Bug#1120311: bind9: named-checkconf silent about nsec3param

Fri, 07 Nov 2025 05:47:16 -0800 

Package: bind9
Version: 1:9.20.15-1~deb13u1
Severity: normal

Dear Maintainer,

when I upgraded to this version of bind9, the resolver wouln't start.
I couldn't even complete the installation because of the postinst script
failure.

The failing point was named-checkconf, returning exit code 1.
No output whatsoever.  I had to delete bunches of config lines
until I found that the following line was triggering the failure:

        nsec3param iterations 1 optout false salt-length 16;

Commenting out the line finally allowed named to start.  Later on
I found that specifying just "nsec3param;" without parameters is
also accepted.

The doc is a bit obscure on the subject, it warns against using
the parameters unless their implications are fully understood.
(I don't fully understand them, but I think that even if I did
named-checkconf would have failed nevertheless.)

The bug is to not point to the non-accepted configuration line.

Best
Ale

-- System Information:
Distributor ID: Devuan
Description:    Devuan GNU/Linux 6 (excalibur)
Release:        6
Codename:       excalibur
Architecture: x86_64

Kernel: Linux 6.12.48+deb13-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8
Shell: /bin/sh linked to /usr/bin/bash
Init: sysvinit (via /sbin/init)

Versions of packages bind9 depends on:
ii  adduser                3.152
ii  bind9-libs             1:9.20.15-1~deb13u1
ii  bind9-utils            1:9.20.15-1~deb13u1
ii  debconf [debconf-2.0]  1.5.91
ii  dns-root-data          2024071801
ii  init-system-helpers    1.68devuan1
ii  iproute2               6.15.0-1
ii  libc6                  2.41-12
ii  libcap2                1:2.75-10+b1
ii  libfstrm0              0.6.1-1+b3
ii  libjemalloc2           5.3.0-3
ii  libjson-c5             0.18+ds-1
ii  liblmdb0               0.9.31-1+b2
ii  libmaxminddb0          1.12.2-1
ii  libnghttp2-14          1.64.0-1.1
ii  libprotobuf-c1         1.5.1-1
ii  libssl3t64             3.5.1-1+deb13u1
ii  liburcu8t64            0.15.2-2
ii  libuv1t64              1.50.0-2
ii  libxml2                2.12.7+dfsg+really2.9.14-2.1+deb13u1
ii  netbase                6.5
ii  zlib1g                 1:1.3.dfsg+really1.3.1-1+b1

bind9 recommends no packages.

Versions of packages bind9 suggests:
ii  bind9-dnsutils  1:9.20.15-1~deb13u1
ii  bind9-doc       1:9.20.15-1~deb13u1
pn  resolvconf      <none>
pn  ufw             <none>

-- Configuration Files:
/etc/bind/named.conf changed [not included]
/etc/bind/named.conf.local [Errno 13] Permission denied: 
'/etc/bind/named.conf.local'
/etc/bind/named.conf.options changed [not included]
/etc/default/named changed [not included]

-- debconf information:
  bind9/run-resolvconf: true
  bind9/different-configuration-file:
  bind9/start-as-user: bind

Reply via email to