<div dir="ltr">> This should be the right workaround at this moment, so I wonder why it didn’t work.<div><br></div><div>It seems like it does after all, I messed up my checks. Thanks.</div><div><br></div><div>However our procedure runs named-checkconf before restarting named, and no error is brought up when running it, I'm guessing this should be mentioned that the use of master/slave [in this specific option] is obsolete?</div><div><br></div><div>Should I also anticipate moving all of the master/slave options from the zone configuration asap?</div><div><br></div><div>Thanks,</div><div><br></div><div>Thibaud<br><div class="gmail-yj6qo gmail-ajU" style="outline:none;padding:10px 0px;width:22px;margin:2px 0px 0px"><br class="gmail-Apple-interchange-newline"></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Le jeu. 23 sept. 2021 à 14:41, Ondřej Surý <<a href="mailto:ondrej@isc.org">ondrej@isc.org</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Thib,<br>
<br>
thanks, this is much better and I can now safely say, this has been already reported and tracked as <a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/2911" rel="noreferrer" target="_blank">https://gitlab.isc.org/isc-projects/bind9/-/issues/2911</a><br>
<br>
The only thing weird is:<br>
<br>
> Then, I tried switching from<br>
> check-names master warn;<br>
> to<br>
> check-names primary warn;<br>
<br>
<br>
This should be the right workaround at this moment, so I wonder why it didn’t work.<br>
<br>
Ondrej<br>
--<br>
Ondřej Surý (He/Him)<br>
<a href="mailto:ondrej@isc.org" target="_blank">ondrej@isc.org</a><br>
<br>
> On 23. 9. 2021, at 13:51, Thib D <<a href="mailto:thibmac0241@gmail.com" target="_blank">thibmac0241@gmail.com</a>> wrote:<br>
> <br>
> Hi Ondrej, <br>
> <br>
> Thanks for your reply,<br>
> <br>
> I'm afraid I am unable to share any more detail regarding the zone content because it's customer data. I will use <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> and try to make the most sense out of the issue.<br>
> <br>
> Our upgrading procedure is to recompile the binaries provided in <a href="https://ftp.isc.org/isc/bind9/9.16.21/bind-9.16.21.tar.xz" rel="noreferrer" target="_blank">https://ftp.isc.org/isc/bind9/9.16.21/bind-9.16.21.tar.xz</a> , named is compiled on a Debian Buster OS here. <br>
> After the successful compilation, named is restarted (systemd service).<br>
> <br>
> After zones are loaded, a few errors can be seen on zones with these check-names error<br>
> Sep 23 10:42:07 primary-host named[22788]: general: dbase/m/com/s/<a href="http://named.example.com:36" rel="noreferrer" target="_blank">named.example.com:36</a>: *._sip._<a href="http://tls.example.com" rel="noreferrer" target="_blank">tls.example.com</a>: bad owner name (check-names)<br>
> Sep 23 10:42:07 primary-host named[22788]: zoneload: zone <a href="http://example.com/IN" rel="noreferrer" target="_blank">example.com/IN</a>: loading from master file dbase/m/com/e/<a href="http://named.example.com" rel="noreferrer" target="_blank">named.example.com</a> failed: bad owner name (check-names)<br>
> Sep 23 10:42:07 primary-host named[22788]: zoneload: zone <a href="http://example.com/IN" rel="noreferrer" target="_blank">example.com/IN</a>: not loaded due to errors.<br>
> <br>
> This causes our server to answer SERVFAIL for a few of the affected zones.<br>
> <br>
> At line 36 of the zonefile of <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a>, there is this record (under <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> origin) :<br>
> <br>
> *._sip._tls A 12.34.56.78<br>
> <br>
> On the secondary server hosting that same zone, I am not seeing any unusual behaviour after 9.16.21 upgrade:<br>
> <br>
> Sep 22 10:53:13 secondary-host named[14330]: general: dbase/s/com/e/<a href="http://named.example.com:20" rel="noreferrer" target="_blank">named.example.com:20</a>: _<a href="http://tcp.example.com" rel="noreferrer" target="_blank">tcp.example.com</a>: bad owner name (check-names)<br>
> Sep 22 10:53:13 secondary-host named[14330]: general: dbase/s/com/e/<a href="http://named.example.com:22" rel="noreferrer" target="_blank">named.example.com:22</a>: *._<a href="http://tcp.example.com" rel="noreferrer" target="_blank">tcp.example.com</a>: bad owner name (check-names)<br>
> Sep 22 10:53:13 secondary-host named[14330]: general: dbase/s/com/e/<a href="http://named.example.com:25" rel="noreferrer" target="_blank">named.example.com:25</a>: *._sipfederationtls._<a href="http://tcp.example.com" rel="noreferrer" target="_blank">tcp.example.com</a>: bad owner name (check-names)<br>
> Sep 22 10:53:13 secondary-host named[14330]: general: dbase/s/com/e/<a href="http://named.example.com:27" rel="noreferrer" target="_blank">named.example.com:27</a>: _<a href="http://tls.example.com" rel="noreferrer" target="_blank">tls.example.com</a>: bad owner name (check-names)<br>
> Sep 22 10:53:13 secondary-host named[14330]: general: dbase/s/com/e/<a href="http://named.example.com:29" rel="noreferrer" target="_blank">named.example.com:29</a>: *._<a href="http://tls.example.com" rel="noreferrer" target="_blank">tls.example.com</a>: bad owner name (check-names)<br>
> Sep 22 10:53:13 secondary-host named[14330]: general: dbase/s/com/e/<a href="http://named.example.com:32" rel="noreferrer" target="_blank">named.example.com:32</a>: *._sip._<a href="http://tls.example.com" rel="noreferrer" target="_blank">tls.example.com</a>: bad owner name (check-names)<br>
> <br>
> Note that the content of the zone is a bit different, since AXFR does alter the zone format a little bit (both version "read" the same though (?))<br>
> $ORIGIN _sip._<a href="http://tls.example.com" rel="noreferrer" target="_blank">tls.example.com</a><br>
> * A 12.34.56.78<br>
> <br>
> I guess this is a wrong kind of record here,but fine, since I'm not able to fix these, I'm using the option I mentioned earlier :<br>
> <br>
> check-names master warn;<br>
> <br>
> After seeing this the first time, I decided to rollback to 9.16.20 following the same procedure, which is first compile then restart with systemd. <br>
> After loading all the zones we can see that the "loading from master file dbase/m/com/e/<a href="http://named.example.com" rel="noreferrer" target="_blank">named.example.com</a> failed" is gone and the zone loaded, just like on secondary-host:<br>
> <br>
> Sep 23 10:42:35 primary-host named[22788]: general: dbase/m/com/s/<a href="http://named.example.com:36" rel="noreferrer" target="_blank">named.example.com:36</a>: *._sip._<a href="http://tls.example.com" rel="noreferrer" target="_blank">tls.example.com</a>: bad owner name (check-names)<br>
> Sep 23 10:42:35 primary-host named[24110]: general: dbase/m/com/s/<a href="http://named.example.com:38" rel="noreferrer" target="_blank">named.example.com:38</a>: *._<a href="http://tcp.example.com" rel="noreferrer" target="_blank">tcp.example.com</a>: bad owner name (check-names)<br>
> Sep 23 10:42:35 primary-host named[24110]: general: dbase/m/com/s/<a href="http://named.example.com:39" rel="noreferrer" target="_blank">named.example.com:39</a>: *._<a href="http://tls.example.com" rel="noreferrer" target="_blank">tls.example.com</a>: bad owner name (check-names)<br>
> Sep 23 10:42:35 primary-host named[24110]: general: dbase/m/com/s/<a href="http://named.example.com:51" rel="noreferrer" target="_blank">named.example.com:51</a>: _<a href="http://tcp.example.com" rel="noreferrer" target="_blank">tcp.example.com</a>: bad owner name (check-names)<br>
> Sep 23 10:42:35 primary-host named[24110]: general: dbase/m/com/s/<a href="http://named.example.com:52" rel="noreferrer" target="_blank">named.example.com:52</a>: _<a href="http://tls.example.com" rel="noreferrer" target="_blank">tls.example.com</a>: bad owner name (check-names)<br>
> <br>
> First thing I had in mind was to double check the changelog to see if I misunderstood anything. <br>
> <br>
> Then, I tried switching from<br>
> check-names master warn;<br>
> to<br>
> check-names primary warn;<br>
> or<br>
> check-names master ignore; <br>
> <br>
> but nothing changed.<br>
> <br>
> Hope that helps, even with the anonymized data. I understand running zones configured like this is not quite recommended, but that's a different topic.<br>
> I will update this mail thread if I find anything else worth mentioning.<br>
> <br>
> Regards,<br>
> Thibaud<br>
> <br>
> <br>
> <br>
> Le jeu. 23 sept. 2021 à 11:47, Ondřej Surý <<a href="mailto:ondrej@isc.org" target="_blank">ondrej@isc.org</a>> a écrit :<br>
> Hi,<br>
> <br>
> we cannot really help you if anonymize everything and don’t provide any details at all.<br>
> <br>
> Ondrej<br>
> --<br>
> Ondřej Surý (He/Him)<br>
> <a href="mailto:ondrej@isc.org" target="_blank">ondrej@isc.org</a><br>
> <br>
> > On 23. 9. 2021, at 10:54, Thib D <<a href="mailto:thibmac0241@gmail.com" target="_blank">thibmac0241@gmail.com</a>> wrote:<br>
> > <br>
> > Hello,<br>
> > <br>
> > I am currently rolling the 9.16.21 on a few bind servers. Most of the servers rolled the update correctly except for one in particular (this is a primary server of 2 other secondaries).<br>
> > <br>
> > Here is the issue logged<br>
> > <br>
> > Sep 23 10:42:07 host named[22788]: zoneload: zone [...]/IN: loading from master file [...] failed: bad owner name (check-names)<br>
> > Sep 23 10:42:07 host named[22788]: zoneload: zone [...]/IN: loading from master file [...] failed: bad owner name (check-names)<br>
> > <br>
> > I am aware of the issues with these zone configuration, this is why my named.conf has this parameter, which I believe is useful to tell named to keep loading the affected zone and log an issue, am I correct ?<br>
> > <br>
> > check-names master warn;<br>
> > <br>
> > Correct me if I'm wrong the 9.16.21 CHANGES do not mention any change on this behaviour ? More surprisingly, it's only affecting one particular server, one with a pretty similar config than the others on the zone load policies.<br>
> > <br>
> > Did I miss something in the changelog here ? <br>
> > <br>
> > Thanks !<br>
> > <br>
> > <br>
> > _______________________________________________<br>
> > Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
> > <br>
> > ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
> > <br>
> > <br>
> > bind-users mailing list<br>
> > <a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
> > <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
> <br>
<br>
</blockquote></div>