How to recover from "receive_secure_serial: not exact"?

bind-workers-post at ee.lbl.gov bind-workers-post at ee.lbl.gov
Thu Feb 25 21:19:12 UTC 2021


We recently upgraded from bind 9.16.11 to 9.16.12 and ended up with 
corrupt journal files for a couple of zones as described here:

     https://seclists.org/oss-sec/2021/q1/169

The one that's problematic has frequent ddns updates. At one point we 
unsigned the zone, deleted everything except the SOA and NS records from 
the unsigned zone, then resigned the (newly empty) zone, and finally 
used nsupdate to repopulate it. That worked for a while but a few hours 
later we started getting "receive_secure_serial: not exact" errors. Once 
this error first appears ddns updates to the zone "work" but are not 
visible via dns requests.

What is the procedure for recovering from this situation? The zone 
config looks similar to this:

     zone "example.net" {
             type master;
             file "dynamic/example.net";
             check-names ignore;
             auto-dnssec maintain;
             dnssec-secure-to-insecure yes;
             inline-signing yes;
             allow-update {
                     key update-key;
             };
     };

Rolling back to 9.16.11 is also an option.

		Craig

