subject:"Zone file got updated via named process unexpected"

Re: Re: Zone file got updated via named process unexpected

2023-12-18 Thread liudonghua

hi, I did not use or configure DNSSEC or Dynamic DNS, I have also disabled 
DNSSEC via `dnssec-validation no;`, I also tried to use `dnssec-enable no;` and 
`dnssec-lookaside no;`, but these configuration is not exists anymore for the 
new bind 9.18.20 I updated.

I also checked if I am using DNSSEC via `dnssec-checkds`.

[root@pridns ~]# dnssec-checkds -f /etc/named.data/db.ynu.edu.cn.intranet 
ynu.edu.cn
dnssec-dsfromkey: fatal: no DNSKEY RR for ynu.edu.cn in 
/etc/named.data/db.ynu.edu.cn.intranet
No DNSKEY records found in zone apex
[root@pridns ~]# echo $?
1
[root@pridns ~]# 

And not log in `dnssec_log` after I configured DNSSEC logging from 
https://bind9.readthedocs.io/en/latest/dnssec-guide.html#bind-dnssec-debug-logging.

Is it a problem of SOA serial number, after I updated this value, the zone file 
did not change anymore, but this zone does not load from `rndc dumpdb -all` 
output.

# parts of /var/named/data/cache_dump.db
; Zone dump of 'ynu.edu.cn/IN/INTRANET'
;
; zone not loaded

[root@pridns ~]# tail -f /var/log/named/dns-default.log|grep 113.55.127.140
19-Dec-2023 09:28:47.481 query-errors: info: client @0x7fe6f000da68 
113.55.127.140#54309 (www.ynu.edu.cn): view INTRANET: query failed (zone not 
loaded) for www.ynu.edu.cn/IN/A at query.c:5673
19-Dec-2023 09:28:47.481 query-errors: info: client @0x7fe70049a218 
113.55.127.140#54310 (www.ynu.edu.cn): view INTRANET: query failed (zone not 
loaded) for www.ynu.edu.cn/IN/ at query.c:5673
19-Dec-2023 09:28:47.483 client: debug 1: client @0x7fe6fd8b9c98 
113.55.127.140#54311 (www.ynu.edu.cn): view INTRANET: servfail cache hit 
www.ynu.edu.cn/A (CD=0)
19-Dec-2023 09:28:47.483 query-errors: info: client @0x7fe6fd8b9c98 
113.55.127.140#54311 (www.ynu.edu.cn): view INTRANET: query failed (SERVFAIL) 
for www.ynu.edu.cn/IN/A at query.c:7094
19-Dec-2023 09:28:47.484 client: debug 1: client @0x7fe70049a218 
113.55.127.140#54312 (www.ynu.edu.cn): view INTRANET: servfail cache hit 
www.ynu.edu.cn/ (CD=0)
19-Dec-2023 09:28:47.484 query-errors: info: client @0x7fe70049a218 
113.55.127.140#54312 (www.ynu.edu.cn): view INTRANET: query failed (SERVFAIL) 
for www.ynu.edu.cn/IN/ at query.c:7094
[root@pridns ~]#

However, this zone file /etc/named.data/db.ynu.edu.cn.intranet is almost the 
same as other zone file from different view.

2023-12-18 04:18:06 "Nick Tait via bind-users"  写道：
> On 17/12/2023 5:30 pm, liudong...@ynu.edu.cn wrote:
> > I found this zone file got updated in about 15 minutes when I made 
> > changes or restarted named, and this behavior seems match the docs 
> > bind9.readthedocs.io/en/latest/chapter6.html#dynamic-update, but I can 
> > confirm I DO NOT configure allow-update or update-policy. I even add 
> > "allow-update {none;}; // no DDNS by default" in the zone block of the 
> > problematic view. Is there any chances this configuration comes from 
> > other config file or named build options?
> 
> Are you using DNSSEC with this zone? Your config extract doesn't show 
> it, but what you described sounds like BIND might be resigning the zone 
> file and writing the new signed zone over top of the original file? If 
> so, the solution is to use inline-signing: 
> https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-inline-signing
> 
> Note that there have been many improvements in BIND's support for DNSSEC 
> over the last few years, so if this is a server that you've inherited, 
> it is probably worth reviewing the DNSSEC configuration options to see 
> if it can be improved?
> 
> Nick.
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Zone file got updated via named process unexpected

2023-12-17 Thread Nick Tait via bind-users


On 17/12/2023 5:30 pm, liudong...@ynu.edu.cn wrote:
I found this zone file got updated in about 15 minutes when I made 
changes or restarted named, and this behavior seems match the docs 
bind9.readthedocs.io/en/latest/chapter6.html#dynamic-update, but I can 
confirm I DO NOT configure allow-update or update-policy. I even add 
"allow-update {none;}; // no DDNS by default" in the zone block of the 
problematic view. Is there any chances this configuration comes from 
other config file or named build options?


Are you using DNSSEC with this zone? Your config extract doesn't show 
it, but what you described sounds like BIND might be resigning the zone 
file and writing the new signed zone over top of the original file? If 
so, the solution is to use inline-signing: 
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-inline-signing


Note that there have been many improvements in BIND's support for DNSSEC 
over the last few years, so if this is a server that you've inherited, 
it is probably worth reviewing the DNSSEC configuration options to see 
if it can be improved?


Nick.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Zone file got updated via named process unexpected

2023-12-16 Thread liudonghua

Sorry for the mixed format. I updated the post here.




Hi, I have a bind9 service running on the server, and some views configured, 
but I found a zone file got updated unexpected when I made some resolve changes.


Here is parts of the original contents of the updated zone file.


$TTL 86400  ; 1 day
@   IN  SOA pridns.ynu.edu.cn. root.pridns.ynu.edu.cn. (
2019091901;   serial number
10800   ;   Refresh interval, every 3 hours
3600;   Retry interval, every 30 minutes 
604800  ;   Expire after 1 week
86400 ) ;Minimum TTL of 1 day


$INCLUDE /etc/named.data/db.ynu.edu.cn.common




; RR of type A
; 
lb-http-jz  IN  A   113.55.14.52
; 
vpn110800   IN  A   192.168.208.3
ynucdn  600 IN  A   202.203.208.4
..


And this is the auto updated parts of that file.


$ORIGIN .
$TTL 86400  ; 1 day
ynu.edu.cn  IN SOA  pridns.ynu.edu.cn. root.pridns.ynu.edu.cn. (
2019091903 ; serial
10800  ; refresh (3 hours)
3600   ; retry (1 hour)
604800 ; expire (1 week)
86400  ; minimum (1 day)
)


$ORIGIN ynu.edu.cn.
100 CNAME   lb-http
65031141CNAME   www.itc
$ORIGIN 65031141.ynu.edu.cn.
ip-watcher  A   113.55.13.114
kibana  CNAME   lb-http.ynu.edu.cn.
portainer   CNAME   lb-http.ynu.edu.cn.
$ORIGIN ynu.edu.cn.
_cdnauthTXT "2023060823081361d03c617f075ac05df69f6309bd9aa6"
access  A   113.55.0.80
..
The update contents contain some $ORIGIN seems to produced via named process.


The related pieces of named.conf configurations is:


..
view "INTRANET"{
match-clients { INTRANET_ACL;};
recursion yes;
include "/etc/named.common.zones.conf";
zone "ynu.edu.cn" in {
type master;
file "db.ynu.edu.cn.intranet";
};
};
..


And I found some general logs maybe provide some clues.

14-Dec-2023 14:39:25.460 general: debug 1: zone_timer: zone 
ynu.edu.cn/IN/INTRANET: enter
14-Dec-2023 14:39:25.460 general: debug 1: zone_maintenance: zone 
ynu.edu.cn/IN/INTRANET: enter
14-Dec-2023 14:39:25.460 general: debug 1: zone_dump: zone 
ynu.edu.cn/IN/INTRANET: enter
14-Dec-2023 14:39:25.460 general: debug 1: zone_settimer: zone 
ynu.edu.cn/IN/INTRANET: enter
14-Dec-2023 14:39:25.460 general: debug 1: zone_gotwritehandle: zone 
ynu.edu.cn/IN/INTRANET: enter
14-Dec-2023 14:39:25.460 general: debug 1: dumptostreaminc(0x7efe0d938010) new 
nodes -> 212
14-Dec-2023 14:39:25.461 general: debug 1: dumptostreaminc(0x7efe0d938010) new 
nodes -> 310
14-Dec-2023 14:39:25.464 general: debug 1: dump_done: zone 
ynu.edu.cn/IN/INTRANET: enter
I did not configure master/slave mode of bind9. And I serached the sources of 
bind9, but failed to find some keywords like zone_timer or zone_gotwritehandle.


I have stucked on this strange problem for a few days.


I found this zone file got updated in about 15 minutes when I made changes or 
restarted named, and this behavior seems match the docs 
bind9.readthedocs.io/en/latest/chapter6.html#dynamic-update, but I can confirm 
I DO NOT configure allow-update or update-policy. I even add "allow-update 
{none;}; // no DDNS by default" in the zone block of the problematic view. Is 
there any chances this configuration comes from other config file or named 
build options?


I have also posted on stackoverflow, but without any response. 




2023-12-17 12:04:18 "刘东华"  写道：

Hi, I have a bind9 service running on the server, and some views configured, 
but I found a zone file got updated unexpected when I made some resolve changes.

Here is parts of the original contents of the updated zone file.

$TTL 86400  ; 1 day@   IN  SOA pridns.ynu.edu.cn. 
root.pridns.ynu.edu.cn. (2019091901;   
serial number10800   ;   Refresh interval, 
every 3 hours3600;   Retry interval, every 
30 minutes 604800  ;   Expire after 1 week  
  86400 ) ;Minimum TTL of 1 day$INCLUDE 
/etc/named.data/db.ynu.edu.cn.common; RR of type A; lb-http-jz  
IN  A   113.55.14.52; vpn110800   IN  A   
192.168.208.3ynucdn  600 IN  A   202.203.208.4..

And this is the auto updated parts of that file.

$ORIGIN .$TTL 86400 ; 1 dayynu.edu.cn   IN SOA  
pridns.ynu.edu.cn. root.pridns.ynu.edu.cn. ( 2019091903 ; serial 10800  ; 
refresh (3 hours) 3600   ; retry (1 hour) 604800 ; expire (1 week) 
86400  ; minimum (1 day) )$ORIGIN ynu.edu.cn.100   CNAME   
lb-http65031141

Zone file got updated via named process unexpected

2023-12-16 Thread liudonghua

Hi, I have a bind9 service running on the server, and some views configured, 
but I found a zone file got updated unexpected when I made some resolve changes.

Here is parts of the original contents of the updated zone file.

$TTL 86400  ; 1 day@   IN  SOA pridns.ynu.edu.cn. 
root.pridns.ynu.edu.cn. (2019091901;   
serial number10800   ;   Refresh interval, 
every 3 hours3600;   Retry interval, every 
30 minutes 604800  ;   Expire after 1 week  
  86400 ) ;Minimum TTL of 1 day$INCLUDE 
/etc/named.data/db.ynu.edu.cn.common; RR of type A; lb-http-jz  
IN  A   113.55.14.52; vpn110800   IN  A   
192.168.208.3ynucdn  600 IN  A   202.203.208.4..

And this is the auto updated parts of that file.

$ORIGIN .$TTL 86400 ; 1 dayynu.edu.cn   IN SOA  
pridns.ynu.edu.cn. root.pridns.ynu.edu.cn. ( 2019091903 ; serial 10800  ; 
refresh (3 hours) 3600   ; retry (1 hour) 604800 ; expire (1 week) 
86400  ; minimum (1 day) )$ORIGIN ynu.edu.cn.100   CNAME   
lb-http65031141 CNAME   www.itc$ORIGIN 65031141.ynu.edu.cn.ip-watcher   
A   113.55.13.114kibana CNAME   
lb-http.ynu.edu.cn.portainerCNAME   lb-http.ynu.edu.cn.$ORIGIN 
ynu.edu.cn._cdnauth  TXT 
"2023060823081361d03c617f075ac05df69f6309bd9aa6"access  A   
113.55.0.80..

The update contents contain some $ORIGIN seems to produced via named process.

The related pieces of named.conf configurations is:

..view "INTRANET"{match-clients { INTRANET_ACL;};recursion 
yes;include "/etc/named.common.zones.conf";zone "ynu.edu.cn" in 
{type master;file "db.ynu.edu.cn.intranet"; 
   };};..

And I found some general logs maybe provide some clues.

14-Dec-2023 14:39:25.460 general: debug 1: zone_timer: zone 
ynu.edu.cn/IN/INTRANET: enter14-Dec-2023 14:39:25.460 general: debug 1: 
zone_maintenance: zone ynu.edu.cn/IN/INTRANET: enter14-Dec-2023 14:39:25.460 
general: debug 1: zone_dump: zone ynu.edu.cn/IN/INTRANET: enter14-Dec-2023 
14:39:25.460 general: debug 1: zone_settimer: zone ynu.edu.cn/IN/INTRANET: 
enter14-Dec-2023 14:39:25.460 general: debug 1: zone_gotwritehandle: zone 
ynu.edu.cn/IN/INTRANET: enter14-Dec-2023 14:39:25.460 general: debug 1: 
dumptostreaminc(0x7efe0d938010) new nodes -> 21214-Dec-2023 14:39:25.461 
general: debug 1: dumptostreaminc(0x7efe0d938010) new nodes -> 31014-Dec-2023 
14:39:25.464 general: debug 1: dump_done: zone ynu.edu.cn/IN/INTRANET: enter

I can confirm that I did not use or configure master/slave mode of bind9.

I found this zone file got updated in about 15 minutes when I made changes or 
restarted named, and this behavior seems match the docs 
bind9.readthedocs.io/en/latest/chapter6.html#dynamic-update, but I can confirm 
I DO NOT configure allow-update or update-policy. I even add "allow-update 
{none;}; // no DDNS by default" in the zone block of the problematic view. Is 
there any chances this configuration comes from other config file or named 
build options?


I also have posted on stackoverflow, but without any response. -- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Re: Zone file got updated via named process unexpected

Re: Zone file got updated via named process unexpected

Re: Zone file got updated via named process unexpected

Zone file got updated via named process unexpected

4 matches

Site Navigation

Mail list logo

Footer information