named occasionally stops zone resigning and reloading with inline signing
bind version in use:
BIND 9.12.1-P2
running on FreeBSD amd64 11.2-RELEASE FreeBSD 11.2-RELEASE #0 r335510: Fri Jun 22 04:32:14 UTC 2018 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC
built by make with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--with-libxml2=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlopen=yes' '--sysconfdir=/usr/local/etc/namedb' '--disable-dnstap' '--disable-fixed-rrset' '--without-geoip' '--with-idn=/usr/local' '--enable-ipv6' '--with-libjson=/usr/local' '--disable-largefile' '--with-lmdb=/usr/local' '--with-python=/usr/local/bin/python2.7' '--disable-querytrace' '--enable-rpz-nsdname' '--enable-rpz-nsip' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-tcp-fastopen' '--enable-threads' '--with-tuning=default' '--without-gssapi' '--with-openssl=/usr' '--disable-native-pkcs11' '--with-dlz-filesystem=yes' '--without-gost' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.1' 'build_alias=amd64-portbld-freebsd11.1' 'CC=clang' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector -isystem /usr/local/include -fno-strict-aliasing' 'LDFLAGS= -fstack-protector' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=clang-cpp'
compiled by CLANG 4.2.1 Compatible FreeBSD Clang 4.0.0 (tags/RELEASE_400/final 297347)
compiled with OpenSSL version: OpenSSL 1.0.2k-freebsd 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2o-freebsd 27 Mar 2018
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with libjson-c version: 0.13
linked to libjson-c version: 0.13
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
Summary
named (9.11 or 9.12) sometimes fails to load a changed master file and to resign the zone after an rndc reload, even though rndc reports the reload as successful. To recover from this, named must be stopped and the journal files (and the signed copy of the zone) deleted. The issue has been discussed here: https://marc.info/?l=bind-users&m=152837141204255&w=2 Zone file and config file available on request.
Steps to reproduce
- Add a RR and set the SOA serial to a new value (1st change today would be 2018072500) in master file.
- Give an rndc reload command.
- Query for SOA and added RR with dig.
- Expected changes are missing.
- Give an rndc zonestatus.
- "last loaded:" shows old value.
- "serial:" shows 2018072500
- "signed serial:" shows 2018072500
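The steps above can be turned into a post-reload check that catches the reported state automatically: "rndc reload" returns success and "rndc zonestatus" shows the new serial, but the running server still answers from the old data. The script below is an added example, not part of this bug report or of BIND; the parsing helpers are pure and are exercised on constructed sample text (a sample master file and zonestatus excerpts built from the values in the transcript further down), and live_check is the only function that talks to named (it assumes dig and rndc in PATH and named listening on 127.0.0.1).

```shell
#!/bin/sh
# Added example, not from the bug report: detect a reload that "succeeded"
# but did not take effect, by comparing the SOA serial in the master file
# with the serial named answers and by checking that a freshly added RR is
# actually served. Sample inputs below are constructed for this example.

# Serial from "dig +short <zone> SOA" output, i.e. the third field of
# "mname rname serial refresh retry expire minimum".
served_serial() {
    printf '%s\n' "$1" | awk 'NF >= 7 { print $3; exit }'
}

# Serial from a master file: the third RDATA token after "SOA" (mname, rname,
# serial), counted across lines with parentheses and ";" comments removed.
zonefile_serial() {
    awk '
        { sub(/;.*/, ""); gsub(/[()]/, " ") }
        {
            for (i = 1; i <= NF; i++) {
                if (!insoa) { if ($i == "SOA") insoa = 1; continue }
                if (++n == 3) { print $i; exit }
            }
        }' "$1"
}

# One field of "rndc zonestatus" output, e.g. zonestatus_field "$out" "last loaded".
zonestatus_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p"
}

# True when "last loaded" changed between two zonestatus outputs. In the
# report it stayed at the previous day's value after the reload although
# "serial:" already showed the new number.
reload_took_effect() {
    before=$(zonestatus_field "$1" "last loaded")
    after=$(zonestatus_field "$2" "last loaded")
    [ -n "$after" ] && [ "$before" != "$after" ]
}

# Constructed master file in the layout the report diffs (new serial, new AAAA).
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 3600
$ORIGIN lrau.net.
@        IN SOA ns1.lrau.net. hostmaster.lrau.net. (
             2018072500 ; Serial number
             3600       ; Refresh
             900        ; Retry
             1209600    ; Expire
             300 )      ; Minimum
         IN NS   ns1.lrau.net.
voip-gw1 IN A    91.216.35.210
         IN AAAA 2a05:bec0:26:18::210
EOF
}

# Constructed zonestatus excerpts using the values from the report's transcript.
SAMPLE_STATUS_BEFORE='serial: 2018072403
signed serial: 2018072430
last loaded: Tue, 24 Jul 2018 19:08:01 GMT'
SAMPLE_STATUS_STUCK='serial: 2018072500
signed serial: 2018072500
last loaded: Tue, 24 Jul 2018 19:08:01 GMT'
SAMPLE_STATUS_RECOVERED='serial: 2018072500
signed serial: 2018072527
last loaded: Wed, 25 Jul 2018 11:34:00 GMT'

# Live check, run right after "rndc reload <zone>". Returns 1 when the serial
# in the file is not the one served, or the RR just added is not answered.
live_check() {
    zone=$1 file=$2 name=$3 type=$4
    file_ser=$(zonefile_serial "$file")
    srv_ser=$(served_serial "$(dig +short @127.0.0.1 "$zone" SOA)")
    if [ "$file_ser" != "$srv_ser" ]; then
        echo "STUCK: file serial $file_ser but named serves $srv_ser" >&2
        rndc zonestatus "$zone" | grep -E '^(serial|signed serial|last loaded):' >&2
        return 1
    fi
    if [ -z "$(dig +short @127.0.0.1 "$name" "$type")" ]; then
        echo "STUCK: $name $type not served although serial $srv_ser is" >&2
        return 1
    fi
    echo "OK: serial $srv_ser and $name $type are served"
}

# e.g.: live_check lrau.net master/signed/lrau.net/lrau.net.zone voip-gw1.lrau.net AAAA
```

A non-zero exit from live_check is the cue to apply the recovery shown in the transcript (stop named, remove the .jbk/.jnl/.signed files, start named); the key files in the same directory must not be touched.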
Relevant scripts
Keys, signatures and unattended maintenance of the DS RR upstream are handled by this script: https://github.com/mc3/DSKM using dnssec-keygen, dnssec-dsfromkey and dnssec-settime.
Relevant configuration files
relevant part of server config file:
options {
serial-update-method date;
}; // options
relevant zone clause of the server config file:
zone "lrau.net" in {
type master;
file "master/signed/lrau.net/lrau.net.zone";
key-directory "master/signed/lrau.net/";
auto-dnssec maintain;
inline-signing yes;
dnssec-secure-to-insecure no;
also-notify {
1.2.3.4;
5.6.7.8;
};
};
Transcript of bug occurrence today
prompt: rndc zonestatus lrau.net
name: lrau.net
type: master
files: master/signed/lrau.net/lrau.net.zone, master/signed/lrau.net/caldav.lrau.net.tlsa, master/signed/lrau.net/git3.lrau.net.tlsa, master/signed/lrau.net/git4.lrau.net.tlsa, master/signed/lrau.net/lists3.lrau.net.tlsa, master/signed/lrau.net/lists4.lrau.net.tlsa, master/signed/lrau.net/mailout3.lrau.net.tlsa, master/signed/lrau.net/mailout4.lrau.net.tlsa, master/signed/lrau.net/mx3.lrau.net.tlsa, master/signed/lrau.net/mx4.lrau.net.tlsa, master/signed/lrau.net/timap3.lrau.net.tlsa, master/signed/lrau.net/tmx3.lrau.net.tlsa, master/signed/lrau.net/acme_challenges.inc
serial: 2018072403
signed serial: 2018072430
nodes: 89
last loaded: Tue, 24 Jul 2018 19:08:01 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Wed, 25 Jul 2018 11:08:02 GMT
next resign node: lrau.net/MX
next resign time: Thu, 16 Aug 2018 06:09:55 GMT
dynamic: no
reconfigurable via modzone: no
prompt: diff lrau.net.zone lrau.net.zone.back
7c7
< 2018072500 ; Serial number
---
> 2018072403 ; Serial number
229,230c229
< voip-gw1 IN A 91.216.35.210
< IN AAAA 2a05:bec0:26:18::210
---
> voip-gw1 IN A 91.216.35.210
prompt: rndc reload
server reload successful
relevant log entries:
13:00:03 zone lrau.net/IN (signed): next key event: 25-Jul-2018 14:00:31.162
13:00:03 reloading zones succeeded
13:00:03 zone lrau.net/IN (unsigned): loaded serial 2018072500
13:00:03 zone lrau.net/IN (signed): serial 2018072500 (unsigned 2018072500)
13:00:03 all zones loaded
prompt: rndc zonestatus lrau.net
name: lrau.net
type: master
files: master/signed/lrau.net/lrau.net.zone, master/signed/lrau.net/caldav.lrau.net.tlsa, master/signed/lrau.net/git3.lrau.net.tlsa, master/signed/lrau.net/git4.lrau.net.tlsa, master/signed/lrau.net/lists3.lrau.net.tlsa, master/signed/lrau.net/lists4.lrau.net.tlsa, master/signed/lrau.net/mailout3.lrau.net.tlsa, master/signed/lrau.net/mailout4.lrau.net.tlsa, master/signed/lrau.net/mx3.lrau.net.tlsa, master/signed/lrau.net/mx4.lrau.net.tlsa, master/signed/lrau.net/timap3.lrau.net.tlsa, master/signed/lrau.net/tmx3.lrau.net.tlsa, master/signed/lrau.net/acme_challenges.inc
serial: 2018072500
signed serial: 2018072500
nodes: 89
last loaded: Tue, 24 Jul 2018 19:08:01 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Wed, 25 Jul 2018 12:00:31 GMT
next resign node: lrau.net/MX
next resign time: Thu, 16 Aug 2018 06:09:55 GMT
dynamic: no
prompt: ls -l
total 181
-rw-r--r--  1 bind  pki_op    536 May 11 15:55 Klrau.net.+008+02496.key
-rw-------  1 bind  pki_op   1060 May 11 15:55 Klrau.net.+008+02496.private
-rw-r--r--  1 bind  pki_op    711 May 27 00:55 Klrau.net.+008+24919.key
-rw-------  1 bind  pki_op   1824 May 27 00:55 Klrau.net.+008+24919.private
-rw-r--r--  1 bind  pki_op    537 Jul 10 15:55 Klrau.net.+008+60714.key
-rw-------  1 bind  pki_op   1060 Jul 10 15:55 Klrau.net.+008+60714.private
drwxr-x---  2 bind  wheel       3 Nov 15  2012 RCS
-rw-rw-r--  1 bind  pki_op      0 Jun 15 17:05 acme_challenges.inc
-rw-rw-r--  1 bind  pki_op      0 Aug  6  2016 caldav.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op      0 Aug  6  2016 caldav3.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op      0 Aug  6  2016 caldav4.lrau.net.tlsa
-rw-r-----  1 bind  wheel     456 Aug 14  2012 dnssec-conf-lrau.net
-rw-r-----  1 bind  wheel     308 Jul 25 11:55 dnssec-stat-lrau.net
-rw-rw-r--  1 bind  pki_op    109 Jun 13 20:05 git3.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op    109 Jun 13 20:05 git4.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op    218 Jun  6 18:05 imap.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op    220 Jun  6 18:05 imap3.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op    220 Jun  6 18:05 imap4.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op    110 Jun 14 12:05 lists3.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op    110 Jun 14 12:05 lists4.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op   6611 Jul 25 12:52 lrau.net.zone
-rw-r--r--  1 root  pki_op   6577 Jul 25 12:25 lrau.net.zone.back
-rw-r--r--  1 bind  pki_op    512 Jul 24 21:08 lrau.net.zone.jbk
-rw-r--r--  1 bind  pki_op    731 Jul 25 13:00 lrau.net.zone.jnl
-rw-r--r--  1 bind  pki_op  50361 Jul 24 21:19 lrau.net.zone.signed
-rw-r--r--  1 bind  pki_op  58381 Jul 25 13:00 lrau.net.zone.signed.jnl
-rw-rw-r--  1 bind  pki_op    112 Jun  6 19:05 mailout3.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op    112 Jun  6 19:05 mailout4.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op    107 Jun  6 21:05 mx3.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op    107 Jun  6 21:05 mx4.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op      0 Nov  1  2016 timap.lrau.net.tlsa
-rw-rw-r--  1 root  pki_op    332 Jun 22 13:05 timap3.lrau.net.tlsa
-rw-rw-r--  1 bind  pki_op      0 Oct 29  2016 tmx.lrau.net.tlsa
-rw-rw-r--  1 root  pki_op    108 Jun 22 13:05 tmx3.lrau.net.tlsa
prompt: named-checkzone lrau.net master/signed/lrau.net/lrau.net.zone
zone lrau.net/IN: loaded serial 2018072500
OK
prompt: service named stop
Stopping named.
Waiting for PIDS: 54208.
prompt: rm *.jbk *.jnl *.signed
prompt: service named start
Starting named.
prompt: rndc zonestatus lrau.net
name: lrau.net
type: master
files: master/signed/lrau.net/lrau.net.zone, master/signed/lrau.net/caldav.lrau.net.tlsa, master/signed/lrau.net/git3.lrau.net.tlsa, master/signed/lrau.net/git4.lrau.net.tlsa, master/signed/lrau.net/lists3.lrau.net.tlsa, master/signed/lrau.net/lists4.lrau.net.tlsa, master/signed/lrau.net/mailout3.lrau.net.tlsa, master/signed/lrau.net/mailout4.lrau.net.tlsa, master/signed/lrau.net/mx3.lrau.net.tlsa, master/signed/lrau.net/mx4.lrau.net.tlsa, master/signed/lrau.net/timap3.lrau.net.tlsa, master/signed/lrau.net/tmx3.lrau.net.tlsa, master/signed/lrau.net/acme_challenges.inc
serial: 2018072500
signed serial: 2018072527
nodes: 89
last loaded: Wed, 25 Jul 2018 11:34:00 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Wed, 25 Jul 2018 12:34:00 GMT
next resign node: uplink.bu.lrau.net/NSEC
next resign time: Thu, 16 Aug 2018 22:44:02 GMT
dynamic: no
reconfigurable via modzone: no
prompt: