BIND 9.11.1-P3 revives expired zones briefly during reconfig

BIND 9.11.1-P3 revives expired zones briefly during reconfig

Anand Buddhdev
Hello BIND developers,

I've updated from BIND 9.10 to 9.11, and noticed the following happening
whenever "rndc reconfig" is run:

05-Aug-2017 11:11:42.066 general: received control channel command
'reconfig'
05-Aug-2017 11:11:42.066 general: loading configuration from
'/etc/named/named.conf'
...
...
05-Aug-2017 11:11:42.525 general: zone 116.195.in-addr.arpa/IN/main:
loaded serial 2017020301
05-Aug-2017 11:11:42.525 general: zone 116.195.in-addr.arpa/IN/main: expired
05-Aug-2017 11:11:42.533 general: zone egouv.ci/IN/main: loaded serial
2017062009
05-Aug-2017 11:11:42.606 general: zone 232.128.in-addr.arpa/IN/main:
loaded serial 2017071557 (DNSSEC signed)
05-Aug-2017 11:11:42.638 general: zone 43.137.in-addr.arpa/IN/main:
loaded serial 2017071100
05-Aug-2017 11:11:42.638 general: zone 43.137.in-addr.arpa/IN/main: expired
05-Aug-2017 11:11:42.639 general: any newly configured zones are now loaded
05-Aug-2017 11:11:42.639 general: zone egouv.ci/IN/main: expired
05-Aug-2017 11:11:42.646 general: zone 232.128.in-addr.arpa/IN/main: expired
05-Aug-2017 11:11:42.659 general: running

For a moment, BIND loads expired zones, and even answers queries for
them, and then sets their state back to expired. This didn't happen on
9.10, but has been happening on 9.11. Is there a reason this behaviour
has changed?

Regards,
Anand
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
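
The log pattern reported in the post above, as an added example that is not part of the original message or of BIND: a Python check that rejoins the e-mail-wrapped log lines and reports every zone that was loaded and then marked expired, with the number of milliseconds between the two events. The function names are illustrative, and the sample input is an excerpt of the log quoted in the post.

```python
import re
from datetime import datetime

# Excerpt of the log from the post above, keeping its e-mail line wrapping.
SAMPLE_LOG = """\
05-Aug-2017 11:11:42.066 general: received control channel command
'reconfig'
05-Aug-2017 11:11:42.525 general: zone 116.195.in-addr.arpa/IN/main:
loaded serial 2017020301
05-Aug-2017 11:11:42.525 general: zone 116.195.in-addr.arpa/IN/main: expired
05-Aug-2017 11:11:42.533 general: zone egouv.ci/IN/main: loaded serial
2017062009
05-Aug-2017 11:11:42.606 general: zone 232.128.in-addr.arpa/IN/main:
loaded serial 2017071557 (DNSSEC signed)
05-Aug-2017 11:11:42.639 general: zone egouv.ci/IN/main: expired
05-Aug-2017 11:11:42.646 general: zone 232.128.in-addr.arpa/IN/main: expired
"""

STAMP = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
ZONE = re.compile(r"zone (\S+): (loaded serial (\d+)|expired)")

def records(text):
    """Yield (timestamp, message), rejoining wrapped continuation lines."""
    current = None
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            if current:
                yield current
            current = (datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f"), m.group(2))
        elif current and line.strip():
            current = (current[0], current[1] + " " + line.strip())
    if current:
        yield current

def revived_zones(text):
    """Return [(zone, serial, ms_loaded)] for zones loaded and then expired."""
    loaded, hits = {}, []
    for ts, msg in records(text):
        m = ZONE.search(msg)
        if m and m.group(3):                  # "loaded serial N"
            loaded[m.group(1)] = (ts, int(m.group(3)))
        elif m and m.group(1) in loaded:      # "expired" following a load
            t0, serial = loaded.pop(m.group(1))
            hits.append((m.group(1), serial, round((ts - t0).total_seconds() * 1000)))
    return hits

if __name__ == "__main__":
    print(revived_zones(SAMPLE_LOG))
```

A zone reported with a non-zero interval was in the loaded state for that long before being set back to expired, which is the window in which the post says queries were answered.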
Re: BIND 9.11.1-P3 revives expired zones briefly during reconfig

taras.kramarets
Hello, I'm not working in this company anymore!

Please write to Volia support.

Hello! I no longer work at this company; please write to Volia support.
Re: BIND 9.11.1-P3 revives expired zones briefly during reconfig

Mukund Sivaraman
In reply to this post by Anand Buddhdev
Hi Anand

On Sun, Aug 06, 2017 at 09:30:01AM +0200, Anand Buddhdev wrote:

> Hello BIND developers,
>
> I've updated from BIND 9.10 to 9.11, and noticed the following happening
> whenever "rndc reconfig" is run:
>
> 05-Aug-2017 11:11:42.066 general: received control channel command
> 'reconfig'
> 05-Aug-2017 11:11:42.066 general: loading configuration from
> '/etc/named/named.conf'
> ...
> ...
> 05-Aug-2017 11:11:42.525 general: zone 116.195.in-addr.arpa/IN/main:
> loaded serial 2017020301
> 05-Aug-2017 11:11:42.525 general: zone 116.195.in-addr.arpa/IN/main: expired
> 05-Aug-2017 11:11:42.533 general: zone egouv.ci/IN/main: loaded serial
> 2017062009
> 05-Aug-2017 11:11:42.606 general: zone 232.128.in-addr.arpa/IN/main:
> loaded serial 2017071557 (DNSSEC signed)
> 05-Aug-2017 11:11:42.638 general: zone 43.137.in-addr.arpa/IN/main:
> loaded serial 2017071100
> 05-Aug-2017 11:11:42.638 general: zone 43.137.in-addr.arpa/IN/main: expired
> 05-Aug-2017 11:11:42.639 general: any newly configured zones are now loaded
> 05-Aug-2017 11:11:42.639 general: zone egouv.ci/IN/main: expired
> 05-Aug-2017 11:11:42.646 general: zone 232.128.in-addr.arpa/IN/main: expired
> 05-Aug-2017 11:11:42.659 general: running
>
> For a moment, BIND loads expired zones, and even answers queries for
> them, and then sets their state back to expired. This didn't happen on
> 9.10, but has been happening on 9.11. Is there a reason this behaviour
> has changed?

Which exact version of 9.11 is this? Is their master NSD or some 3rd
party signer? Can you create a bug ticket with your named config
(named-checkconf -px) ?

                Mukund
Re: BIND 9.11.1-P3 revives expired zones briefly during reconfig

Anand Buddhdev
On 06/08/2017 13:49, Mukund Sivaraman wrote:

Hi Mukund,

> Which exact version of 9.11 is this? Is their master NSD or some 3rd
> party signer? Can you create a bug ticket with your named config
> (named-checkconf -px) ?

As I wrote in the subject, it's BIND 9.11.1-P3. The masters of these
name servers are unknown, but I can attempt to probe them with
ch/txt/version.bind queries to try and find out.

Will the bug report be publicly viewable?

Regards,
Anand
Re: BIND 9.11.1-P3 revives expired zones briefly during reconfig

taras.kramarets
In reply to this post by Anand Buddhdev
Hello, I'm not working in this company anymore!

Please write to Volia support.

Hello! I no longer work at this company; please write to Volia support.
Re: BIND 9.11.1-P3 revives expired zones briefly during reconfig

Mukund Sivaraman
In reply to this post by Anand Buddhdev
On Sun, Aug 06, 2017 at 08:07:51PM +0200, Anand Buddhdev wrote:
> On 06/08/2017 13:49, Mukund Sivaraman wrote:
>
> Hi Mukund,
>
> > Which exact version of 9.11 is this? Is their master NSD or some 3rd
> > party signer? Can you create a bug ticket with your named config
> > (named-checkconf -px) ?
>
> As I wrote in the subject, it's BIND 9.11.1-P3. The masters of these

Sorry Anand, I missed that :)

> name servers are unknown, but I can attempt to probe them with
> ch/txt/version.bind queries to try and find out.

I wonder if the zones on the slaves expired because the slave was not
able to XFR them. After the recent TSIG CVE, for about a week, we had a
(non-security) bug in BIND due to which named didn't correctly validate
a kind of TSIG signed AXFR/IXFR (specifically BIND as slave receiving
from NSD as master was affected by the bug - due to BIND's fault). It
was fixed soon after in another patch release.

9.11.1-P3 has the fix for this, but I wonder if the older 9.10 release
that you were running had this bug that prevented successful transfers
of the slave zones that caused them to expire, which caused them to be
unloaded on startup.

Or there could be some other reason. :)

> Will the bug report be publicly viewable?

You can send it to [hidden email].

                Mukund