member zones of a catalog are not reconfigured
Summary
I found a bug in the catalog zones. New settings, e.g. allow-query, are not applied to catalog zone members after rndc reload on the secondary.
BIND version affected
$ /usr/local/bind/9.18.27/sbin/named -V
BIND 9.18.27 (Extended Support Version) <id:663e6d9>
Steps to reproduce
1. Configure primary with zone + catalog.
2. Configure secondary for the catalog and set e.g. allow-query in the options block.
3. Start primary and secondary BIND servers.
4. Change secondary's allow-query in the options block.
5. Reload secondary configuration with the rndc reload command.
6. (For comparison) restart the secondary named process.
What is the current bug behavior?
Modified allow-query (and other configuration) for zones received via the catalog is not applied after rndc reload.
What is the expected correct behavior?
Modified allow-query (and other configuration) is applied to all zones.
Relevant configuration files
- primary named.conf
options {
directory "/root/primary";
recursion no;
allow-query { any; };
allow-query-cache { none; };
allow-transfer { any; };
notify explicit;
listen-on { 127.0.0.1; };
listen-on-v6 { none; };
};
include "rndc.key";
controls {
inet 127.0.0.1 port 953 allow { any; } keys { "rndc-key"; };
};
zone "example.com" {
type primary;
file "example.com.zone";
};
zone "catalog.internal" {
type primary;
file "catalog.internal.zone";
};
- secondary named.conf
options {
directory "/root/secondary";
recursion no;
allow-query { 127.0.0.1; };
allow-query-cache { none; };
allow-transfer { none; };
notify explicit;
listen-on { 127.0.0.2; };
listen-on-v6 { none; };
catalog-zones {
zone "catalog.internal"
default-primaries { 127.0.0.1; }
in-memory no
zone-directory "catz";
};
};
include "rndc.key";
controls {
inet 127.0.0.2 port 953 allow { any; } keys { "rndc-key"; };
};
zone "catalog.internal" {
type secondary;
primaries { 127.0.0.1; };
file "catalog.internal.zone";
};
- secondary named.conf (after step 4)
options {
directory "/root/secondary";
recursion no;
allow-query { 127.0.0.1; 127.0.0.2; }; // add 127.0.0.2
allow-query-cache { none; };
allow-transfer { none; };
notify explicit;
listen-on { 127.0.0.2; };
listen-on-v6 { none; };
catalog-zones {
zone "catalog.internal"
default-primaries { 127.0.0.1; }
in-memory no
zone-directory "catz";
};
};
include "rndc.key";
controls {
inet 127.0.0.2 port 953 allow { any; } keys { "rndc-key"; };
};
zone "catalog.internal" {
type secondary;
primaries { 127.0.0.1; };
file "catalog.internal.zone";
};
- example.com.zone
$TTL 86400
@ IN SOA ns1 root 1 86400 1800 86400 1800
@ IN NS ns1
ns1 IN A 127.0.0.1
- catalog.internal.zone
@ IN SOA . . 1 86400 1800 86400 1800
@ IN NS invalid.
version IN TXT "2"
l1.zones IN PTR example.com.
Relevant logs
- (step3) dig to secondary
$ dig +norec -b 127.0.0.1 @127.0.0.2 example.com -t soa
; <<>> DiG 9.18.27 <<>> +norec -b 127.0.0.1 @127.0.0.2 example.com -t soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11565
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 922fbedac38d12a301000000664713d5560ffe29e43e2f08 (good)
;; QUESTION SECTION:
;example.com. IN SOA
;; ANSWER SECTION:
example.com. 86400 IN SOA ns1.example.com. root.example.com. 1 86400 1800 86400 1800
;; AUTHORITY SECTION:
example.com. 86400 IN NS ns1.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 86400 IN A 127.0.0.1
;; Query time: 0 msec
;; SERVER: 127.0.0.2#53(127.0.0.2) (UDP)
;; WHEN: Fri May 17 17:22:45 JST 2024
;; MSG SIZE rcvd: 143
$ dig +norec -b 127.0.0.1 @127.0.0.2 catalog.internal -t soa
; <<>> DiG 9.18.27 <<>> +norec -b 127.0.0.1 @127.0.0.2 catalog.internal -t soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30260
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 2fc18d96f1ca2029010000006647166bff3b68148e6766fd (good)
;; QUESTION SECTION:
;catalog.internal. IN SOA
;; ANSWER SECTION:
catalog.internal. 1800 IN SOA . . 1 86400 1800 86400 1800
;; AUTHORITY SECTION:
catalog.internal. 1800 IN NS invalid.
;; Query time: 0 msec
;; SERVER: 127.0.0.2#53(127.0.0.2) (UDP)
;; WHEN: Fri May 17 17:33:47 JST 2024
;; MSG SIZE rcvd: 128
-> it's fine because 127.0.0.1 is included in allow-query.
$ dig +norec -b 127.0.0.2 @127.0.0.2 example.com -t soa
; <<>> DiG 9.18.27 <<>> +norec -b 127.0.0.2 @127.0.0.2 example.com -t soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 16541
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 43a471a2e39e387301000000664715296a67efb9a362c788 (good)
; EDE: 18 (Prohibited)
;; QUESTION SECTION:
;example.com. IN SOA
;; Query time: 0 msec
;; SERVER: 127.0.0.2#53(127.0.0.2) (UDP)
;; WHEN: Fri May 17 17:28:25 JST 2024
;; MSG SIZE rcvd: 74
$ dig +norec -b 127.0.0.2 @127.0.0.2 catalog.internal -t soa
; <<>> DiG 9.18.27 <<>> +norec -b 127.0.0.2 @127.0.0.2 catalog.internal -t soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 13190
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0132be8ce7b35a51010000006647169bcbd7749d3fae2b1c (good)
; EDE: 18 (Prohibited)
;; QUESTION SECTION:
;catalog.internal. IN SOA
;; Query time: 1 msec
;; SERVER: 127.0.0.2#53(127.0.0.2) (UDP)
;; WHEN: Fri May 17 17:34:35 JST 2024
;; MSG SIZE rcvd: 79
-> also it's fine because 127.0.0.2 is NOT included in allow-query.
- (step5) dig to secondary
$ dig +norec -b 127.0.0.1 @127.0.0.2 example.com -t soa
; <<>> DiG 9.18.27 <<>> +norec -b 127.0.0.1 @127.0.0.2 example.com -t soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51618
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 3b213c5fe91f28fb01000000664716cd60b7f677ed14856a (good)
;; QUESTION SECTION:
;example.com. IN SOA
;; ANSWER SECTION:
example.com. 86400 IN SOA ns1.example.com. root.example.com. 1 86400 1800 86400 1800
;; AUTHORITY SECTION:
example.com. 86400 IN NS ns1.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 86400 IN A 127.0.0.1
;; Query time: 0 msec
;; SERVER: 127.0.0.2#53(127.0.0.2) (UDP)
;; WHEN: Fri May 17 17:35:25 JST 2024
;; MSG SIZE rcvd: 143
$ dig +norec -b 127.0.0.1 @127.0.0.2 catalog.internal -t soa
; <<>> DiG 9.18.27 <<>> +norec -b 127.0.0.1 @127.0.0.2 catalog.internal -t soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41429
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 3c16b7b321a0e69501000000664716e73238373566635144 (good)
;; QUESTION SECTION:
;catalog.internal. IN SOA
;; ANSWER SECTION:
catalog.internal. 1800 IN SOA . . 1 86400 1800 86400 1800
;; AUTHORITY SECTION:
catalog.internal. 1800 IN NS invalid.
;; Query time: 0 msec
;; SERVER: 127.0.0.2#53(127.0.0.2) (UDP)
;; WHEN: Fri May 17 17:35:51 JST 2024
;; MSG SIZE rcvd: 128
-> it's fine because 127.0.0.1 is included in allow-query.
$ dig +norec -b 127.0.0.2 @127.0.0.2 example.com -t soa
; <<>> DiG 9.18.27 <<>> +norec -b 127.0.0.2 @127.0.0.2 example.com -t soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20375
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 68750dc1c9e075ef0100000066471744904ec1a474ee00ac (good)
; EDE: 18 (Prohibited)
;; QUESTION SECTION:
;example.com. IN SOA
;; Query time: 0 msec
;; SERVER: 127.0.0.2#53(127.0.0.2) (UDP)
;; WHEN: Fri May 17 17:37:24 JST 2024
;; MSG SIZE rcvd: 74
$ dig +norec -b 127.0.0.2 @127.0.0.2 catalog.internal -t soa
; <<>> DiG 9.18.27 <<>> +norec -b 127.0.0.2 @127.0.0.2 catalog.internal -t soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19281
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: b35eaabc11d0bf82010000006647177608e56c838ed0d382 (good)
;; QUESTION SECTION:
;catalog.internal. IN SOA
;; ANSWER SECTION:
catalog.internal. 1800 IN SOA . . 1 86400 1800 86400 1800
;; AUTHORITY SECTION:
catalog.internal. 1800 IN NS invalid.
;; Query time: 0 msec
;; SERVER: 127.0.0.2#53(127.0.0.2) (UDP)
;; WHEN: Fri May 17 17:38:14 JST 2024
;; MSG SIZE rcvd: 128
-> this is wrong: 127.0.0.2 is now included in allow-query, yet example.com (a catalog member zone) is still REFUSED, while the statically configured catalog.internal is answered.
- (step6) dig to secondary after restarting the secondary named process
$ dig +norec -b 127.0.0.2 @127.0.0.2 example.com -t soa
; <<>> DiG 9.18.27 <<>> +norec -b 127.0.0.2 @127.0.0.2 example.com -t soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50041
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: ec5b1d5c2fcd724701000000664717f0a195aacd64806c33 (good)
;; QUESTION SECTION:
;example.com. IN SOA
;; ANSWER SECTION:
example.com. 86400 IN SOA ns1.example.com. root.example.com. 1 86400 1800 86400 1800
;; AUTHORITY SECTION:
example.com. 86400 IN NS ns1.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 86400 IN A 127.0.0.1
;; Query time: 0 msec
;; SERVER: 127.0.0.2#53(127.0.0.2) (UDP)
;; WHEN: Fri May 17 17:40:16 JST 2024
;; MSG SIZE rcvd: 143
$ dig +norec -b 127.0.0.2 @127.0.0.2 catalog.internal -t soa
; <<>> DiG 9.18.27 <<>> +norec -b 127.0.0.2 @127.0.0.2 catalog.internal -t soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30603
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0b56d746cc074c0d0100000066471808f5d90317c436c04d (good)
;; QUESTION SECTION:
;catalog.internal. IN SOA
;; ANSWER SECTION:
catalog.internal. 1800 IN SOA . . 1 86400 1800 86400 1800
;; AUTHORITY SECTION:
catalog.internal. 1800 IN NS invalid.
;; Query time: 0 msec
;; SERVER: 127.0.0.2#53(127.0.0.2) (UDP)
;; WHEN: Fri May 17 17:40:40 JST 2024
;; MSG SIZE rcvd: 128
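The following script is an added example, not part of the original report or of BIND's own tooling. It automates the check performed by hand in steps 3, 5 and 6 above: it issues the same `dig +norec -b SRC @SERVER ZONE SOA` queries from every source address, parses the RCODE, and compares it with what the options-level allow-query ACL says each answer should be. A catalog member zone still serving the pre-reload ACL (as example.com does at step 5) is reported as a mismatch. The comparison is symmetric, so it would equally flag the inverse case, an address removed from the ACL that a member zone keeps answering; that direction is not demonstrated on this page but follows from the reported behaviour. It assumes `dig` is on PATH and that the server address, zone names and ACL constants (taken from the named.conf shown above) are edited to match the deployment under test.

```python
#!/usr/bin/env python3
"""Post-reload ACL probe for a BIND secondary carrying catalog member zones.

Added example (not part of the original report or of BIND). For each
(source address, zone) pair it runs the same query as the report's dig
commands and compares the RCODE with the options-level allow-query ACL.

Assumptions: `dig` is on PATH; SERVER, ZONES, SOURCES and ALLOW_QUERY mirror
the named.conf on this page and must be edited for a real deployment.
"""
import re
import subprocess
from typing import Dict, List, Tuple

SERVER = "127.0.0.2"                          # secondary's listen-on address
ZONES = ["catalog.internal", "example.com"]   # static zone + catalog member zone
SOURCES = ["127.0.0.1", "127.0.0.2"]          # addresses to bind with dig -b
ALLOW_QUERY = {"127.0.0.1", "127.0.0.2"}      # options { allow-query } after step 4

Probe = Tuple[str, str]               # (source address, zone)
Mismatch = Tuple[str, str, str, str]  # (source, zone, expected, observed)

_STATUS_RE = re.compile(r"status: ([A-Z]+)")


def parse_status(dig_output: str) -> str:
    """Extract the RCODE from dig's ';; ->>HEADER<<- ... status: X' line."""
    m = _STATUS_RE.search(dig_output)
    return m.group(1) if m else "NORESPONSE"


def expected_status(source: str, allow_query: set) -> str:
    """RCODE the options-level ACL says the server should return."""
    return "NOERROR" if source in allow_query else "REFUSED"


def find_stale_zones(observed: Dict[Probe, str], allow_query: set) -> List[Mismatch]:
    """Return every (source, zone) whose observed RCODE contradicts the ACL."""
    stale: List[Mismatch] = []
    for (source, zone), status in sorted(observed.items()):
        want = expected_status(source, allow_query)
        if status != want:
            stale.append((source, zone, want, status))
    return stale


def run_dig(source: str, server: str, zone: str) -> str:
    """Same query shape as the report: dig +norec -b SRC @SERVER ZONE SOA."""
    cmd = ["dig", "+norec", "+time=2", "+tries=1",
           "-b", source, "@" + server, zone, "SOA"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def probe_all(server: str = SERVER, zones=ZONES, sources=SOURCES) -> Dict[Probe, str]:
    """Query every zone from every source address and collect the RCODEs."""
    return {(s, z): parse_status(run_dig(s, server, z)) for s in sources for z in zones}


if __name__ == "__main__":
    import sys
    stale = find_stale_zones(probe_all(), ALLOW_QUERY)
    for source, zone, want, got in stale:
        print(f"{zone}: query from {source} got {got}, ACL says {want} (stale ACL?)")
    sys.exit(1 if stale else 0)
```

Run it once after `rndc reload`; a non-zero exit means at least one zone is not enforcing the ACL currently in named.conf, which for a secondary is the cue to restart named rather than trust the reload.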
Edited by Petr Špaček