Operational Notification: Zone journal (.jnl) file incompatibility,after upgrading to BIND 9.16.12 and 9.17
ISC Security Officer
security-officer at isc.org
Sat Feb 20 02:41:27 UTC 2021
To our users --
This week we issued new release versions of BIND (9.11.28, 9.16.12,
and 9.17.10, plus versions 9.11.28-S1 and 9.16.12-S1 of BIND
Supported Preview Edition for those customers who are eligible.)
Unfortunately a second issue has now been uncovered that may
affect operators upgrading to BIND 9.16.12 and 9.16.12-S1, and
potentially also those evaluating BIND 9.17 development branch
The following Operational Notification explains the issue.
A useful option for authoritative zone operators (max-ixfr-ratio)
was back-ported from BIND 9.17.0 to BIND 9.16.12 without realising
that its implementation required a change to the journal (.jnl)
file format which is used for tracking incremental changes in
dynamically-updated zones, inline-signing zones and for
facilitating incremental transfers.
This problem manifests when restarting named following the upgrade,
when named opens the .jnl file associated with the zone file on
disk to determine whether or not it needs to perform a roll-forward.
The format change will prevent the zone from being loaded. To
avoid this problem, the older-format .jnl files need to be removed
before restarting named. These .jnl files are not needed on restart
if the current version of the zone was written to disk before or
during the shutdown of named.
Servers that do not have any dynamically managed, incrementally-
updated, or inline-signed zones should not be affected.
We deeply regret that a second issue has now arisen with these new
BIND releases, and one which will, for some operators, require
painstaking intervention during their upgrade.
If you are upgrading to the any of the releases listed in this
notification, then during your upgrade, please follow the mitigation
steps documented in the workaround section of this notification.
We will be adding code changes that automatically handle the
.jnl file format change into the March 2021 maintenance releases.
Operational Notification: Zone journal (.jnl) file incompatibility
after upgrading to BIND 9.16.12 and 9.17
Posting date: 19 February 2021
Program impacted: BIND
Versions affected: BIND 9.16.12, BIND 9.16.12-S1 (Supported Preview
Edition) and versions 9.17.0 -> 9.17.10 of the 9.17
All changes made to a zone using dynamic updates or inbound
incremental zone update (IXFR) are stored in the zone's journal file.
This journal (.jnl) file is automatically created and maintained by
named, and will be used when named is re-started after a shutdown or
crash to roll-forward (replay) any zone updates that were not yet in
the version of the zone on disk when named stopped. A zone's journal
file is also used to provide incremental updates (IXFRs) to other
servers. DNSSEC-signed zones using inline-signing will also have
journal files associated with the signed version of the zone.
In BIND 9.17.0, we introduced the max-ixfr-ratio option, which is a
percentage representing the ratio of IXFR size to the size of the
entire zone. This sets the size threshold (expressed as a percentage
of the size of the full zone) beyond which named chooses to use an
AXFR response rather than IXFR when answering zone transfer requests.
This feature has now been back-ported to BIND 9.16, making its debut
in the 9.16.12 releases.
Unfortunately, one feature of this change escaped our notice, both
when writing the release documentation for BIND 9.17.0, and then
later on, adding the max-ixfr-ratio option to BIND 9.16.12. A small
change was required to the format of the journal (.jnl) file format
in order to support the calculation of an IXFR size during its
preparation. The old format .jnl file is incompatible with the
versions of BIND that support the new max-ixfr-ratio option.
When BIND is upgraded to 9.16.12, 9.16.12-S1 or 9.17 (any version)
and then started with journal (.jnl) files present that were created
by earlier versions, then the zone load will fail because the journal
roll-forward step will not recognise the older format.
This problem can affect BIND servers whose authoritative zones are
maintained via dynamic updates, or by editing the zone file and
reloading on a server with option 'ixfr-from-differences' enabled.
Secondary zones that are maintained using incremental updates (IXFR)
are similarly at risk. The 'ixfr-from-differences' option may also be
used in some environments to generate journal files following an
We do not have a tool available to convert the journal files to the
new format, therefore on upgrading, it is necessary to start named
with the old format journal files removed.
(Options if you have not yet upgraded:)
1. Before upgrading, ensure that named is stopped using rndc stop.
This will ensure that all zones are written to disk during the
shutdown processing. After named has stopped, delete or relocate all
the associated .jnl files so that they are not accessed when named is
restarted. named will generate new .jnl files as needed.
Warning: Do not stop named using rndc halt before upgrading
Using rndc halt instead of rndc stop will stop the server
immediately. Recent changes made through dynamic update or
IXFR are not saved to the zone files on disk first (and will
need to be rolled-forward from the journal files when named is
restarted; this is what you need to prevent so that you can
delete them before upgrading).
2. For a provisioning/primary authoritative server, you have another
option for ensuring that the zones are written to disk and that the
journal files are removed. First, ensure that all dynamic updates are
paused, then issue command:
rndc sync -clean
Then stop named as normal (you should not need to remove the .jnl
files manually as the 'rndc sync -clean' will have taken care of this
(Options if you have already upgraded:)
3. If named was stopped before you upgraded using rndc stop and you
know that this completed successfully, then removing or relocating
the .jnl files will be all that you need to do.
4. If you are not sure if your zone files on disk were updated when
you stopped named and you have a large number of zones to recover,
then it may be easiest to back-out the update, start named to do the
roll-forward and load, and then shutdown again (rndc stop) before
following option 1. above.
5. If you have only a small number of zones to recover, then you may
prefer to recover (or build) named-checkzone from your pre-upgrade
version of BIND and use that to regenerate the zone files from
the .jnl files.
For example, to create a new zone file 'example.com.new' for zone
'example.com' by rolling forward from 'example.com.jnl' and
'example.com', you would type:
named-checkzone -jD -o example.com.new example.com example.com
And then you would:
- remove files 'example.com.jnl' and 'example.com'
- rename 'example.com.new' to 'example.com'.
Note: Use -f and -F options if your zone files are not in text
format. BIND supports several formats of zone file - check which
format you need first.
Hint: Make backup copies of the zone and .jnl files before you run
named-compilezone. The named-checkzone utility, when run with the
-jD options, will apply the journal file changes to the zone and
then delete it afterwards. If you make a mistake with the options,
you may want to start again; having a backup copy in that situation
Code changes to support roll-forward from the older format of .jnl
files are planned for the March 2021 maintenance releases (due
17 March 2021) but until then the measures suggested in the
"Workarounds" section should prevent or resolve post-upgrade zone
loading problems for Authoritative BIND server operators.
Do you still have questions?
Questions regarding this notification should go to security-
officer at isc.org. To report a new issue, please encrypt your message
using security-officer at isc.org's PGP key which can be found here:
https://www.isc.org/pgpkey/. If you are unable to use encrypted email,
you may also report new issues at: https://www.isc.org/reportbug/.
ISC patches only currently supported versions. When possible we
indicate EOL versions affected. (For current information on which
versions are actively supported, please see:
ISC Security Vulnerability Disclosure Policy:
Details of our current security advisory policy and practice can be
found in the ISC Software Defect and Security Vulnerability
Disclosure Policy at https://kb.isc.org/docs/aa-00861.
This Knowledgebase article, found at
is the complete and official
operational notification document.
Internet Systems Consortium (ISC) is providing this notice on an "AS
IS" basis. No warranty or guarantee of any kind is expressed in this
notice and none should be implied. ISC expressly excludes and
disclaims any warranties regarding this notice or materials referred
to in this notice, including, without limitation, any implied
warranty of merchantability, fitness for a particular purpose,
absence of hidden defects, or of non-infringement. Your use or
reliance on this notice or materials referred to in this notice is at
your own risk. ISC may change this notice at any time. A stand-alone
copy or paraphrase of the text of this document that omits the
document URL is an uncontrolled copy. Uncontrolled copies may lack
important information, be out of date, or contain factual errors.
More information about the bind-announce