Package: bind9
Version: 1:9.11.5.P4+dfsg-5.1
Severity: normal
Dear Maintainer,
Severity is important for me, but obviously this isn't happening to
everyone. Every time I start, bind9 fails, and all the other startup
services that require working DNS end up in various semi-broken
states. I can fix this after the system is up.
* What led up to the situation?
Start or restart the system. bind9 attempts to start, but fails
with the error that it is unable to cd to /var/cache/bind. This
happens every time.
New installation of buster with existing customizations from an old
system ported over, with adoptions.
resolvconf in use.
/var is a separate partition. See details below for my theory the
failure arises from a race condition in which bind starts before
/var is mounted.
* What exactly did you do (or not do) that was effective (or
ineffective)?
1. I have added /etc/systemd/system/bind9.service.d/override.conf with
[Unit]
RequiresMountsFor=/var
but it didn't help.
2. *After* the system has started I can start bind successfully.
Then I need to restart other services that were messed up by lack
of DNS.
3. Reviewed and maybe added some entries to the apparmor profile.
This helped with some of my customizations, but a simple apparmor
problem would not block initial access to a directory and then
permit later access.
4. Discuss on debian-user.
* What outcome did you expect instead?
I expected bind would start the first time.
* Details
The root partition includes /var/cache, but no /var/cache/bind.
When the partition with /var is mounted it has a /var/cache/bind
directory.
So it seems most likely the initial startup is happening before /var
is mounted, and fails when it can't find /var/cache/bind, while the
later startups happen after /var is mounted and so succeed.
The default systemd is controlling startup.
I'm not sure what I need to do to express this dependency properly;
either my RequireMountsFor does not have the effects my reading of the
documentation suggests it should, or my override is not actually
taking effect.
/var is encrypted on top of lvm, so it takes a bunch of steps to mount
it. However, it does not require me to enter any new passwords to
decrypt it. The root partition does require me to enter a password,
which happens early in startup.
/etc/systemd/system/bind9.service.wants/bind9-resolvconf.service is a
symlink to /lib/systemd/system/bind9-resolvconf.service. I believe it
is present because I deliberately activated it. This might be
inconsistent with the debconf run-resolvconf setting (of false).
I'm master for my local domain with files in /var/lib/bind; I have
inside and outside views.
I'm using /run/named/named.resolvers as suggested by this package (at
least in earlier versions) and scripts based on those previously
distributed with this package.
Logs:
-- Logs begin at Sat 2019-05-11 16:11:40 PDT, end at Sat 2019-05-11 17:08:02 PDT. --
May 11 16:11:42 barley named[609]: linked to libjson-c version: 0.12.1
May 11 16:11:42 barley named[609]: threads support is enabled
May 11 16:11:42 barley named[609]: ----------------------------------------------------
May 11 16:11:42 barley named[609]: BIND 9 is maintained by Internet Systems Consortium,
May 11 16:11:42 barley named[609]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
May 11 16:11:42 barley named[609]: corporation. Support and training for BIND 9 are
May 11 16:11:42 barley named[609]: available at https://www.isc.org/support
May 11 16:11:42 barley named[609]: ----------------------------------------------------
May 11 16:11:42 barley named[609]: adjusted limit on open files from 524288 to 1048576
May 11 16:11:42 barley named[609]: found 8 CPUs, using 8 worker threads
May 11 16:11:42 barley named[609]: using 7 UDP listeners per interface
May 11 16:11:42 barley named[609]: using up to 4096 sockets
May 11 16:11:44 barley named[609]: loading configuration from '/etc/bind/named.conf'
May 11 16:11:44 barley named[609]: /etc/bind/named.conf.options:2: change directory to '/var/cache/bind' failed: file not found
May 11 16:11:44 barley named[609]: /etc/bind/named.conf.options:2: parsing failed: file not found
May 11 16:11:44 barley named[609]: loading configuration: file not found
May 11 16:11:44 barley named[609]: exiting (due to fatal error)
-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages bind9 depends on:
ii adduser 3.118
ii bind9utils 1:9.11.5.P4+dfsg-5.1
ii debconf [debconf-2.0] 1.5.71
ii dns-root-data 2019031302
ii libbind9-161 1:9.11.5.P4+dfsg-5.1
ii libc6 2.28-10
ii libcap2 1:2.25-2
ii libcom-err2 1.44.5-1
ii libdns1104 1:9.11.5.P4+dfsg-5.1
ii libfstrm0 0.4.0-1
ii libgeoip1 1.6.12-1
ii libgssapi-krb5-2 1.17-3
ii libisc1100 1:9.11.5.P4+dfsg-5.1
ii libisccc161 1:9.11.5.P4+dfsg-5.1
ii libisccfg163 1:9.11.5.P4+dfsg-5.1
ii libjson-c3 0.12.1+ds-2
ii libk5crypto3 1.17-3
ii libkrb5-3 1.17-3
ii liblmdb0 0.9.22-1
ii liblwres161 1:9.11.5.P4+dfsg-5.1
ii libprotobuf-c1 1.3.1-1+b1
ii libssl1.1 1.1.1c-1
ii libxml2 2.9.4+dfsg1-7+b3
ii lsb-base 10.2019051400
ii net-tools 1.60+git20180626.aebd88e-1
ii netbase 5.6
bind9 recommends no packages.
Versions of packages bind9 suggests:
ii bind9-doc 1:9.11.5.P4+dfsg-5.1
ii dnsutils 1:9.11.5.P4+dfsg-5.1
ii resolvconf 1.79
pn ufw <none>
-- Configuration Files:
/etc/bind/named.conf changed:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
// must go inside view: include "/etc/bind/named.conf.default-zones";
/etc/bind/named.conf.local changed:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
acl internals { ::1; 127.0.0.1; 192.168.1.0/24; 192.168.122.0/24; };
logging {
channel update_debug{
file "/var/log/named/dnsupdate.log";
severity debug 3;
print-category yes;
print-severity yes;
print-time yes;
};
channel security_info {
file "/var/log/named/dnssec.log";
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
channel general_debug {
file "/var/log/named/dnsdebug.log";
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category update {update_debug;};
category security {security_info;};
/* following are for debugging. use with rndc trace.*/
category query-errors {general_debug;};
category default {general_debug;};
category general {general_debug;};
category security {general_debug;};
category config {general_debug;};
category resolver {general_debug;};
category client {general_debug;};
category unmatched {general_debug;};
category queries {general_debug;};
/**/
};
view "inside" {
match-clients { internals; };
recursion yes;
// allow dhcp to update me
include "/etc/bind/rndc.key";
include "/etc/bind/named.conf.default-zones";
zone "1.168.192.in-addr.arpa" {
type master;
file "/var/lib/bind/db.192";
journal "/var/lib/bind/db.192.jnl";
allow-query { internals; };
allow-transfer { internals; };
allow-update { key rndc-key;};
};
// maybe 122.168.192 as well?
zone "betterworld.us" {
notify no;
type master;
file "/var/lib/bind/inside-betterworld.us";
journal "/var/lib/bind/inside-betterworld.us.jnl";
allow-update { key rndc-key;};
};
};
lwres {
view "inside";
search { "betterworld.us";};
};
/etc/bind/named.conf.options changed:
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
// RB modified resolv.conf with custom /etc/resolvconf/update.d/bind9 to create this file.
include "/run/named/named.resolvers";
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
listen-on-v6 { any; };
};
-- debconf information:
bind9/start-as-user: bind
bind9/run-resolvconf: false
bind9/different-configuration-file:
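The drop-in below is an added example for checking the mount-ordering theory in this report; it is not part of the bug report or of the Debian bind9 package. It keeps the reporter's RequiresMountsFor=/var and adds a condition so that, if the ordering is still wrong, the unit is skipped with a clear "condition failed" status instead of named failing on chdir. It assumes /var is listed in /etc/fstab (so that systemd generates var.mount for RequiresMountsFor= to pull in and order after) and that the paths are the ones from the report.

```ini
# /etc/systemd/system/bind9.service.d/override.conf
# Added example, not from the bug report. Assumes /var is in /etc/fstab
# so that systemd creates var.mount; RequiresMountsFor= adds both
# Requires= and After= on that mount unit.
[Unit]
RequiresMountsFor=/var
# Fail fast and visibly if the working directory is still absent
# (e.g. the root filesystem's empty /var/cache is what is visible).
ConditionPathIsDirectory=/var/cache/bind
```

A drop-in only takes effect after `systemctl daemon-reload`; `systemctl cat bind9.service` shows whether the override is merged into the unit, `systemctl show bind9.service -p RequiresMountsFor -p After` shows whether var.mount now appears in the ordering, and `systemctl list-dependencies bind9.service` lists var.mount if it was pulled in. If /var is mounted by some mechanism other than fstab, no var.mount unit exists and RequiresMountsFor= cannot order against it.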