DNSSEC validation fails on system resume
Summary
Suspending and resuming my laptop running named confuses it most of the time, and DNSSEC validation fails until the cache is flushed.
BIND version used
BIND 9.11.5-P4-5.1+b1-Debian (Extended Support Version) <id:998753c>
running on Linux x86_64 5.3.0-1-amd64 #1 SMP Debian 5.3.7-1 (2019-10-19)
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-libjson=/usr' '--with-lmdb=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-s5VLOp/bind9-9.11.5.P4+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 8.3.0
compiled with OpenSSL version: OpenSSL 1.1.1c 28 May 2019
linked to OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
threads support is enabled
Steps to reproduce
Install BIND on a laptop, enable DNSSEC validation, suspend the system and resume it after about 1 hour (the same also happens after about 8 hours). It is not certain, but I hit the bug most of the time.
This started happening between 1 and 2 years ago. I have been running BIND on my laptop for over 15 years and it used to work fine (and I think that I enabled DNSSEC validation more than 2 years ago).
What is the current bug behavior?
DNSSEC validation will fail for some records until the cache is flushed with rndc flush.
I have found that sending a SIGHUP to named just before the system is suspended and then a SIGCONT 2-3 seconds after (defined as "when the scripts in /usr/lib/systemd/system-sleep/ are run") resume fixes the problem almost every time.
What is the expected correct behavior?
named should not care about the system being suspended.
Relevant configuration files
options {
    dnssec-enable yes;
    dnssec-validation auto;
    ...
};
Relevant logs and/or screenshots
Details have been collected in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693587 by multiple submitters.
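
A systemd sleep hook that automates the cache flush described in this report, as an added example that is not part of the original report or of BIND itself: it runs rndc flush a few seconds after resume instead of sending signals. The RNDC and RESUME_DELAY variables and the function names are assumptions, and rndc must already be able to control the local named.

```shell
#!/bin/sh
# Constructed example: install as an executable file under
# /usr/lib/systemd/system-sleep/ (the file name is up to you).
# systemd runs each hook there with $1 = pre|post and
# $2 = suspend|hibernate|hybrid-sleep|suspend-then-hibernate.

# Assumption: rndc is on PATH and its control key is configured.
RNDC="${RNDC:-rndc}"
# Seconds to wait after resume before flushing; the report mentions 2-3 s.
RESUME_DELAY="${RESUME_DELAY:-3}"

# Map the hook phase to an action: "flush" after resume, "none" otherwise.
hook_action() {
    case "$1" in
        post) echo flush ;;
        *)    echo none ;;
    esac
}

# Wait briefly, then drop named's cache so stale DNSSEC data from
# before the suspend is not used for validation.
flush_named_cache() {
    sleep "$RESUME_DELAY"
    if "$RNDC" flush; then
        echo "named cache flushed after resume"
    else
        rc=$?
        echo "rndc flush failed (exit $rc)" >&2
        return "$rc"
    fi
}

# Entry point: do nothing before suspend, flush after resume.
run_hook() {
    [ "$(hook_action "$1")" = flush ] || return 0
    flush_named_cache
}

# Only act when systemd passed arguments; sourcing the file is a no-op.
[ "$#" -eq 0 ] || run_hook "$@"
```

Flushing discards the whole cache, so the first lookups after resume are slower until the cache refills.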