How to recover from "receive_secure_serial: not exact"?

bind-workers-post at ee.lbl.gov
Thu Feb 25 22:07:02 UTC 2021


On 2/25/21 1:26 PM, Mark Andrews wrote:
> Really, I would remove "inline-signing yes;".  It really isn't needed when you are doing all the changes by dynamic update.  It is an option for those that can't/won't stop editing the zone by hand.

Ouch. We've been using inline-signing for two years and this is the 
first chronic problem it's caused.

Is inline-signing suspect in 9.16.12 (or in general)?

On 2/25/21 1:32 PM, Mark Andrews wrote:
> The error means that the contents of the signed version of the zone
> were out-of-sync with the unsigned version of the zone (the only
> expected difference may be the serial number).

Is it possible to fix this? Looking back I can only find two threads 
about this problem and one doesn't appear to be resolved:

     https://lists.isc.org/pipermail/bind-users/2018-June/100289.html

And the other is really old:

     https://lists.isc.org/pipermail/bind-users/2012-December/089368.html

and the suggested "solution" doesn't work.

		Craig

>> On 26 Feb 2021, at 08:19, bind-workers-post at ee.lbl.gov wrote:
>>
>> We recently upgraded from bind 9.16.11 to 9.16.12 and ended up with corrupt journal files for a couple of zones as described here:
>>
>>     https://seclists.org/oss-sec/2021/q1/169
>>
>> The one that's problematic has frequent ddns updates. At one point we unsigned the zone, deleted everything except the SOA and NS records from the unsigned zone, then resigned the (newly empty) zone, and finally used nsupdate to repopulate it. That worked for awhile but a few hours later we started getting "receive_secure_serial: not exact" errors. Once this error first appears ddns updates to the zone "work" but are not visible via dns requests.
>>
>> What is the procedure for recovering from this situation? The zone config looks similar to this:
>>
>>     zone "example.net" {
>>             type master;
>>             file "dynamic/example.net";
>>             check-names ignore;
>>             auto-dnssec maintain;
>>             dnssec-secure-to-insecure yes;
>>             inline-signing yes;
>>             allow-update {
>>                     key update-key;
>>             };
>>     };
>>
>> Rolling back to 9.16.11 is also an option.
>>
>> 		Craig
>> _______________________________________________
>> bind-workers mailing list
>> bind-workers at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-workers
> 
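An added check for the condition Mark describes above (the signed and unsigned copies of the zone agreeing except for the serial), written for this thread and not part of the original posts or of BIND itself. It assumes canonical one-record-per-line zone dumps such as those produced by `named-checkzone -D` or `dig axfr`, and the example.net records below are constructed.

```shell
# Added example (not from the thread): check whether the unsigned and the
# inline-signed copies of a zone still carry the same data; the
# "receive_secure_serial: not exact" error reports that they do not.
# Inputs are assumed to be canonical one-record-per-line zone text, e.g. from
# `named-checkzone -D` or `dig axfr`; the zone data below is constructed.

# Drop the record types the signer maintains itself (TYPE65534 is BIND's
# private signing-state record), mask the SOA serial, squeeze whitespace, sort.
normalize_zone() {
    awk '
        $4 == "RRSIG" || $4 == "NSEC" || $4 == "NSEC3" || $4 == "NSEC3PARAM" ||
        $4 == "DNSKEY" || $4 == "CDS" || $4 == "CDNSKEY" || $4 == "TYPE65534" { next }
        $4 == "SOA" { $7 = "<serial>" }
        { $1 = $1; print }
    ' | sort
}

# zones_in_sync UNSIGNED_TEXT SIGNED_TEXT
# Returns 0 when the two copies agree; otherwise prints the differing records
# ('<' only in the unsigned copy, '>' only in the signed copy) and returns 1.
zones_in_sync() {
    u=$(mktemp) && s=$(mktemp) || return 2
    printf '%s\n' "$1" | normalize_zone >"$u"
    printf '%s\n' "$2" | normalize_zone >"$s"
    if diff "$u" "$s"; then rc=0; else rc=1; fi
    rm -f "$u" "$s"
    return $rc
}

# Constructed sample: the unsigned zone after a dynamic update added host1 ...
UNSIGNED='example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2021022505 7200 3600 1209600 3600
example.net. 3600 IN NS ns1.example.net.
host1.example.net. 300 IN A 192.0.2.10'

# ... a signed copy that carried the update over (only the serial and the
# DNSSEC records differ, which is expected) ...
SIGNED_OK='example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2021022507 7200 3600 1209600 3600
example.net. 3600 IN NS ns1.example.net.
example.net. 3600 IN DNSKEY 257 3 13 c29tZWtleQ==
example.net. 3600 IN RRSIG NS 13 2 3600 20210325000000 20210225000000 12345 example.net. c2ln
example.net. 0 IN TYPE65534 \# 5 0D30390001
host1.example.net. 300 IN A 192.0.2.10'

# ... and a signed copy that never received the update: out of sync.
SIGNED_STALE='example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2021022507 7200 3600 1209600 3600
example.net. 3600 IN NS ns1.example.net.
example.net. 3600 IN DNSKEY 257 3 13 c29tZWtleQ=='
```

Run `zones_in_sync "$(cat unsigned.txt)" "$(cat signed.txt)"` against real dumps; a non-zero exit with listed records shows which data the signed copy lost or gained.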