: 2.12.6
linked to libxml2 version: 21206
compiled with json-c version: 0.17
linked to json-c version: 0.17
compiled with zlib version: 1.3.1
linked to zlib version: 1.3.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): no
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
Steps to reproduce
- Use attached configuration file
- Start the BIND server with the command: `/usr/sbin/named -u named`
- With clients on the local network using recursion, it only takes ~15 min for the bug to show.
What is the current bug behavior?
The named process locks up and stops responding; `ps` shows `named 31677 158 0.2 469800 45472 ? Rsl 09:12 26:18 /usr/sbin/named -u named`, i.e. CPU utilization at 158%.
What is the expected correct behavior?
The named process should not lock up. There was no such issue in 9.19.21, and there is none in 9.18.25.
Relevant configuration files
key "dhcp" {
algorithm hmac-sha512;
secret "";
};
key "acmechallenge" {
algorithm hmac-sha512;
secret "";
};
tls "local-tls" {
cert-file "/etc/acme-sh/domain.net_ecc/fullchain.cer";
key-file "/etc/acme-sh/domain.net_ecc/domain.net.key";
protocols { TLSv1.2; TLSv1.3; };
ciphers "EECDH+AES256+AESGCM:EECDH+CHACHA20:EECDH+AES128+AESGCM:EECDH+AES256+SHA384";
prefer-server-ciphers yes;
session-tickets no;
};
masters "notifyhenet" {
216.218.130.2;
2001:470:100::2;
};
acl "xferhenet" {
216.218.133.2;
2001:470:600::2;
};
acl "trusted" {
127.0.0.1;
10.0.0.0/16;
IPV4;
::1;
IPV6_SUBNET/56;
};
dnssec-policy "standard" {
keys {
ksk lifetime unlimited algorithm ecdsap256sha256;
zsk lifetime 90d algorithm ecdsap256sha256;
};
dnskey-ttl 86400;
publish-safety 7d;
retire-safety 7d;
purge-keys 7d;
nsec3param iterations 0 optout no salt-length 0;
};
options {
directory "/var/bind";
pid-file "/run/named/named.pid";
server-id "ns.domain.net";
version none;
listen-on { 127.0.0.1; IPV4; 10.0.0.1; };
listen-on-v6 { ::1; IPV6; };
listen-on port 853 tls local-tls { 127.0.0.1; IPV4; 10.0.0.1; };
listen-on-v6 port 853 tls local-tls { ::1; IPV6; };
allow-query { trusted; };
allow-query-cache { trusted; };
allow-recursion { trusted; };
allow-transfer { trusted; };
allow-update { none; };
forward first;
forwarders port 853 tls local-tls {
1.1.1.1; 2606:4700:4700::1111; // Cloudflare DNS
1.0.0.1; 2606:4700:4700::1001; // Cloudflare DNS
/* 8.8.8.8; 2001:4860:4860::8888; // Google DNS
8.8.4.4; 2001:4860:4860::8844; // Google DNS */
};
/* forwarders {
1.1.1.1; 2606:4700:4700::1111; // Cloudflare DNS
1.0.0.1; 2606:4700:4700::1001; // Cloudflare DNS
84.255.209.79; 2a01:260:1:2::3; // T-2 DNS
84.255.210.79; 2a01:260:1:3::3; // T-2 DNS
}; */
bindkeys-file "/etc/bind/bind.keys";
dnssec-validation auto; // auto - check from time to time, a lot of broken dnssec mess
validate-except {
plex.tv;
anker-in.com;
};
max-cache-size 512M;
edns-udp-size 1232;
max-udp-size 1232;
ixfr-from-differences yes;
};
logging {
channel info_log {
file "/var/log/named/named.log";
print-time yes;
print-severity yes;
print-category yes;
severity info;
};
channel notice_log {
file "/var/log/named/named.log";
print-time yes;
print-severity yes;
print-category yes;
severity notice;
};
category default { info_log; };
category lame-servers { notice_log; };
category security { notice_log; };
};
//controls { };
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1; ::1; } keys { "rndc-key"; };
inet ::1 port 953 allow { 127.0.0.1; ::1; } keys { "rndc-key"; };
};
/*
statistics-channels {
inet 127.0.0.1 port 8053 allow { 127.0.0.1; ::1; };
inet ::1 port 8053 allow { 127.0.0.1; ::1; };
};
*/
zone "localhost" {
type master;
file "pri/localhost.zone";
notify no;
};
zone "127.in-addr.arpa" {
type master;
file "pri/127.zone";
notify no;
};
zone "0.10.in-addr.arpa" {
type master;
file "dyn/0.10.in-addr.arpa.zone";
notify no;
allow-update { key dhcp; };
};
zone "ipv6subnet.ip6.arpa" {
type master;
file "dyn/ipv6subnet.ip6.arpa.zone";
notify explicit;
also-notify { notifyhenet; };
allow-query { any; };
allow-transfer { xferhenet; trusted; };
allow-update { key dhcp; };
key-directory "keys/ipv6subnet.ip6.arpa";
dnssec-policy standard;
inline-signing yes;
};
zone "domain.net" {
type master;
file "pri/domain.net.zone";
notify explicit;
also-notify { notifyhenet; };
allow-query { any; };
allow-transfer { xferhenet; trusted; };
key-directory "keys/domain.net";
dnssec-policy standard;
inline-signing yes;
};
zone "lan.domain.net" {
type master;
file "dyn/lan.domain.net.zone";
notify explicit;
also-notify { notifyhenet; };
allow-query { any; };
allow-transfer { xferhenet; trusted; };
allow-update { key dhcp; };
key-directory "keys/lan.domain.net";
dnssec-policy standard;
inline-signing yes;
};
zone "acme-challenge.domain.net" {
type master;
file "dyn/acme-challenge.domain.net.zone";
notify no;
allow-query { any; };
allow-update { key acmechallenge; };
key-directory "keys/acme-challenge.domain.net";
dnssec-policy standard;
inline-signing yes;
};
zone "dnswl.org" {
type forward;
forwarders { };
};
zone "uribl.com" {
type forward;
forwarders { };
};
zone "surbl.org" {
type forward;
forwarders { };
};
Relevant logs
The session from 9:12 to 9:28 showed the broken behavior, and there is nothing about it in the logs; the session that starts at 9:28 had dnssec-validation turned off (set to `no`).
26-Mar-2024 09:12:02.547 general: notice: command channel listening on 127.0.0.1#953
26-Mar-2024 09:12:02.547 general: notice: command channel listening on ::1#953
26-Mar-2024 09:12:02.547 network: info: updating TLS context on 127.0.0.1#853
26-Mar-2024 09:12:02.547 network: info: updating TLS context on IPV4#853
26-Mar-2024 09:12:02.547 network: info: updating TLS context on 10.0.0.1#853
26-Mar-2024 09:12:02.547 network: info: updating TLS context on ::1#853
26-Mar-2024 09:12:02.547 network: info: updating TLS context on IPV6#853
26-Mar-2024 09:12:02.547 zoneload: info: managed-keys-zone: loaded serial 259
26-Mar-2024 09:12:02.550 zoneload: info: zone 0.10.in-addr.arpa/IN: loaded serial 2024022951
26-Mar-2024 09:12:02.550 zoneload: info: zone localhost/IN: loaded serial 2008122601
26-Mar-2024 09:12:02.550 zoneload: info: zone 127.in-addr.arpa/IN: loaded serial 2008122601
26-Mar-2024 09:12:02.550 zoneload: info: zone domain.net/IN (unsigned): loaded serial 2024022900
26-Mar-2024 09:12:02.550 zoneload: info: zone ipv6subnet.ip6.arpa/IN (unsigned): loaded serial 2024022843
26-Mar-2024 09:12:02.550 zoneload: info: zone acme-challenge.domain.net/IN (unsigned): loaded serial 2024022800
26-Mar-2024 09:12:02.550 zoneload: info: zone domain.net/IN (signed): loaded serial 2024022983 (DNSSEC signed)
26-Mar-2024 09:12:02.550 zoneload: info: zone lan.domain.net/IN (unsigned): loaded serial 2024023082
26-Mar-2024 09:12:02.550 zoneload: info: zone acme-challenge.domain.net/IN (signed): loaded serial 2024022817 (DNSSEC signed)
26-Mar-2024 09:12:02.550 general: info: zone acme-challenge.domain.net/IN (signed): receive_secure_serial: unchanged
26-Mar-2024 09:12:02.550 zoneload: info: zone ipv6subnet.ip6.arpa/IN (signed): loaded serial 2024022872 (DNSSEC signed)
26-Mar-2024 09:12:02.550 dnssec: info: zone acme-challenge.domain.net/IN (signed): reconfiguring zone keys
26-Mar-2024 09:12:02.550 zoneload: info: zone lan.domain.net/IN (signed): loaded serial 2024023184 (DNSSEC signed)
26-Mar-2024 09:12:02.550 general: notice: all zones loaded
26-Mar-2024 09:12:02.550 general: info: zone ipv6subnet.ip6.arpa/IN (signed): receive_secure_serial: unchanged
26-Mar-2024 09:12:02.550 notify: info: zone ipv6subnet.ip6.arpa/IN (signed): sending notifies (serial 2024022872)
26-Mar-2024 09:12:02.550 dnssec: info: zone ipv6subnet.ip6.arpa/IN (signed): reconfiguring zone keys
26-Mar-2024 09:12:02.550 general: notice: FIPS mode is disabled
26-Mar-2024 09:12:02.550 general: notice: running
26-Mar-2024 09:12:02.550 general: info: zone domain.net/IN (signed): receive_secure_serial: unchanged
26-Mar-2024 09:12:02.550 general: info: zone lan.domain.net/IN (signed): receive_secure_serial: unchanged
26-Mar-2024 09:12:02.550 notify: info: zone domain.net/IN (signed): sending notifies (serial 2024022983)
26-Mar-2024 09:12:02.550 dnssec: info: zone domain.net/IN (signed): reconfiguring zone keys
26-Mar-2024 09:12:02.553 dnssec: info: zone domain.net/IN (signed): next key event: 20-Apr-2024 13:00:00.550
26-Mar-2024 09:12:02.553 notify: info: zone lan.domain.net/IN (signed): sending notifies (serial 2024023184)
26-Mar-2024 09:12:02.553 dnssec: info: zone lan.domain.net/IN (signed): reconfiguring zone keys
26-Mar-2024 09:12:02.557 dnssec: info: zone ipv6subnet.ip6.arpa/IN (signed): next key event: 20-Apr-2024 13:00:00.550
26-Mar-2024 09:12:02.557 notify: info: zone ipv6subnet.ip6.arpa/IN (signed): sending notify to 216.218.130.2#53
26-Mar-2024 09:12:02.557 notify: info: zone ipv6subnet.ip6.arpa/IN (signed): sending notify to 2001:470:100::2#53
26-Mar-2024 09:12:02.560 dnssec: info: zone acme-challenge.domain.net/IN (signed): next key event: 20-Apr-2024 13:00:00.550
26-Mar-2024 09:12:02.560 dnssec: info: zone lan.domain.net/IN (signed): next key event: 20-Apr-2024 13:00:00.553
26-Mar-2024 09:12:02.563 notify: info: zone domain.net/IN (signed): sending notify to 216.218.130.2#53
26-Mar-2024 09:12:02.563 notify: info: zone domain.net/IN (signed): sending notify to 2001:470:100::2#53
26-Mar-2024 09:12:02.563 notify: info: zone lan.domain.net/IN (signed): sending notify to 2001:470:100::2#53
26-Mar-2024 09:12:02.563 notify: info: zone lan.domain.net/IN (signed): sending notify to 216.218.130.2#53
26-Mar-2024 09:12:02.573 dnssec: info: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
26-Mar-2024 09:28:47.548 general: notice: command channel listening on 127.0.0.1#953
26-Mar-2024 09:28:47.548 general: notice: command channel listening on ::1#953
26-Mar-2024 09:28:47.548 network: info: updating TLS context on 127.0.0.1#853
26-Mar-2024 09:28:47.548 network: info: updating TLS context on IPV4#853
26-Mar-2024 09:28:47.548 network: info: updating TLS context on 10.0.0.1#853
26-Mar-2024 09:28:47.548 network: info: updating TLS context on ::1#853
26-Mar-2024 09:28:47.548 network: info: updating TLS context on IPV6#853
26-Mar-2024 09:28:47.548 zoneload: info: zone 0.10.in-addr.arpa/IN: loaded serial 2024022951
26-Mar-2024 09:28:47.548 zoneload: info: zone acme-challenge.domain.net/IN (unsigned): loaded serial 2024022800
26-Mar-2024 09:28:47.548 zoneload: info: zone acme-challenge.domain.net/IN (signed): loaded serial 2024022817 (DNSSEC signed)
26-Mar-2024 09:28:47.548 zoneload: info: zone 127.in-addr.arpa/IN: loaded serial 2008122601
26-Mar-2024 09:28:47.548 zoneload: info: zone ipv6subnet.ip6.arpa/IN (unsigned): loaded serial 2024022843
26-Mar-2024 09:28:47.548 general: info: zone acme-challenge.domain.net/IN (signed): receive_secure_serial: unchanged
26-Mar-2024 09:28:47.548 dnssec: info: zone acme-challenge.domain.net/IN (signed): reconfiguring zone keys
26-Mar-2024 09:28:47.552 zoneload: info: zone ipv6subnet.ip6.arpa/IN (signed): loaded serial 2024022872 (DNSSEC signed)
26-Mar-2024 09:28:47.552 zoneload: info: zone domain.net/IN (unsigned): loaded serial 2024022900
26-Mar-2024 09:28:47.552 zoneload: info: zone localhost/IN: loaded serial 2008122601
26-Mar-2024 09:28:47.552 zoneload: info: zone lan.domain.net/IN (unsigned): loaded serial 2024023082
26-Mar-2024 09:28:47.552 zoneload: info: zone domain.net/IN (signed): loaded serial 2024022983 (DNSSEC signed)
26-Mar-2024 09:28:47.552 general: info: zone domain.net/IN (signed): receive_secure_serial: unchanged
26-Mar-2024 09:28:47.552 notify: info: zone domain.net/IN (signed): sending notifies (serial 2024022983)
26-Mar-2024 09:28:47.552 dnssec: info: zone domain.net/IN (signed): reconfiguring zone keys
26-Mar-2024 09:28:47.552 zoneload: info: zone lan.domain.net/IN (signed): loaded serial 2024023184 (DNSSEC signed)
26-Mar-2024 09:28:47.552 general: notice: all zones loaded
26-Mar-2024 09:28:47.552 general: notice: FIPS mode is disabled
26-Mar-2024 09:28:47.552 general: notice: running
26-Mar-2024 09:28:47.552 general: info: zone ipv6subnet.ip6.arpa/IN (signed): receive_secure_serial: unchanged
26-Mar-2024 09:28:47.552 general: info: zone lan.domain.net/IN (signed): receive_secure_serial: unchanged
26-Mar-2024 09:28:47.552 notify: info: zone ipv6subnet.ip6.arpa/IN (signed): sending notifies (serial 2024022872)
26-Mar-2024 09:28:47.552 dnssec: info: zone ipv6subnet.ip6.arpa/IN (signed): reconfiguring zone keys
26-Mar-2024 09:28:47.558 dnssec: info: zone acme-challenge.domain.net/IN (signed): next key event: 20-Apr-2024 13:00:00.548
26-Mar-2024 09:28:47.562 dnssec: info: zone domain.net/IN (signed): next key event: 20-Apr-2024 13:00:00.552
26-Mar-2024 09:28:47.562 notify: info: zone domain.net/IN (signed): sending notify to 216.218.130.2#53
26-Mar-2024 09:28:47.562 notify: info: zone domain.net/IN (signed): sending notify to 2001:470:100::2#53
26-Mar-2024 09:28:47.565 dnssec: info: zone ipv6subnet.ip6.arpa/IN (signed): next key event: 20-Apr-2024 13:00:00.552
26-Mar-2024 09:28:47.565 notify: info: zone lan.domain.net/IN (signed): sending notifies (serial 2024023184)
26-Mar-2024 09:28:47.565 dnssec: info: zone lan.domain.net/IN (signed): reconfiguring zone keys
26-Mar-2024 09:28:47.572 dnssec: info: zone lan.domain.net/IN (signed): next key event: 20-Apr-2024 13:00:00.565
26-Mar-2024 09:28:47.572 notify: info: zone ipv6subnet.ip6.arpa/IN (signed): sending notify to 216.218.130.2#53
26-Mar-2024 09:28:47.572 notify: info: zone ipv6subnet.ip6.arpa/IN (signed): sending notify to 2001:470:100::2#53
26-Mar-2024 09:28:47.572 notify: info: zone lan.domain.net/IN (signed): sending notify to 2001:470:100::2#53
26-Mar-2024 09:28:47.572 notify: info: zone lan.domain.net/IN (signed): sending notify to 216.218.130.2#53