bind 9.7.1 tries to automatically resign non-dynamic zones

Paul B. Henson henson at acm.org
Fri Sep 3 19:23:01 UTC 2010


Didn't see any replies on this :(. I did send it on a Sunday and maybe it
slipped through the cracks, so I thought I'd try one more time and hope
somebody might have an idea what's going on :).

I opened a bug with ISC, but no response on that yet. I dug through the
source code some myself, the auto-dnssec option seems to control the
"refreshkeytime", whereas the automatic resigning behavior I'm seeing is
controlled by the "resigntime". That is initialized in zone.c by the
function sc_time_settoepoch, which if left to that value would not result
in automatic resigning. The function set_resigntime gets called during zone
loading, which fetches a time via dns_db_getsigningtime. I'm not sure where
that's getting a time from, but it results in the server wanting to resign
stuff 7 days before the signatures expire. It calls zone_resigninc, which
is resulting in the error messages and failures listed below. None of this
seems conditional on the zone in question being dynamic.

Anybody have any suggestions on how to make bind stop trying to
automatically resign a non-dynamic zone?

Thanks...


On Sun, 29 Aug 2010, Paul B. Henson wrote:

> We're prototyping dnssec with bind 9.7.1, and ran into a strange issue
> where it looks like bind is trying to automatically resign non-dynamic
> zones when the signatures are going to expire.
>
> Our zones are signed by an external process, and all bind is supposed to do
> is serve them 8-/. Zones are signed whenever contents change, or at least
> monthly to prevent the signatures from expiring. One of the zones hadn't
> been changed all month so far, and the signatures were only valid for 7
> more days, when suddenly these errors popped up in the logs:
>
> Aug 28 10:33:37 atlas named[4001]: dns_dnssec_findzonekeys2: error reading
> private key file calpolypomona.org/RSASHA256/19218: file not found
> Aug 28 10:33:37 atlas named[4001]: dns_dnssec_findzonekeys2: error reading
> private key file calpolypomona.org/RSASHA256/10476: file not found
> Aug 28 10:33:37 atlas named[4001]: dns_dnssec_findzonekeys2: error reading
> private key file calpolypomona.org/RSASHA256/60885: file not found
> Aug 28 10:33:37 atlas named[4001]: dns_dnssec_findzonekeys2: error reading
> private key file calpolypomona.org/RSASHA256/60649: file not found
> Aug 28 10:33:37 atlas named[4001]: dns_dnssec_findzonekeys2: error reading
> private key file calpolypomona.org/RSASHA256/18097: file not found
> Aug 28 10:33:37 atlas named[4001]:
> /var/lib/bind/cpp/calpolypomona.org_external.jnl: create: permission denied
> Aug 28 10:33:37 atlas named[4001]: zone calpolypomona.org/IN/external:
> zone_resigninc:dns_journal_open -> unexpected error
> Aug 28 10:33:37 atlas named[4001]: zone calpolypomona.org/IN/external:
> sending notifies (serial 2010080101)
> Aug 28 10:33:53 atlas named[4001]: dns_dnssec_findzonekeys2: error reading
> private key file calpolypomona.org/RSASHA256/19218: file not found
> Aug 28 10:33:53 atlas named[4001]: dns_dnssec_findzonekeys2: error reading
> private key file calpolypomona.org/RSASHA256/10476: file not found
> Aug 28 10:33:53 atlas named[4001]: dns_dnssec_findzonekeys2: error reading
> private key file calpolypomona.org/RSASHA256/60885: file not found
> Aug 28 10:33:53 atlas named[4001]: dns_dnssec_findzonekeys2: error reading
> private key file calpolypomona.org/RSASHA256/60649: file not found
> Aug 28 10:33:53 atlas named[4001]: dns_dnssec_findzonekeys2: error reading
> private key file calpolypomona.org/RSASHA256/18097: file not found
> Aug 28 10:33:53 atlas named[4001]:
> /var/lib/bind/cpp/calpolypomona.org_external.jnl: create: permission denied
> Aug 28 10:33:53 atlas named[4001]: zone calpolypomona.org/IN/external:
> zone_resigninc:dns_journal_open -> unexpected error
> Aug 28 10:33:53 atlas named[4001]: zone calpolypomona.org/IN/external:
> sending notifies (serial 2010080102)
> [...]
> Aug 28 10:35:14 atlas named[4001]: zone calpolypomona.org/IN/external:
> setting keywarntime to 1283664914 - 7 days
>
> It seems like it noticed there were only 7 days of signature validity left,
> and decided it would just go ahead and resign. The zones are *not* dynamic,
> the bind service account (as demonstrated by the permission denied errors)
> doesn't even have write permission on the directories in which the zone
> files are stored. The authoritative serial in the file on disk is
> 2010080100, yet it started bumping the serial on the zone in memory higher
> (and passing that on to the secondaries, which would have broken any actual
> updates that might have been performed).
>
> From reviewing the manual, this behavior should only occur if the zones are
> dynamic, *and* auto-dnssec is enabled; neither is true.
>
> Bug?
>
> Thanks...
>
>
>

-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson at csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
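As an added monitoring check (not code from the post or from BIND itself): a script that scans an externally signed zone file, finds the earliest-expiring RRSIG and reports whether it is inside the 7-day window in which, per the post, named started resigning on its own. The zone content, timestamps and key tag are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Threshold reported in the post: named began resigning with 7 days of validity left.
RESIGN_WARN_DAYS = 7

# One RRSIG in presentation format: name [TTL] [IN] RRSIG type alg labels origttl exp inc keytag signer sig
# Assumes one record per line; a parenthesised multi-line RRSIG must be joined first.
RRSIG_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?RRSIG\s+(?P<type>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)"
)

def parse_sigtime(ts):
    """RRSIG inception/expiration fields are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_expirations(zone_text):
    """Return (owner, covered type, keytag, expiration) for every RRSIG in the zone text."""
    found = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if m:
            found.append((m["name"], m["type"], int(m["keytag"]), parse_sigtime(m["exp"])))
    return found

def check_zone(zone_text, now, warn_days=RESIGN_WARN_DAYS):
    """Classify the zone by its earliest-expiring RRSIG relative to `now`."""
    sigs = rrsig_expirations(zone_text)
    if not sigs:
        return {"status": "unsigned", "days_left": None, "earliest": None}
    earliest = min(sigs, key=lambda s: s[3])
    remaining = earliest[3] - now
    if remaining <= timedelta(0):
        status = "expired"
    elif remaining <= timedelta(days=warn_days):
        status = "resign-now"  # inside the window where named tried to resign by itself
    else:
        status = "ok"
    return {"status": status, "days_left": remaining.total_seconds() / 86400, "earliest": earliest}

# Constructed sample: a zone signed externally on 5 Aug 2010 with 30-day signatures (not the poster's data).
SAMPLE_ZONE = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2010080100 7200 3600 1209600 3600
example.org. 3600 IN RRSIG SOA 8 2 3600 20100904103337 20100805103337 19218 example.org. c29tZXNpZw==
www.example.org. 3600 IN A 192.0.2.10
www.example.org. 3600 IN RRSIG A 8 3 3600 20100910000000 20100811000000 19218 example.org. c29tZXNpZw==
"""
```

Run it from cron against the on-disk zone files so the external signer is triggered before named's own 7-day window is reached; for example, `check_zone(open(path).read(), datetime.now(timezone.utc))`.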