Possible issue with BIND 9.9.0/9.9.1

Spain, Dr. Jeffry A. spainj at countryday.net
Fri Jun 1 02:07:07 UTC 2012


> The "MSG SIZE rcvd" status says it all. Additionally, I'm getting sporadic messages where my inline-signed zones have "No signing records found", including this one, and experiencing crashes when trying to transfer these zones to my secondary.

> I've experienced this on several other zones, forcing me to revert to the "old school" method of signing zones. Has anyone experienced such an issue, and can I supply more information to help identify what is causing this error, and more importantly, how to fix it?

I don't know why this might be happening, but thought it might be helpful if I tried to reproduce it. I built a VM with Ubuntu 12.04 LTS x64 and installed BIND 9.9.1. I used the zone file you provided, generated a set of DNSSEC keys, and used the following rudimentary configuration files:

named.conf:
// Bind 9.9 DNS Server Primary Configuration File

// Add server options to /etc/bind/named.conf.options
// Add authoritative zone configuraiton to /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

// Default Zone Configuration
// Root Hints
// zone "." { type hint; file "/etc/bind/root-hints.db"; };
// Localhost Zones (RFC 1912)
zone "localhost" { type master; file "/etc/bind/localhost.db"; };
zone "127.in-addr.arpa" { type master; file "/etc/bind/127.in-addr.arpa.db"; };
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
 type master; file "/etc/bind/localhost-rev-ipv6.db"; };

named.conf.options:
options {
        directory "/var/cache/bind";
        version none;
        allow-query { any; };
        allow-transfer { any; };
        recursion no;
};

named.conf.local:
zone "m.202.216.in-addr.arpa" in {
        type master;
        file "/var/lib/bind/zones/m.202.216.in-addr.arpa/m.202.216.in-addr.arpa.db";
        key-directory "/var/lib/bind/keys/m.202.216.in-addr.arpa";
        auto-dnssec maintain;
        inline-signing yes;
        notify no;
};

dig @localhost m.202.216.in-addr.arpa TYPE65400 +dnssec +multi returns correct data:
; <<>> DiG 9.9.1 <<>> @localhost m.202.216.in-addr.arpa TYPE65400 +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11285
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;m.202.216.in-addr.arpa.        IN TYPE65400

;; ANSWER SECTION:
m.202.216.in-addr.arpa. 86400 IN TYPE65400 \# 0
m.202.216.in-addr.arpa. 86400 IN RRSIG TYPE65400 7 5 86400 (
                                20120701004858 20120601002751 59000 m.202.216.in-addr.arpa.
                                hBNMG6vMBeZek/Ua1rlmVoXXdelft/ZFFUMqcSZmTCYU
                                HHs2Nne9uGBgskwal9hY6f6sGD3vm5ee+LuWUYyRH/ey
                                +bkwLZRfdW3Y5ZVEnaVeDKLAE1iv57TgPeNXFDRB5Ucr
                                S2IQXFt3baG06x4nmJ1c/ETaaE88CILaC1Cr7lo= )

;; AUTHORITY SECTION:
m.202.216.in-addr.arpa. 86400 IN NS dnssec2.Level3.net.
m.202.216.in-addr.arpa. 86400 IN NS dnssec1.Level3.net.
m.202.216.in-addr.arpa. 86400 IN RRSIG NS 7 5 86400 (
                                20120701004858 20120601002751 59000 m.202.216.in-addr.arpa.
                                VVR3zmGgfVHU+0HT6Dj331NqJcS9SXqEPCezfO2fAgPT
                                8fP5+6JcBGcItgT1P56z3h88rm0MMHiYdapqK5sbzFrm
                                ngn02bS5PnE3V5W1hK/ZeVeQ82H7uBczkdNDHEfi8JVv
                                i3icaTQtz1VUVDyHevnLBe+z7lLWEr4yByO8Thg= )

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 31 21:40:23 2012
;; MSG SIZE  rcvd: 481

I did get an error with named-checkzone:
# named-checkzone -D -f raw -F text -j -o m.202.216.in-addr.arpa.db.dumped m.202.216.in-addr.arpa /var/lib/bind/zones/m.202.216.in-addr.arpa/m.202.216.in-addr.arpa.db.signed
zone m.202.216.in-addr.arpa/IN: loaded serial 2012052203 (DNSSEC signed)
OK
*** glibc detected *** named-checkzone: free(): invalid pointer: 0x00007f89258e1088 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7e626)[0x7f8924bb1626]
/usr/lib/libisc.so.90(+0x1ac3a)[0x7f8924f0ac3a]
/usr/lib/libisc.so.90(isc___mem_put+0x7c)[0x7f8924f0c6cc]
/usr/lib/libdns.so.93(+0x83c36)[0x7f89251c8c36]
/usr/lib/libdns.so.93(dns_rbt_destroy2+0x77)[0x7f89251bbbc7]
/usr/lib/libdns.so.93(+0x7f09a)[0x7f89251c409a]
/usr/lib/libdns.so.93(+0x7f9b2)[0x7f89251c49b2]
/usr/lib/libdns.so.93(+0x8a300)[0x7f89251cf300]
/usr/lib/libdns.so.93(dns_db_detach+0x20)[0x7f892517dbe0]
/usr/lib/libdns.so.93(+0x11f16c)[0x7f892526416c]
/usr/lib/libdns.so.93(dns_zone_detach+0x129)[0x7f892526ca29]
named-checkzone[0x402b36]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7f8924b5476d]
named-checkzone[0x4030c5]
======= Memory map: ========
00400000-00406000 r-xp 00000000 fc:00 280337                             /usr/sbin/named-checkzone
00605000-00606000 r--p 00005000 fc:00 280337                             /usr/sbin/named-checkzone
00606000-00607000 rw-p 00006000 fc:00 280337                             /usr/sbin/named-checkzone
01473000-014b7000 rw-p 00000000 00:00 0                                  [heap]
7f8923f1d000-7f8923f32000 r-xp 00000000 fc:00 784940                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f8923f32000-7f8924131000 ---p 00015000 fc:00 784940                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f8924131000-7f8924132000 r--p 00014000 fc:00 784940                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f8924132000-7f8924133000 rw-p 00015000 fc:00 784940                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7f8924133000-7f8924149000 r-xp 00000000 fc:00 785124                     /lib/x86_64-linux-gnu/libz.so.1.2.3.4
7f8924149000-7f8924348000 ---p 00016000 fc:00 785124                     /lib/x86_64-linux-gnu/libz.so.1.2.3.4
7f8924348000-7f8924349000 r--p 00015000 fc:00 785124                     /lib/x86_64-linux-gnu/libz.so.1.2.3.4
7f8924349000-7f892434a000 rw-p 00016000 fc:00 785124                     /lib/x86_64-linux-gnu/libz.so.1.2.3.4
7f892434a000-7f892434c000 r-xp 00000000 fc:00 784934                     /lib/x86_64-linux-gnu/libdl-2.15.so
7f892434c000-7f892454c000 ---p 00002000 fc:00 784934                     /lib/x86_64-linux-gnu/libdl-2.15.so
7f892454c000-7f892454d000 r--p 00002000 fc:00 784934                     /lib/x86_64-linux-gnu/libdl-2.15.so
7f892454d000-7f892454e000 rw-p 00003000 fc:00 784934                     /lib/x86_64-linux-gnu/libdl-2.15.so
7f892454e000-7f8924566000 r-xp 00000000 fc:00 784938                     /lib/x86_64-linux-gnu/libpthread-2.15.so
7f8924566000-7f8924765000 ---p 00018000 fc:00 784938                     /lib/x86_64-linux-gnu/libpthread-2.15.so
7f8924765000-7f8924766000 r--p 00017000 fc:00 784938                     /lib/x86_64-linux-gnu/libpthread-2.15.so
7f8924766000-7f8924767000 rw-p 00018000 fc:00 784938                     /lib/x86_64-linux-gnu/libpthread-2.15.so
7f8924767000-7f892476b000 rw-p 00000000 00:00 0 
7f892476b000-7f892490a000 r-xp 00000000 fc:00 788979                     /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f892490a000-7f8924b09000 ---p 0019f000 fc:00 788979                     /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f8924b09000-7f8924b24000 r--p 0019e000 fc:00 788979                     /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f8924b24000-7f8924b2f000 rw-p 001b9000 fc:00 788979                     /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f8924b2f000-7f8924b33000 rw-p 00000000 00:00 0 
7f8924b33000-7f8924ce6000 r-xp 00000000 fc:00 784914                     /lib/x86_64-linux-gnu/libc-2.15.so
7f8924ce6000-7f8924ee5000 ---p 001b3000 fc:00 784914                     /lib/x86_64-linux-gnu/libc-2.15.so
7f8924ee5000-7f8924ee9000 r--p 001b2000 fc:00 784914                     /lib/x86_64-linux-gnu/libc-2.15.so
7f8924ee9000-7f8924eeb000 rw-p 001b6000 fc:00 784914                     /lib/x86_64-linux-gnu/libc-2.15.so
7f8924eeb000-7f8924ef0000 rw-p 00000000 00:00 0 
7f8924ef0000-7f8924f44000 r-xp 00000000 fc:00 280252                     /usr/lib/libisc.so.90.1.1
7f8924f44000-7f8925143000 ---p 00054000 fc:00 280252                     /usr/lib/libisc.so.90.1.1
7f8925143000-7f8925144000 r--p 00053000 fc:00 280252                     /usr/lib/libisc.so.90.1.1
7f8925144000-7f8925145000 rw-p 00054000 fc:00 280252                     /usr/lib/libisc.so.90.1.1
7f8925145000-7f89252cf000 r-xp 00000000 fc:00 280261                     /usr/lib/libdns.so.93.1.1
7f89252cf000-7f89254ce000 ---p 0018a000 fc:00 280261                     /usr/lib/libdns.so.93.1.1
7f89254ce000-7f89254cf000 r--p 00189000 fc:00 280261                     /usr/lib/libdns.so.93.1.1
7f89254cf000-7f89254d4000 rw-p 0018a000 fc:00 280261                     /usr/lib/libdns.so.93.1.1
7f89254d4000-7f89254ee000 r-xp 00000000 fc:00 280266                     /usr/lib/libisccfg.so.90.0.1
7f89254ee000-7f89256ed000 ---p 0001a000 fc:00 280266                     /usr/lib/libisccfg.so.90.0.1
7f89256ed000-7f89256ee000 r--p 00019000 fc:00 280266                     /usr/lib/libisccfg.so.90.0.1
7f89256ee000-7f89256f4000 rw-p 0001a000 fc:00 280266                     /usr/lib/libisccfg.so.90.0.1
7f89256f4000-7f89256f5000 rw-p 00000000 00:00 0 
7f89256f5000-7f8925717000 r-xp 00000000 fc:00 784918                     /lib/x86_64-linux-gnu/ld-2.15.so
7f89258ca000-7f8925910000 rw-p 00000000 00:00 0 
7f8925913000-7f8925917000 rw-p 00000000 00:00 0 
7f8925917000-7f8925918000 r--p 00022000 fc:00 784918                     /lib/x86_64-linux-gnu/ld-2.15.so
7f8925918000-7f892591a000 rw-p 00023000 fc:00 784918                     /lib/x86_64-linux-gnu/ld-2.15.so
7fff30603000-7fff30624000 rw-p 00000000 00:00 0                          [stack]
7fff306b0000-7fff306b1000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)

Looking at the output file m.202.216.in-addr.arpa.db.dumped, the data field for the TYPE65400 record contains a large amount of garbage after "\#". See the attached file. This seems related to your results with dig, but I can't speculate as to how. Hopefully members of the developer group will comment. I'd be happy to do further testing if anyone suggests a direction for such.
	
Best regards, Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
6905 Given Road, Cincinnati, OH 45243-2898, USA
Phone +1 (513) 979-0299; Fax +1 (513) 527-7632 (UTC-4)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: m.202.216.in-addr.arpa.db.dumped
Type: application/octet-stream
Size: 104010 bytes
Desc: m.202.216.in-addr.arpa.db.dumped
URL: <https://lists.isc.org/pipermail/bind-workers/attachments/20120601/d4092ef7/attachment-0001.obj>


More information about the bind-workers mailing list