Bind 9.11.13 - inline re-signing stops

Ondřej Surý ondrej at isc.org
Wed Feb 5 19:02:17 UTC 2020


Hi Matthew,

we have fixed a data race in related code in BIND 9.11.15.

However, if you can get us a coredump using gdb and tar it with the associated binary and libraries, we might be able to look into it. ISC GitLab should have a high enough limit to accept a tar.xz; make sure you set the issue as confidential, and we will sanitize it before making the issue public in the future. You may use pandora.isc.org to drop off larger files in a confidential manner and link them to the GitLab issue.

Ondřej
--
Ondřej Surý — ISC
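The coredump-plus-binary-plus-libraries bundle requested above, as an added example (not ISC tooling and not from either poster): it pauses named under gdb to write a core, then tars the core together with every on-disk object the process actually has mapped, read from /proc/<pid>/maps rather than from ldd so that what ships matches what was loaded. Linux, gdb on PATH and permission to ptrace named are assumed; the maps excerpt and paths such as /usr/sbin/named are constructed for illustration.

```python
"""Capture a core of the running named with gdb and bundle it with the
binary and shared objects the process has mapped, as a .tar.xz for a
confidential ISC GitLab issue.

Added example, not ISC tooling. Assumes Linux (/proc), gdb on PATH and
permission to ptrace named; the sample maps content and its paths are
constructed for illustration.
"""
import os
import subprocess
import tarfile

# Constructed /proc/<pid>/maps excerpt: binary, one live library, one
# anonymous mapping, one library replaced on disk since start, two pseudo-files.
SAMPLE_MAPS = """\
00400000-00401000 r--p 00000000 08:01 1234                 /usr/sbin/named
00401000-00480000 r-xp 00001000 08:01 1234                 /usr/sbin/named
7f1a2b000000-7f1a2b0c0000 r-xp 00000000 08:01 5678         /usr/lib64/libisc.so.169
7f1a2b0c0000-7f1a2b0c1000 rw-p 00000000 00:00 0
7f1a2b100000-7f1a2b110000 r-xp 00000000 08:01 9999         /usr/lib64/libdns.so.1109 (deleted)
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0            [stack]
7ffd00100000-7ffd00102000 r-xp 00000000 00:00 0            [vdso]
"""


def parse_proc_maps(text):
    """Return (mapped_files, deleted) from /proc/<pid>/maps content.

    mapped_files: unique on-disk objects in first-seen order (binary + libraries).
    deleted:      objects replaced on disk after named started (e.g. a package
                  upgrade); the core will not match the copies now on disk, so
                  they are reported instead of silently tarred.
    """
    seen, deleted = [], []
    for line in text.splitlines():
        parts = line.split(None, 5)            # 6th column is the path, if any
        if len(parts) < 6:
            continue
        path = parts[5].strip()
        if not path.startswith("/"):           # [stack], [vdso], [heap], ...
            continue
        if path.endswith(" (deleted)"):
            path = path[: -len(" (deleted)")]
            if path not in deleted:
                deleted.append(path)
            continue
        if path not in seen:
            seen.append(path)
    return seen, deleted


def capture_core(pid, core_path):
    """Write a core image without killing named (it is stopped while gdb runs)."""
    subprocess.run(["gdb", "-p", str(pid), "--batch",
                    "-ex", f"generate-core-file {core_path}"], check=True)
    return core_path


def bundle(pid, core_path, out_tar):
    """Tar the core plus every file the process maps, keeping absolute paths."""
    with open(f"/proc/{pid}/maps") as f:
        files, deleted = parse_proc_maps(f.read())
    for path in deleted:
        print(f"warning: {path} was replaced on disk after named started")
    with tarfile.open(out_tar, "w:xz") as tar:
        tar.add(core_path, arcname=os.path.basename(core_path))
        for path in files:
            if os.path.exists(path):
                tar.add(path, arcname=path.lstrip("/"))
    return out_tar


if __name__ == "__main__":
    import sys
    pid = int(sys.argv[1])                      # usage: script.py <pid of named>
    core = capture_core(pid, f"/tmp/named-{pid}.core")
    print("wrote", bundle(pid, core, f"/tmp/named-{pid}-core.tar.xz"))
```

Run it as root on the signing server. Treat the resulting archive as secret: the core image of an inline-signing named contains the zone keys it has loaded, which is one more reason the issue must be filed as confidential, as the reply asks.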

> On 5 Feb 2020, at 19:28, Matthew Richardson <matthew-l at itconsult.co.uk> wrote:
> 
> I have an interesting issue with a hidden master running 9.11.13 and
> configured with inline signing on a number of zones, configured thus:-
> 
>> zone "42.201.193.in-addr.arpa" {
>>   type master;
>>   file "zones/master/42.201.193.in-addr.arpa.db";
>>   inline-signing yes;
>>   auto-dnssec maintain;
>> };
> 
> Prior to 30 January, all the zones configured in this way were regularly
> being re-signed, logging entries such as:-
> 
>> 29-Jan-2020 03:37:02.129 general: info: zone 42.201.193.in-addr.arpa/IN (signed): reconfiguring zone keys
>> 29-Jan-2020 03:37:02.131 general: info: zone 42.201.193.in-addr.arpa/IN (signed): next key event: 29-Jan-2020 15:37:02.129
>> 29-Jan-2020 15:37:02.129 general: info: zone 42.201.193.in-addr.arpa/IN (signed): reconfiguring zone keys
>> 29-Jan-2020 15:37:02.131 general: info: zone 42.201.193.in-addr.arpa/IN (signed): next key event: 30-Jan-2020 03:37:02.129
>> 30-Jan-2020 03:35:01.604 general: info: zone 42.201.193.in-addr.arpa/IN (signed): reconfiguring zone keys
>> 30-Jan-2020 03:35:01.606 general: info: zone 42.201.193.in-addr.arpa/IN (signed): next key event: 30-Jan-2020 15:35:01.604
> 
> Since an "rndc reload" at 12:22 on 30 January, this logging has stopped and
> NONE of the signed zones have had any of their RRSIGs re-signed.  Today,
> one sees:-
> 
>> [root@m70 dns]# rndc zonestatus 42.201.193.in-addr.arpa
>> name: 42.201.193.in-addr.arpa
>> type: master
>> files: zones/master/42.201.193.in-addr.arpa.db
>> serial: 286
>> signed serial: 3829
>> nodes: 140
>> last loaded: Sun, 24 Nov 2019 07:13:00 GMT
>> secure: yes
>> inline signing: yes
>> key maintenance: automatic
>> next key event: Wed, 05 Feb 2020 18:01:42 GMT
>> next resign node: DI2VMBB2GDES2IKFVFRUB7DIDDC7TI8L.42.201.193.in-addr.arpa/NSEC3
>> next resign time: Thu, 30 Jan 2020 21:25:35 GMT
>> dynamic: no
>> reconfigurable via modzone: no
> 
> which clearly shows "next resign" as being in the past.  The server
> reports:-
> 
>> [root@m70 dns]# rndc status
>> version: BIND 9.11.13 (Extended Support Version) <id:ad4df16>
>> running on m70: Linux x86_64 4.14.120-x86_64-linode125 #1 SMP Mon May 20 16:43:35 UTC 2019
>> boot time: Sun, 24 Nov 2019 09:51:27 GMT
>> last configured: Wed, 05 Feb 2020 18:10:21 GMT
>> configuration file: /etc/named.conf
>> CPUs found: 1
>> worker threads: 1
>> UDP listeners per interface: 1
>> number of zones: 773 (0 automatic)
>> debug level: 0
>> xfers running: 0
>> xfers deferred: 0
>> soa queries in progress: 0
>> query logging is OFF
>> recursive clients: 0/900/1000
>> tcp clients: 6/150
>> TCP high-water: 64
>> server is up and running
> 
> As a test I tried incrementing the serial number of only one of the signed
> zones and, after a reload, that zone seems to be being resigned normally.
> 
> My suspicion is that restarting Bind will simply fix the issue.
> 
> However, I was wondering whether there might be any troubleshooting or
> diagnosis which it might be useful to undertake.  Were ISC to want, it
> would probably be possible to get them temporary access.
> 
> Best wishes,
> Matthew
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
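The symptom the reporter spots by eye in the zonestatus output (a "next resign time" that has already passed) can be checked across all inline-signed zones. The following is an added example, not code from either poster or from ISC: it parses the key/value lines `rndc zonestatus` prints and reports every inline-signed zone whose next re-signing is overdue. The sample outputs are constructed from the values quoted in the thread; the reference clock is the time the report was sent.

```python
"""Flag inline-signed zones whose `rndc zonestatus` 'next resign time' has passed.

Added example for the symptom in this thread; not ISC code. On a healthy
server the next resign time is always in the future, so a value days in the
past (as quoted above) means the signer has stalled. Sample output below is
constructed from the thread's values.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
import subprocess

# Constructed sample: the stuck zone from the thread, a healthy control, and
# an unsigned zone that must not be flagged.
STUCK = """\
name: 42.201.193.in-addr.arpa
type: master
serial: 286
signed serial: 3829
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Wed, 05 Feb 2020 18:01:42 GMT
next resign node: DI2VMBB2GDES2IKFVFRUB7DIDDC7TI8L.42.201.193.in-addr.arpa/NSEC3
next resign time: Thu, 30 Jan 2020 21:25:35 GMT
dynamic: no
"""
HEALTHY = STUCK.replace("Thu, 30 Jan 2020 21:25:35 GMT", "Wed, 05 Feb 2020 23:40:00 GMT")
UNSIGNED = "name: example.test\ntype: master\nsecure: no\ninline signing: no\n"

# Reference clock: when the report in the thread was written (UTC).
NOW = datetime(2020, 2, 5, 19, 28, tzinfo=timezone.utc)


def parse_zonestatus(text):
    """Turn 'key: value' lines into a dict, splitting on the first colon only
    (timestamps contain colons too)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def overdue_by(fields, now=NOW, grace=timedelta(minutes=30)):
    """Seconds the next re-sign is overdue, or None if the zone is fine or not
    inline-signed. `grace` absorbs ordinary signer lag; the thread's case is
    days late, not minutes."""
    if fields.get("inline signing") != "yes":
        return None                           # nothing to re-sign
    stamp = fields.get("next resign time")
    if not stamp:
        return None
    due = parsedate_to_datetime(stamp)        # RFC 2822 style, as rndc prints it
    if due.tzinfo is None:
        due = due.replace(tzinfo=timezone.utc)
    late = now - due
    return int(late.total_seconds()) if late > grace else None


def find_stuck(statuses, now=NOW):
    """Map zone name -> seconds overdue for every zone whose re-signing stalled."""
    stuck = {}
    for zone, text in statuses.items():
        late = overdue_by(parse_zonestatus(text), now)
        if late is not None:
            stuck[zone] = late
    return stuck


def live_statuses(zones):
    """Fetch zonestatus text from the running server (needs rndc access)."""
    return {z: subprocess.run(["rndc", "zonestatus", z], check=True,
                              capture_output=True, text=True).stdout
            for z in zones}


if __name__ == "__main__":
    sample = {"42.201.193.in-addr.arpa": STUCK, "control.test": HEALTHY,
              "example.test": UNSIGNED}
    for zone, late in find_stuck(sample).items():
        print(f"{zone}: re-signing overdue by {timedelta(seconds=late)}")
```

For a live check, pass the inline-signed zone names to `live_statuses` and hand the result to `find_stuck` with `now=datetime.now(timezone.utc)`. A zone this flags is in the state the reporter describes; the thread's own observations are that bumping that zone's serial and reloading gets it re-signing again, and that a restart is expected to clear the condition for all of them.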
