BIND 9.20.4 exiting
Darren Ankney
dankney at isc.org
Thu Dec 19 15:09:48 UTC 2024
Hello,
Please note that ISC has published an operation notification regarding
this report:
https://kb.isc.org/docs/operational-notification-bind-920-defect-in-qpzone-implementation
with further instructions (in case anyone missed the recent announcement
in the bind-announce mailing list).
Thank you,
Darren Ankney
Director of Technical Support
ISC
On 12/18/24 08:00, Guillaume Bibaut wrote:
> Hello,
>
> I'm posting here because it is recommended there
> https://gitlab.isc.org/isc-projects/bind9/-/issues/new
> to post on this list before posting issues on gitlab.
>
> I'm using bind 9.20 for a professional DNS service in my company (redacted).
> Our DNS services are working fine with version 9.20.2 of BIND.
> Last weekend, we updated the FreeBSD package from 9.20.2 to 9.20.4.
> Today, as we were using our services just as usual, both our primary and
> secondary DNS services exited after some of our CI executed an update on
> removing some CNAME used while developing. We are using nsupdate with
> some key to update the DNS securely.
> We are using FreeBSD 14.1-RELEASE-p3, and the "latest" packages
> repository so that our BIND services are always up to date.
> I had to roll back to the previous packages, so from 9.20.4 to 9.20.2.
> Everything was working well before and since we updated to 9.20.2.
>
> FreeBSD latest port and package for bind920:
> https://www.freshports.org/dns/bind920/
>
> https://dnssec-analyzer.verisignlabs.com/ and https://dnsviz.net/
> both tell that our subdomain dev.example.com is well configured for
> DNSSEC (no errors).
>
> Our log looks like this when it exited. I had to redact the log because
> I do not want company information to get disclosed.
>
> >>>SNIP<<
> Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone 'dev.example.com/IN': deleting rrset at 'branch.sub1.subsub.dev.example.com' CNAME
> Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone 'dev.example.com/IN': deleting rrset at 'branch.sub2.subsub.dev.example.com' CNAME
> Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone 'dev.example.com/IN': deleting rrset at 'branch.sub3.subsub.dev.example.com' CNAME
> Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone 'dev.example.com/IN': deleting rrset at 'branch.sub1.dev.example.com' CNAME
> Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone 'dev.example.com/IN': deleting rrset at 'branch.sub3.dev.example.com' CNAME
> Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone 'dev.example.com/IN': deleting rrset at 'branch.sub4.dev.example.com' CNAME
> Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone 'dev.example.com/IN': deleting rrset at 'branch.fichier.dev.example.com' CNAME
> Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone 'dev.example.com/IN': deleting rrset at 'branch.sub2.dev.example.com' CNAME
> Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone 'dev.example.com/IN': deleting rrset at 'branch.sub5.dev.example.com' CNAME
> Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone 'dev.example.com/IN': deleting rrset at 'branch.sub6.dev.example.com' CNAME
> Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone 'dev.example.com/IN': deleting rrset at 'branch.sub7.dev.example.com' CNAME
> Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone 'dev.example.com/IN': deleting rrset at 'branch.sub8.dev.example.com' CNAME
> Dec 18 10:45:13 mail named[3615]: zone dev.example.com/IN (signed): sending notifies (serial 2024095766)
> Dec 18 10:45:13 mail named[3615]: zone dev.example.com/IN (signed): sending notify to SECONDARY_1_IP#53
> Dec 18 10:45:13 mail named[3615]: zone dev.example.com/IN (signed): sending notify to REGISTRAR_SECONDARY_IP#53
> Dec 18 10:45:13 mail named[3615]: client @0x17a2bd41400 SECONDARY_1_IP#16894 (dev.example.com): transfer of 'dev.example.com/IN': IXFR started (serial 2024095765 -> 2024095766)
> Dec 18 10:45:13 mail named[3615]: client @0x17a2bd41400 SECONDARY_1_IP#16894 (dev.example.com): transfer of 'dev.example.com/IN': IXFR ended: 2 messages, 102 records, 18757 bytes, 0.034 secs (551676 bytes/sec) (serial 2024095766)
> Dec 18 10:45:13 mail named[3615]: client @0x17a28824c00 SECONDARY_1_IP#64952: received notify for zone 'dev.example.com'
> Dec 18 10:45:31 mail named[3615]: client @0x17a2cf7c400 172.217.41.209#33339 (BRanCH.sUB1.DeV.ExAmpLE.CoM): expected a exact match NSEC3, got a covering record
> Dec 18 10:45:31 mail named[3615]: ../../lib/dns/include/dns/name.h:1013: REQUIRE(suffixlabels <= name->labels) failed
> Dec 18 10:45:31 mail named[3615]: 0x23f15b <main+0x191b> at /usr/local/sbin/named
> Dec 18 10:45:31 mail named[3615]: 0x82182c66a <isc_assertion_failed+0xa> at /usr/local/lib/libisc-9.20.4.so
> Dec 18 10:45:31 mail named[3615]: 0x8234d7922 <ns_query_start+0x7ee2> at /usr/local/lib/libns-9.20.4.so
> Dec 18 10:45:31 mail named[3615]: 0x8234de122 <ns_query_start+0xe6e2> at /usr/local/lib/libns-9.20.4.so
> Dec 18 10:45:31 mail named[3615]: 0x8234d3c37 <ns_query_start+0x41f7> at /usr/local/lib/libns-9.20.4.so
> Dec 18 10:45:31 mail named[3615]: 0x8234d1c01 <ns_query_start+0x21c1> at /usr/local/lib/libns-9.20.4.so
> Dec 18 10:45:31 mail named[3615]: 0x8234cd952 <ns_query_done+0x18f2> at /usr/local/lib/libns-9.20.4.so
> Dec 18 10:45:31 mail named[3615]: 0x8234cbe13 <ns__query_start+0x453> at /usr/local/lib/libns-9.20.4.so
> Dec 18 10:45:31 mail named[3615]: 0x8234d04f3 <ns_query_start+0xab3> at /usr/local/lib/libns-9.20.4.so
> Dec 18 10:45:31 mail named[3615]: 0x8234d01f3 <ns_query_start+0x7b3> at /usr/local/lib/libns-9.20.4.so
> Dec 18 10:45:31 mail named[3615]: 0x8234c445c <ns__client_setup+0x1c4c> at /usr/local/lib/libns-9.20.4.so
> Dec 18 10:45:31 mail named[3615]: 0x8234c2650 <ns_client_request+0x630> at /usr/local/lib/libns-9.20.4.so
> Dec 18 10:45:31 mail named[3615]: 0x821816c4f <isc__nm_readcb+0xcf> at /usr/local/lib/libisc-9.20.4.so
> Dec 18 10:45:31 mail named[3615]: 0x82182b30b <isc__nm_udp_read_cb+0x21b> at /usr/local/lib/libisc-9.20.4.so
> Dec 18 10:45:31 mail named[3615]: 0x826b56947 <uv_tty_get_vterm_state+0x1547> at /usr/local/lib/libuv.so.1
> Dec 18 10:45:31 mail named[3615]: 0x826b58c53 <uv_cpu_info+0xd83> at /usr/local/lib/libuv.so.1
> Dec 18 10:45:31 mail named[3615]: 0x826b46dc0 <uv_run+0x1b0> at /usr/local/lib/libuv.so.1
> Dec 18 10:45:31 mail named[3615]: 0x8218404d2 <isc_loopmgr_run+0x2f2> at /usr/local/lib/libisc-9.20.4.so
> Dec 18 10:45:31 mail named[3615]: 0x821851053 <isc_thread_create+0x223> at /usr/local/lib/libisc-9.20.4.so
> Dec 18 10:45:31 mail named[3615]: exiting (due to assertion failure)
> >>>SNIP<<<
>
> Our DNS configuration is, redacted as well:
> >>>SNIP<<<
> options {
>     directory "/usr/local/etc/namedb/working";
>     pid-file "/var/run/named/pid";
>     dump-file "/var/dump/named_dump.db";
>     statistics-file "/var/stats/named.stats";
>
>     listen-on { PRIMARY_IP; 127.0.0.1; };
>
>     disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
>     disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
>     disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
>
>     forwarders {
>         HOSTING_DNS1_IP;
>         HOSTING_DNS2_IP;
>     };
>
>     forward only;
>
>     query-source address *;
>
>     notify explicit;
>     auth-nxdomain no;
>     allow-recursion {
>         127.0.0.1;
>         SECONDARY_IP;
>         REGISTAR_SECONDARY_QUERY_IP;
>         REGISTRAR_SECONDARY_UPDATE_IP;
>     };
>     allow-recursion-on {
>         127.0.0.1;
>         SECONDARY_IP;
>         REGISTAR_SECONDARY_QUERY_IP;
>         REGISTRAR_SECONDARY_UPDATE_IP;
>     };
>
>     allow-query-cache { none; };
>
>     rate-limit {
>         responses-per-second 7;
>         exempt-clients {
>             127.0.0.1;
>             SECONDARY_IP;
>             REGISTAR_SECONDARY_QUERY_IP;
>             HOSTING_DNS1_IP;
>             HOSTING_DNS2_IP;
>         };
>     };
>
>     dnssec-validation yes;
>     rrset-order { order cyclic; };
>     version "unknown";
> };
> [...SNIP...]
> dnssec-policy "company" {
>     keys {
>         ksk lifetime unlimited algorithm RSASHA256 2048;
>         zsk lifetime unlimited algorithm RSASHA256 2048;
>     };
>     nsec3param;
> };
> [...SNIP...]
> zone "dev.example.com" {
>     type primary;
>     key-directory "/usr/local/etc/namedb/keys";
>     update-policy {
>         grant local-ddns zonesub any;
>         grant certbot.dev. wildcard *.dev.example.com. txt;
>         grant dev.cname. wildcard *.dev.example.com. cname;
>     };
>     dnssec-policy "company";
>     inline-signing yes;
>     file "/usr/local/etc/namedb/primary/dev.example.com";
>     allow-query {
>         any;
>     };
>     allow-transfer {
>         SECONDARY_IP;
>         REGISTRAR_SECONDARY_UPDATE_IP;
>     };
>     also-notify {
>         SECONDARY_IP;
>         REGISTRAR_SECONDARY_UPDATE_IP;
>     };
> };
> >>>SNIP<<
>
> I can't find what could be wrong in our configuration since it's been
> working for more than 2 years.
> Is there anything to do?
> Should I post this problem as an issue in gitlab?
>
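
Added example (not part of either message and not ISC code): a Python scan of syslog output for the crash signature in the quoted log, an assertion line followed by `exiting (due to assertion failure)`. Per `named` PID it reports the failed check, the last query name logged, and whether that name had just been removed by a dynamic update. The sample lines are constructed from the redacted log above using documentation IP addresses; the function and field names are assumptions of this example.

```python
import re

# Constructed sample lines, modelled on the redacted log in the report.
SAMPLE = """\
Dec 18 10:45:13 mail named[3615]: client @0x1 192.0.2.10#55188/key dev3.cname: updating zone 'dev.example.com/IN': deleting rrset at 'branch.sub1.dev.example.com' CNAME
Dec 18 10:45:31 mail named[3615]: client @0x2 198.51.100.7#33339 (BRanCH.sUB1.DeV.ExAmpLE.CoM): expected a exact match NSEC3, got a covering record
Dec 18 10:45:31 mail named[3615]: ../../lib/dns/include/dns/name.h:1013: REQUIRE(suffixlabels <= name->labels) failed
Dec 18 10:45:31 mail named[3615]: 0x23f15b <main+0x191b> at /usr/local/sbin/named
Dec 18 10:45:31 mail named[3615]: exiting (due to assertion failure)
Dec 18 10:46:02 mail named[4120]: client @0x3 192.0.2.10#55190/key dev3.cname: updating zone 'dev.example.com/IN': deleting rrset at 'branch.sub2.dev.example.com' CNAME
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ named\[(?P<pid>\d+)\]: (?P<msg>.*)$")
UPDATE = re.compile(r"updating zone '[^']+': deleting rrset at '(?P<name>[^']+)'")
QUERY = re.compile(r"^client @\S+ \S+ \((?P<qname>[^)]+)\): ")
ASSERTION = re.compile(r"^(?P<where>\S+:\d+): (?P<check>(?:REQUIRE|ENSURE|INSIST|INVARIANT)\(.*\)) failed")

def find_assertion_exits(log_text):
    """Return one record per named process that exited on an assertion failure."""
    per_pid, crashes = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        ctx = per_pid.setdefault(m["pid"], {"deleted": set(), "qname": None, "assertion": None})
        if (u := UPDATE.search(msg)):
            ctx["deleted"].add(u["name"].lower().rstrip("."))
        elif (q := QUERY.match(msg)):
            # Query names may arrive in mixed case; compare case-insensitively.
            ctx["qname"] = q["qname"].lower().rstrip(".")
        elif (a := ASSERTION.match(msg)):
            ctx["assertion"] = (a["where"], a["check"])
        elif msg.startswith("exiting (due to assertion failure)"):
            crashes.append({
                "pid": m["pid"], "time": m["ts"],
                "assertion": ctx["assertion"],
                "last_query": ctx["qname"],
                "query_hit_deleted_name": ctx["qname"] in ctx["deleted"],
            })
    return crashes

if __name__ == "__main__":
    for crash in find_assertion_exits(SAMPLE):
        print(crash)
```
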