auto-dnssec maintain fails on 9.7.0-RC1

Patrick H. Piper ppiper at netlinxinc.com
Thu Jan 14 15:17:01 UTC 2010


While trying to test the auto-dnssec maintain functionality, I notice Bind
9.7.0-RC1 exits with an assertion error. I built Bind 9.7.0-RC1 on Fedora 12
w/ all the latest patches/fixes etc...

The zone block of my test zone in named.conf looks like this:

zone "example.net" {
        auto-dnssec maintain;
        type master;
        update-policy local;
        file "dynamic/example.net/example.net";
        key-directory "dynamic/example.net";
};

The /var/named/dynamic/example.net directory with newly generated keys and
unsigned zone file is as follows:
[root@test5 example.net]# ls -lt
total 20
-rw-r--r-- 1 named named  338 2010-01-13 14:54 example.net
-rw-r--r-- 1 named named  661 2010-01-12 22:08 Kexample.net.+005+19261.key
-rw------- 1 named named 1846 2010-01-12 22:08 Kexample.net.+005+19261.private
-rw-r--r-- 1 named named  380 2010-01-12 22:07 Kexample.net.+005+58161.key
-rw------- 1 named named 1010 2010-01-12 22:07 Kexample.net.+005+58161.private

When I start the name service, it dies silently.  But, a jnl file is
created. The zonefile is still unsigned, and named is not running.  

The dnssec log file contains the following:
13-Jan-2010 15:09:17.258 general: debug 1: zone_timer: zone example.net/IN: enter
13-Jan-2010 15:09:17.259 general: debug 1: zone_maintenance: zone example.net/IN: enter
13-Jan-2010 15:09:17.259 general: info: zone example.net/IN: reconfiguring zone keys
13-Jan-2010 15:09:17.259 general: debug 1: Fetching KSK 19261/RSASHA1 from key repository.
13-Jan-2010 15:09:17.260 general: debug 1: Fetching ZSK 58161/RSASHA1 from key repository.
13-Jan-2010 15:09:17.284 general: debug 1: zone_journal: zone example.net/IN: enter
13-Jan-2010 15:09:17.287 general: debug 1: journal file dynamic/example.net/example.net.jnl does not exist, creating it
13-Jan-2010 15:09:17.287 general: debug 3: writing to journal
13-Jan-2010 15:09:17.290 general: debug 1: zone_settimer: zone example.net/IN: enter
13-Jan-2010 15:09:17.290 general: debug 1: zone_settimer: zone example.net/IN: enter
13-Jan-2010 15:09:17.290 general: critical: time.c:241: INSIST(t1->nanoseconds < 1000000000 && t2->nanoseconds < 1000000000) failed, back trace
13-Jan-2010 15:09:17.290 general: critical: #0 0x805aca9 in assertion_failed()+0x49
13-Jan-2010 15:09:17.290 general: critical: #1 0x81b6ad7 in isc_assertion_failed()+0x27
13-Jan-2010 15:09:17.290 general: critical: #2 0x81e9180 in isc_time_compare()+0x80
13-Jan-2010 15:09:17.291 general: critical: #3 0x816c0cf in zone_settimer()+0x19f
13-Jan-2010 15:09:17.291 general: critical: #4 0x818c743 in zone_rekey()+0xa03
13-Jan-2010 15:09:17.291 general: critical: #5 0x818c9d4 in dns_zone_rekey()+0x44
13-Jan-2010 15:09:17.291 general: critical: #6 0x818d004 in zone_timer()+0x564
13-Jan-2010 15:09:17.291 general: critical: #7 0x81d474e in run()+0x19e
13-Jan-2010 15:09:17.291 general: critical: #8 0x312ab5 in ??
13-Jan-2010 15:09:17.291 general: critical: #9 0x58683e in ??
13-Jan-2010 15:09:17.291 general: critical: exiting (due to assertion failure)

Has anyone seen this issue? Is there a bug on this? Or is there something I
can try to troubleshoot this?

When auto-dnssec allow is used, I have no problems signing the zone with
the rndc sign <zone> command.

Please advise

Thanks!


Patrick H. Piper
NETLINX, Inc.
ppiper at netlinxinc.com
www.netlinxinc.com
435-649-3367 (office)    |    980-721-7694 (cell)
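
An added example, not part of the original post and not BIND code: a Python script that rejoins mail-wrapped named log records like the ones quoted above and pulls out the failed assertion and its backtrace, so a crash can be grouped by the function it failed in. The names `unwrap`, `triage` and `failed_in` are assumptions made for this example; the sample is abridged from the log in the post.

```python
import re

REC = re.compile(r"^(\d\d-\w{3}-\d{4} [\d:.]+) (\S+): (critical|error|warning|notice|info|debug \d+): ?(.*)$")
ASSERT = re.compile(r"^(\S+):(\d+): (INSIST|REQUIRE|ENSURE|INVARIANT)\((.*)\) failed")
FRAME = re.compile(r"^#\d+ 0x[0-9a-f]+ in (\S+?)(?:\(\)\+0x[0-9a-f]+)?$")
PLUMBING = {"assertion_failed", "isc_assertion_failed"}  # reporting frames, not the cause

def unwrap(text):
    """Rejoin log records that a mail client wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        if REC.match(line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Return the first assertion failure with its backtrace, or None."""
    crash = None
    for rec in unwrap(text):
        sev, msg = REC.match(rec).group(3, 4)
        if sev != "critical":
            continue
        a, f = ASSERT.match(msg), FRAME.match(msg)
        if a and crash is None:
            crash = {"where": f"{a.group(1)}:{a.group(2)}", "kind": a.group(3),
                     "condition": a.group(4), "frames": []}
        elif f and crash is not None:
            crash["frames"].append(f.group(1))  # "??" when the symbol is unresolved
    if crash:
        crash["failed_in"] = next((n for n in crash["frames"] if n not in PLUMBING), None)
    return crash

# Sample input: abridged from the log in the post, still wrapped as the mail client left it.
SAMPLE = """\
13-Jan-2010 15:09:17.290 general: debug 1: zone_settimer: zone
example.net/IN: enter
13-Jan-2010 15:09:17.290 general: critical: time.c:241:
INSIST(t1->nanoseconds < 1000000000 && t2->nanoseconds < 1000000000) failed,
back trace
13-Jan-2010 15:09:17.290 general: critical: #0 0x805aca9 in
assertion_failed()+0x49
13-Jan-2010 15:09:17.290 general: critical: #1 0x81b6ad7 in
isc_assertion_failed()+0x27
13-Jan-2010 15:09:17.290 general: critical: #2 0x81e9180 in
isc_time_compare()+0x80
13-Jan-2010 15:09:17.291 general: critical: #8 0x312ab5 in ??
"""
```

Calling `triage(SAMPLE)` reports the assertion at `time.c:241` with `failed_in` set to `isc_time_compare`, the first frame after the assertion-reporting functions.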




