<div dir="ltr">
<div>Issue has been created on gitlab.</div><div>It is marked as confidential, and its title is "BIND 9.20.4 exiting".</div><div>Everything is detailed there.</div>
</div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Wed, Dec 18, 2024 at 2:51 PM Ondřej Surý <<a href="mailto:ondrej@isc.org">ondrej@isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Hi Guillaume,<div><br></div><div>thanks for reading the instructions. I’m afraid you’ve hit a bug and filing an issue would be appropriate in this case.</div><div><br></div><div>I also think that Klaus (in Cc) has seen a similar crash.</div><div><br></div><div>We would appreciate it if you could provide a coredump and binaries with debug symbols.</div><div><br></div><div>Ondrej<br><div dir="ltr"><div>--</div>Ondřej Surý — ISC (He/Him)<div><br></div><div>My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.</div></div><div dir="ltr"><br><blockquote type="cite">On 18. 12. 2024, at 14:00, Guillaume Bibaut <<a href="mailto:guillaume.bibaut@gmail.com" target="_blank">guillaume.bibaut@gmail.com</a>> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><div dir="ltr">
<div>Hello,</div><div><br></div><div>I'm posting here because it is recommended there</div><div><a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/new" target="_blank">https://gitlab.isc.org/isc-projects/bind9/-/issues/new</a></div><div>to post on this list before posting issues on gitlab.<br></div><div><br></div><div>I'm using bind 9.20 for a professional DNS service in my company (redacted).</div><div>Our DNS services are working fine with version 9.20.2 of BIND.</div><div>Last weekend, we updated the FreeBSD package from 9.20.2 to 9.20.4.</div><div>Today,
as we were using our services just as usual, both our primary and
secondary DNS services exited after some of our CI executed an update
removing some CNAMEs used while developing. We are using nsupdate with
some key to update the DNS securely.</div><div>We are using FreeBSD 14.1-RELEASE-p3, and the "latest" packages repository so that our BIND services are always up to date.</div><div>I had to roll back to the previous packages, so from 9.20.4 to 9.20.2.</div><div>Everything was working well before and since we updated to 9.20.2.<br></div><div><br></div><div>FreeBSD latest port and package for bind920:</div><div><a href="https://www.freshports.org/dns/bind920/" target="_blank">https://www.freshports.org/dns/bind920/</a></div><div><br></div><div><a href="https://dnssec-analyzer.verisignlabs.com/" target="_blank">https://dnssec-analyzer.verisignlabs.com/</a> and <a href="https://dnsviz.net/" target="_blank">https://dnsviz.net/</a> both report that our subdomain <a href="http://dev.example.com" target="_blank">dev.example.com</a> is well configured for DNSSEC (no errors).<br></div><div><br></div><div>Our log looks like this when it exited; I had to redact the log because I do not want company information to get disclosed.</div><div><br></div><div>>>>SNIP<<<br></div><div>Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone '<a href="http://dev.example.com/IN" target="_blank">dev.example.com/IN</a>': deleting rrset at '<a href="http://branch.sub1.subsub.dev.example.com" target="_blank">branch.sub1.subsub.dev.example.com</a>' CNAME<br>Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone '<a href="http://dev.example.com/IN" target="_blank">dev.example.com/IN</a>': deleting rrset at '<a href="http://branch.sub2.subsub.dev.example.com" target="_blank">branch.sub2.subsub.dev.example.com</a>' CNAME<br>Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone '<a href="http://dev.example.com/IN" target="_blank">dev.example.com/IN</a>': deleting rrset at '<a href="http://branch.sub3.subsub.dev.example.com" 
target="_blank">branch.sub3.subsub.dev.example.com</a>' CNAME<br>Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone '<a href="http://dev.example.com/IN" target="_blank">dev.example.com/IN</a>': deleting rrset at '<a href="http://branch.sub1.dev.example.com" target="_blank">branch.sub1.dev.example.com</a>' CNAME<br>Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone '<a href="http://dev.example.com/IN" target="_blank">dev.example.com/IN</a>': deleting rrset at '<a href="http://branch.sub3.dev.example.com" target="_blank">branch.sub3.dev.example.com</a>' CNAME<br>Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone '<a href="http://dev.example.com/IN" target="_blank">dev.example.com/IN</a>': deleting rrset at '<a href="http://branch.sub4.dev.example.com" target="_blank">branch.sub4.dev.example.com</a>' CNAME<br>Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone '<a href="http://dev.example.com/IN" target="_blank">dev.example.com/IN</a>': deleting rrset at '<a href="http://branch.fichier.dev.example.com" target="_blank">branch.fichier.dev.example.com</a>' CNAME<br>Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone '<a href="http://dev.example.com/IN" target="_blank">dev.example.com/IN</a>': deleting rrset at '<a href="http://branch.sub2.dev.example.com" target="_blank">branch.sub2.dev.example.com</a>' CNAME<br>Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone '<a href="http://dev.example.com/IN" target="_blank">dev.example.com/IN</a>': deleting rrset at '<a href="http://branch.sub5.dev.example.com" target="_blank">branch.sub5.dev.example.com</a>' CNAME<br>Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone '<a 
href="http://dev.example.com/IN" target="_blank">dev.example.com/IN</a>': deleting rrset at '<a href="http://branch.sub6.dev.example.com" target="_blank">branch.sub6.dev.example.com</a>' CNAME<br>Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone '<a href="http://dev.example.com/IN" target="_blank">dev.example.com/IN</a>': deleting rrset at '<a href="http://branch.sub7.dev.example.com" target="_blank">branch.sub7.dev.example.com</a>' CNAME<br>Dec 18 10:45:13 mail named[3615]: client @0x17a2c0e9c00 62.4.5.16#55188/key dev3.cname: updating zone '<a href="http://dev.example.com/IN" target="_blank">dev.example.com/IN</a>': deleting rrset at '<a href="http://branch.sub8.dev.example.com" target="_blank">branch.sub8.dev.example.com</a>' CNAME<br>Dec 18 10:45:13 mail named[3615]: zone <a href="http://dev.example.com/IN" target="_blank">dev.example.com/IN</a> (signed): sending notifies (serial 2024095766)<br>Dec 18 10:45:13 mail named[3615]: zone <a href="http://dev.example.com/IN" target="_blank">dev.example.com/IN</a> (signed): sending notify to SECONDARY_1_IP#53<br>Dec 18 10:45:13 mail named[3615]: zone <a href="http://dev.example.com/IN" target="_blank">dev.example.com/IN</a> (signed): sending notify to REGISTRAR_SECONDARY_IP#53<br>Dec 18 10:45:13 mail named[3615]: client @0x17a2bd41400 SECONDARY_1_IP#16894 (<a href="http://dev.example.com" target="_blank">dev.example.com</a>): transfer of '<a href="http://dev.example.com/IN" target="_blank">dev.example.com/IN</a>': IXFR started (serial 2024095765 -> 2024095766)<br>Dec 18 10:45:13 mail named[3615]: client @0x17a2bd41400 SECONDARY_1_IP#16894 (<a href="http://dev.example.com" target="_blank">dev.example.com</a>): transfer of '<a href="http://dev.example.com/IN" target="_blank">dev.example.com/IN</a>': IXFR ended: 2 messages, 102 records, 18757 bytes, 0.034 secs (551676 bytes/sec) (serial 2024095766)<br>Dec 18 10:45:13 mail named[3615]: client @0x17a28824c00 
SECONDARY_1_IP#64952: received notify for zone '<a href="http://dev.example.com" target="_blank">dev.example.com</a>'<br>Dec 18 10:45:31 mail named[3615]: client @0x17a2cf7c400 172.217.41.209#33339 (<a href="http://BRanCH.sUB1.DeV.ExAmpLE.CoM" target="_blank">BRanCH.sUB1.DeV.ExAmpLE.CoM</a>): expected a exact match NSEC3, got a covering record<br>Dec 18 10:45:31 mail named[3615]: ../../lib/dns/include/dns/name.h:1013: REQUIRE(suffixlabels <= name->labels) failed<br>Dec 18 10:45:31 mail named[3615]: 0x23f15b <main+0x191b> at /usr/local/sbin/named<br>Dec 18 10:45:31 mail named[3615]: 0x82182c66a <isc_assertion_failed+0xa> at /usr/local/lib/<a href="http://libisc-9.20.4.so" target="_blank">libisc-9.20.4.so</a><br>Dec 18 10:45:31 mail named[3615]: 0x8234d7922 <ns_query_start+0x7ee2> at /usr/local/lib/<a href="http://libns-9.20.4.so" target="_blank">libns-9.20.4.so</a><br>Dec 18 10:45:31 mail named[3615]: 0x8234de122 <ns_query_start+0xe6e2> at /usr/local/lib/<a href="http://libns-9.20.4.so" target="_blank">libns-9.20.4.so</a><br>Dec 18 10:45:31 mail named[3615]: 0x8234d3c37 <ns_query_start+0x41f7> at /usr/local/lib/<a href="http://libns-9.20.4.so" target="_blank">libns-9.20.4.so</a><br>Dec 18 10:45:31 mail named[3615]: 0x8234d1c01 <ns_query_start+0x21c1> at /usr/local/lib/<a href="http://libns-9.20.4.so" target="_blank">libns-9.20.4.so</a><br>Dec 18 10:45:31 mail named[3615]: 0x8234cd952 <ns_query_done+0x18f2> at /usr/local/lib/<a href="http://libns-9.20.4.so" target="_blank">libns-9.20.4.so</a><br>Dec 18 10:45:31 mail named[3615]: 0x8234cbe13 <ns__query_start+0x453> at /usr/local/lib/<a href="http://libns-9.20.4.so" target="_blank">libns-9.20.4.so</a><br>Dec 18 10:45:31 mail named[3615]: 0x8234d04f3 <ns_query_start+0xab3> at /usr/local/lib/<a href="http://libns-9.20.4.so" target="_blank">libns-9.20.4.so</a><br>Dec 18 10:45:31 mail named[3615]: 0x8234d01f3 <ns_query_start+0x7b3> at /usr/local/lib/<a href="http://libns-9.20.4.so" 
target="_blank">libns-9.20.4.so</a><br>Dec 18 10:45:31 mail named[3615]: 0x8234c445c <ns__client_setup+0x1c4c> at /usr/local/lib/<a href="http://libns-9.20.4.so" target="_blank">libns-9.20.4.so</a><br>Dec 18 10:45:31 mail named[3615]: 0x8234c2650 <ns_client_request+0x630> at /usr/local/lib/<a href="http://libns-9.20.4.so" target="_blank">libns-9.20.4.so</a><br>Dec 18 10:45:31 mail named[3615]: 0x821816c4f <isc__nm_readcb+0xcf> at /usr/local/lib/<a href="http://libisc-9.20.4.so" target="_blank">libisc-9.20.4.so</a><br>Dec 18 10:45:31 mail named[3615]: 0x82182b30b <isc__nm_udp_read_cb+0x21b> at /usr/local/lib/<a href="http://libisc-9.20.4.so" target="_blank">libisc-9.20.4.so</a><br>Dec 18 10:45:31 mail named[3615]: 0x826b56947 <uv_tty_get_vterm_state+0x1547> at /usr/local/lib/libuv.so.1<br>Dec 18 10:45:31 mail named[3615]: 0x826b58c53 <uv_cpu_info+0xd83> at /usr/local/lib/libuv.so.1<br>Dec 18 10:45:31 mail named[3615]: 0x826b46dc0 <uv_run+0x1b0> at /usr/local/lib/libuv.so.1<br>Dec 18 10:45:31 mail named[3615]: 0x8218404d2 <isc_loopmgr_run+0x2f2> at /usr/local/lib/<a href="http://libisc-9.20.4.so" target="_blank">libisc-9.20.4.so</a><br>Dec 18 10:45:31 mail named[3615]: 0x821851053 <isc_thread_create+0x223> at /usr/local/lib/<a href="http://libisc-9.20.4.so" target="_blank">libisc-9.20.4.so</a><br>Dec 18 10:45:31 mail named[3615]: exiting (due to assertion failure)</div><div>>>>SNIP<<<<br></div><div><br></div><div>Our dns configuration is, redacted as well:</div><div>>>>SNIP<<<<br></div><div>options {<br> directory "/usr/local/etc/namedb/working";<br> pid-file "/var/run/named/pid";<br> dump-file "/var/dump/named_dump.db";<br> statistics-file "/var/stats/named.stats";<br><br> listen-on { PRIMARY_IP; 127.0.0.1; };</div><div><br> disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";<br> disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";<br> disable-empty-zone 
"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";<br><br> forwarders {<br></div><div> HOSTING_DNS1_IP;<br></div><div> HOSTING_DNS2_IP;<br></div><div> };<br><br> forward only;<br><br> query-source address *;<br><br> notify explicit;<br> auth-nxdomain no;<br> allow-recursion {<br> 127.0.0.1;<br></div><div> SECONDARY_IP;<br></div><div> REGISTAR_SECONDARY_QUERY_IP;<br></div><div> REGISTRAR_SECONDARY_UPDATE_IP;<br></div><div> };<br> allow-recursion-on {</div><div> 127.0.0.1;<br>
<div> SECONDARY_IP;<br></div><div> REGISTAR_SECONDARY_QUERY_IP;<br></div><div> REGISTRAR_SECONDARY_UPDATE_IP;<br></div><div></div>
};<br><br> allow-query-cache { none; };<br><br> rate-limit {<br> responses-per-second 7;<br> exempt-clients {<br> 127.0.0.1;<br>
<div> SECONDARY_IP;<br></div><div> REGISTAR_SECONDARY_QUERY_IP;<br></div><div></div>
<div> HOSTING_DNS1_IP;<br></div><div> HOSTING_DNS2_IP;<br></div><div></div>
};<br> };<br><br> dnssec-validation yes;<br> rrset-order { order cyclic; };<br> version "unknown";<br>};</div><div>[...SNIP...]</div><div>dnssec-policy "company" {<br> keys {<br> ksk lifetime unlimited algorithm RSASHA256 2048;<br> zsk lifetime unlimited algorithm RSASHA256 2048;<br> };<br> nsec3param;<br>};</div><div>
[...SNIP...]</div><div>zone "<a href="http://dev.example.com" target="_blank">dev.example.com</a>" {<br> type primary;<br> key-directory "/usr/local/etc/namedb/keys";<br> update-policy {<br> grant local-ddns zonesub any;<br> grant <a href="http://certbot.dev" target="_blank">certbot.dev</a>. wildcard *.<a href="http://dev.example.com" target="_blank">dev.example.com</a>. txt;<br> grant dev.cname. wildcard *.<a href="http://dev.example.com" target="_blank">dev.example.com</a>. cname;<br> };<br> dnssec-policy "company";<br> inline-signing yes;<br> file "/usr/local/etc/namedb/primary/<a href="http://dev.example.com" target="_blank">dev.example.com</a>";<br> allow-query {<br> any;<br> };<br> allow-transfer {<br>
<div> SECONDARY_IP;<br></div><div> REGISTRAR_SECONDARY_UPDATE_IP;<br></div><div></div>
};<br> also-notify {<br>
<div> SECONDARY_IP;<br></div><div> REGISTRAR_SECONDARY_UPDATE_IP;<br></div><div></div>
};<br>};</div><div>
>>>SNIP<< <br></div><div><br></div><div>I can't find what could be wrong in our configuration since it's been working for more than 2 years.</div><div>Is there anything to do?</div><div>Should I post this problem as an issue in gitlab?</div>
</div>
</div></blockquote></div></div></blockquote></div>