Package: bind9-dyndb-ldap Version: 10.1-1 Severity: important -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
After configuring a basic setup with bind9-dyndb-ldap, I tried enabling DNSSEC inline signing. It does seem to work, but only sporadically. Most of the time, most zones fail to be signed with the following errors in the logs: Mar 7 06:33:53 shore named[19793]: zone koenig-moderig.de/IN (signed): reconfiguring zone keys Mar 7 06:33:53 shore named[19793]: malformed transaction: dyndb-ldap/naturalnet/master/koenig-moderig.de/signed.jnl last serial 1488398609 != transaction first serial 1488398610 Mar 7 06:33:53 shore named[19793]: zone koenig-moderig.de/IN (signed): zone_rekey:dns_journal_write_transaction -> unexpected error It seems like BIND cannot write the journal, but there is no permission issue or anything else. In fact, a few minutes later, BIND might sign the zone just fine. I even used strace to trace anything happening to the journal, and in the case where the above error is produced, I see BIND happily opening, writing and closing signed.jnl. There seems to be a known issue with BIND hitting this issue in a few corner cases, mostly “fixed” by restarting BIND, but this simple solution does not work here. - -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.7.0-1-amd64 (SMP w/6 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages bind9-dyndb-ldap depends on: ii bind9 1:9.10.3.dfsg.P4-12 ii libc6 2.24-9 ii libdns162 1:9.10.3.dfsg.P4-12 ii libisc160 1:9.10.3.dfsg.P4-12 ii libkrb5-3 1.15-1 ii libldap-2.4-2 2.4.44+dfsg-3 ii libuuid1 2.29.1-1 bind9-dyndb-ldap recommends no packages. bind9-dyndb-ldap suggests no packages. - -- no debconf information -----BEGIN PGP SIGNATURE----- iQJ4BAEBCABiFiEEPJ1UpHV1wCb7F/0mt5o8FqDE8pYFAli/O/UxGmh0dHBzOi8v d3d3LmRvbWluaWstZ2VvcmdlLmRlL2dwZy1wb2xpY3kudHh0LmFzYxIcbmlrQG5h dHVyYWxuZXQuZGUACgkQt5o8FqDE8pYd3Q//QaCbewR5b4TNDllntitPBeLzswJ1 FuZ41+QIebPUQoknSd9dQXHgvunXxm8x1zkilAv9bVHozwbL6q6Iz48pGuaTwgbG OmVCnAzUpuG55k26xOw+07IYLgx2smPMjzrjYOH1Tbmgafas0nbucqyFn37JdYg2 EFHp2Nac+Ui83zFeZiybV+2mZDR2zx1HV9SFa9IRQFjS4jGz6Evtur9mfV4vFBPx ++zgdafrtgnF1udD4bZ6j+OrmN9mmu0L0Bn7L8mOZVsDmq+Ki3crvPdoqInTjMK2 pTrQ0zKPzlrxTt1RayMXFHdJwj4hLyCd20eWwUTQTovrI1gW3fLbL2VmT8UQkJqU Qj24j78jKG75Ri7wuo+hHRwNBqgt/FOLwC6kxFCg6vElZDnvL9RrHlQCkXR4U2hD v8d78OtHrOFVNgqD67/83dZcYEPARwT4zeKXUcPO1UDparjn5Kf4bBwaj7GaS2uS pH6XsyDN+ZfTHo9jPW494oFIJZsgZgDSKhFRjA+SCLJ2D42nwMR8nkBYz/R29PMS rYI1x9mRZLAsoQBJfEHvBxR676F39TjNvweGhYVVnbG1EHeFotJaNoUqbeJgDznr WW8WSKgMoyTbtMebxdm0Hxk3paZ9WXNp2H8ntHRy46DyORfEJ3F/K7Hop9H+POfk o76PlOb9THkaRMc= =l2b6 -----END PGP SIGNATURE-----