Package: bind9
Version: 1:9.7.3.dfsg-1~squeeze6, 1:9.8.1.dfsg.P1-4.1
Severity: important
Hello,
When reloading or restarting bind9, if one of the zone files contains
errors, bind9 won't complain and the error goes unnoticed.
The worst part is that if the bind9 server is restarted it stops replying to
queries for that zone until someone fixes the error in the zone file and
restarts the server.
There is no way other than inspecting the syslog to find out that bind9 is
refusing to load the zone file that contains the errors.
See the following example test case:
$ cat /etc/bind/db.forxa
$TTL	604800
@	IN	SOA	localhost. root.localhost. (
			      2		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL
;
@	IN	NS	ns1
@	IN	MX	10	listas
@	IN	A	85.91.64.183
ns1	IN	A	127.0.0.1
*	IN	MX	5	listas
listas		IN	A	85.91.64.136
*	IN	A	85.91.64.183
$ cat /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
	type hint;
	file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};

zone "test.org" {
	type master;
	file "/etc/bind/db.forxa";
};
$ dig +short listas.test.org @127.0.0.1
85.91.64.136
Now introduce an error into the zone file (the RR type IN on line 14 becomes the bogus UN):
$ sed "s/listas\t\tIN/listas\t\tUN/" -i db.forxa
And reload the server:
$ service bind9 reload
[ ok ] Reloading domain name service...: bind9.
$ echo $?
0
Check the syslog:
Aug 6 11:54:31 trinity named[31626]: received control channel command 'reload'
Aug 6 11:54:31 trinity named[31626]: loading configuration from '/etc/bind/named.conf'
Aug 6 11:54:31 trinity named[31626]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Aug 6 11:54:31 trinity named[31626]: using default UDP/IPv4 port range: [1024, 65535]
Aug 6 11:54:31 trinity named[31626]: using default UDP/IPv6 port range: [1024, 65535]
Aug 6 11:54:31 trinity named[31626]: sizing zone task pool based on 9 zones
Aug 6 11:54:31 trinity named[31626]: using built-in root key for view _default
Aug 6 11:54:31 trinity named[31626]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Aug 6 11:54:31 trinity named[31626]: reloading configuration succeeded
Aug 6 11:54:31 trinity named[31626]: /etc/bind/db.forxa:14: unknown RR type 'UN'
Aug 6 11:54:31 trinity named[31626]: zone mancomun.org/IN: loading from master file /etc/bind/db.forxa failed: unknown class/type
Aug 6 11:54:31 trinity named[31626]: zone mancomun.org/IN: not loaded due to errors.
Aug 6 11:54:31 trinity named[31626]: reloading zones succeeded
Restart bind9:
$ service bind9 restart
[....] Stopping domain name service...: bind9waiting for pid 25326 to die
. ok
[ ok ] Starting domain name service...: bind9.
$ echo $?
0
No error. Try to query it:
$ dig +short listas.test.org @127.0.0.1
No reply.
The same problem occurs on squeeze (bind9=1:9.7.3.dfsg-1~squeeze6)
and wheezy (bind9=1:9.8.1.dfsg.P1-4.1).
IMHO the init script for bind9 should, at least, print a warning when one of the
zone files contains errors.
Thanks!
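A pre-reload check of the kind the report asks for, written here as an added example (it is not from the bug report and not Debian's bind9 init script): it lists the "type master" zones of a named.conf fragment and test-loads each with named-checkzone(8), so a broken zone file fails loudly with a non-zero exit status instead of being dropped silently. It assumes the one-zone-per-block layout shown above, does not follow include directives, and CHECKZONE is an assumed hook for substituting another checker.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Debian's bind9 init script.
# Assumes one zone per block as in named.conf.default-zones; "include"
# directives are not followed. CHECKZONE is an assumed override hook
# (defaults to named-checkzone from the bind9utils package).

# Print "<zone> <file>" for every master zone defined in the file $1.
list_master_zones() {
    awk '
        /^[[:space:]]*zone[[:space:]]+"/ {            # zone "name" {
            name = $0; sub(/^[^"]*"/, "", name); sub(/".*/, "", name)
            type = ""; file = ""
        }
        /^[[:space:]]*type[[:space:]]+/ {             # type master;
            type = $2; sub(/;.*/, "", type)
        }
        /^[[:space:]]*file[[:space:]]+"/ {            # file "/path";
            file = $0; sub(/^[^"]*"/, "", file); sub(/".*/, "", file)
        }
        /^[[:space:]]*};/ {                           # end of the zone block
            if (name != "" && type == "master" && file != "") print name, file
            name = ""
        }
    ' "$1"
}

# Test-load each master zone; return 1 if any of them fails. The checker
# output (e.g. "unknown RR type") stays on the terminal instead of only
# in syslog, which is what the init script output above does not give you.
check_master_zones() {
    zones=$(list_master_zones "$1")
    status=0
    while read -r name file; do
        [ -n "$name" ] || continue
        if ! "${CHECKZONE:-named-checkzone}" "$name" "$file"; then
            echo "zone $name: $file failed to load; refusing to reload" >&2
            status=1
        fi
    done <<EOF
$zones
EOF
    return $status
}

# Usage: sh safe-reload.sh /etc/bind/named.conf.default-zones
# Only reaches "service bind9 reload" when every master zone passes.
if [ $# -gt 0 ]; then
    check_master_zones "$1" && service bind9 reload
fi
```

For a full configuration with includes, `named-checkconf -z /etc/bind/named.conf` performs the same test load of all master zones in one go.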