How to recover from "receive_secure_serial: not exact"?
bind-workers-post at ee.lbl.gov
Thu Feb 25 21:19:12 UTC 2021
We recently upgraded from bind 9.16.11 to 9.16.12 and ended up with
corrupt journal files for a couple of zones as described here:
https://seclists.org/oss-sec/2021/q1/169
The one that's problematic has frequent ddns updates. At one point we
unsigned the zone, deleted everything except the SOA and NS records from
the unsigned zone, then resigned the (newly empty) zone, and finally
used nsupdate to repopulate it. That worked for a while but a few hours
later we started getting "receive_secure_serial: not exact" errors. Once
this error first appears ddns updates to the zone "work" but are not
visible via dns requests.
What is the procedure for recovering from this situation? The zone
config looks similar to this:
    zone "example.net" {
        type master;
        file "dynamic/example.net";
        check-names ignore;
        auto-dnssec maintain;
        dnssec-secure-to-insecure yes;
        inline-signing yes;
        allow-update {
            key update-key;
        };
    };
Rolling back to 9.16.11 is also an option.
Craig