Re: Re: Zone file got updated via named process unexpected
hi, I did not use or configure DNSSEC or Dynamic DNS, I have also disabled DNSSEC via `dnssec-validation no;`, I also tried to use `dnssec-enable no;` and `dnssec-lookaside no;`, but these configuration is not exists anymore for the new bind 9.18.20 I updated. I also checked if I am using DNSSEC via `dnssec-checkds`. [root@pridns ~]# dnssec-checkds -f /etc/named.data/db.ynu.edu.cn.intranet ynu.edu.cn dnssec-dsfromkey: fatal: no DNSKEY RR for ynu.edu.cn in /etc/named.data/db.ynu.edu.cn.intranet No DNSKEY records found in zone apex [root@pridns ~]# echo $? 1 [root@pridns ~]# And not log in `dnssec_log` after I configured DNSSEC logging from https://bind9.readthedocs.io/en/latest/dnssec-guide.html#bind-dnssec-debug-logging. Is it a problem of SOA serial number, after I updated this value, the zone file did not change anymore, but this zone does not load from `rndc dumpdb -all` output. # parts of /var/named/data/cache_dump.db ; Zone dump of 'ynu.edu.cn/IN/INTRANET' ; ; zone not loaded [root@pridns ~]# tail -f /var/log/named/dns-default.log|grep 113.55.127.140 19-Dec-2023 09:28:47.481 query-errors: info: client @0x7fe6f000da68 113.55.127.140#54309 (www.ynu.edu.cn): view INTRANET: query failed (zone not loaded) for www.ynu.edu.cn/IN/A at query.c:5673 19-Dec-2023 09:28:47.481 query-errors: info: client @0x7fe70049a218 113.55.127.140#54310 (www.ynu.edu.cn): view INTRANET: query failed (zone not loaded) for www.ynu.edu.cn/IN/ at query.c:5673 19-Dec-2023 09:28:47.483 client: debug 1: client @0x7fe6fd8b9c98 113.55.127.140#54311 (www.ynu.edu.cn): view INTRANET: servfail cache hit www.ynu.edu.cn/A (CD=0) 19-Dec-2023 09:28:47.483 query-errors: info: client @0x7fe6fd8b9c98 113.55.127.140#54311 (www.ynu.edu.cn): view INTRANET: query failed (SERVFAIL) for www.ynu.edu.cn/IN/A at query.c:7094 19-Dec-2023 09:28:47.484 client: debug 1: client @0x7fe70049a218 113.55.127.140#54312 (www.ynu.edu.cn): view INTRANET: servfail cache hit www.ynu.edu.cn/ (CD=0) 19-Dec-2023 09:28:47.484 query-errors: info: client @0x7fe70049a218 113.55.127.140#54312 (www.ynu.edu.cn): view INTRANET: query failed (SERVFAIL) for www.ynu.edu.cn/IN/ at query.c:7094 [root@pridns ~]# However, this zone file /etc/named.data/db.ynu.edu.cn.intranet is almost the same as other zone file from different view. 2023-12-18 04:18:06 "Nick Tait via bind-users" 写道: > On 17/12/2023 5:30 pm, liudong...@ynu.edu.cn wrote: > > I found this zone file got updated in about 15 minutes when I made > > changes or restarted named, and this behavior seems match the docs > > bind9.readthedocs.io/en/latest/chapter6.html#dynamic-update, but I can > > confirm I DO NOT configure allow-update or update-policy. I even add > > "allow-update {none;}; // no DDNS by default" in the zone block of the > > problematic view. Is there any chances this configuration comes from > > other config file or named build options? > > Are you using DNSSEC with this zone? Your config extract doesn't show > it, but what you described sounds like BIND might be resigning the zone > file and writing the new signed zone over top of the original file? If > so, the solution is to use inline-signing: > https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-inline-signing > > Note that there have been many improvements in BIND's support for DNSSEC > over the last few years, so if this is a server that you've inherited, > it is probably worth reviewing the DNSSEC configuration options to see > if it can be improved? > > Nick. > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Zone file got updated via named process unexpected
On 17/12/2023 5:30 pm, liudong...@ynu.edu.cn wrote: I found this zone file got updated in about 15 minutes when I made changes or restarted named, and this behavior seems match the docs bind9.readthedocs.io/en/latest/chapter6.html#dynamic-update, but I can confirm I DO NOT configure allow-update or update-policy. I even add "allow-update {none;}; // no DDNS by default" in the zone block of the problematic view. Is there any chances this configuration comes from other config file or named build options? Are you using DNSSEC with this zone? Your config extract doesn't show it, but what you described sounds like BIND might be resigning the zone file and writing the new signed zone over top of the original file? If so, the solution is to use inline-signing: https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-inline-signing Note that there have been many improvements in BIND's support for DNSSEC over the last few years, so if this is a server that you've inherited, it is probably worth reviewing the DNSSEC configuration options to see if it can be improved? Nick. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Zone file got updated via named process unexpected
Sorry for the mixed format. I updated the post here. Hi, I have a bind9 service running on the server, and some views configured, but I found a zone file got updated unexpected when I made some resolve changes. Here is parts of the original contents of the updated zone file. $TTL 86400 ; 1 day @ IN SOA pridns.ynu.edu.cn. root.pridns.ynu.edu.cn. ( 2019091901; serial number 10800 ; Refresh interval, every 3 hours 3600; Retry interval, every 30 minutes 604800 ; Expire after 1 week 86400 ) ;Minimum TTL of 1 day $INCLUDE /etc/named.data/db.ynu.edu.cn.common ; RR of type A ; lb-http-jz IN A 113.55.14.52 ; vpn110800 IN A 192.168.208.3 ynucdn 600 IN A 202.203.208.4 .. And this is the auto updated parts of that file. $ORIGIN . $TTL 86400 ; 1 day ynu.edu.cn IN SOA pridns.ynu.edu.cn. root.pridns.ynu.edu.cn. ( 2019091903 ; serial 10800 ; refresh (3 hours) 3600 ; retry (1 hour) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) $ORIGIN ynu.edu.cn. 100 CNAME lb-http 65031141CNAME www.itc $ORIGIN 65031141.ynu.edu.cn. ip-watcher A 113.55.13.114 kibana CNAME lb-http.ynu.edu.cn. portainer CNAME lb-http.ynu.edu.cn. $ORIGIN ynu.edu.cn. _cdnauthTXT "2023060823081361d03c617f075ac05df69f6309bd9aa6" access A 113.55.0.80 .. The update contents contain some $ORIGIN seems to produced via named process. The related pieces of named.conf configurations is: .. view "INTRANET"{ match-clients { INTRANET_ACL;}; recursion yes; include "/etc/named.common.zones.conf"; zone "ynu.edu.cn" in { type master; file "db.ynu.edu.cn.intranet"; }; }; .. And I found some general logs maybe provide some clues. 14-Dec-2023 14:39:25.460 general: debug 1: zone_timer: zone ynu.edu.cn/IN/INTRANET: enter 14-Dec-2023 14:39:25.460 general: debug 1: zone_maintenance: zone ynu.edu.cn/IN/INTRANET: enter 14-Dec-2023 14:39:25.460 general: debug 1: zone_dump: zone ynu.edu.cn/IN/INTRANET: enter 14-Dec-2023 14:39:25.460 general: debug 1: zone_settimer: zone ynu.edu.cn/IN/INTRANET: enter 14-Dec-2023 14:39:25.460 general: debug 1: zone_gotwritehandle: zone ynu.edu.cn/IN/INTRANET: enter 14-Dec-2023 14:39:25.460 general: debug 1: dumptostreaminc(0x7efe0d938010) new nodes -> 212 14-Dec-2023 14:39:25.461 general: debug 1: dumptostreaminc(0x7efe0d938010) new nodes -> 310 14-Dec-2023 14:39:25.464 general: debug 1: dump_done: zone ynu.edu.cn/IN/INTRANET: enter I did not configure master/slave mode of bind9. And I serached the sources of bind9, but failed to find some keywords like zone_timer or zone_gotwritehandle. I have stucked on this strange problem for a few days. I found this zone file got updated in about 15 minutes when I made changes or restarted named, and this behavior seems match the docs bind9.readthedocs.io/en/latest/chapter6.html#dynamic-update, but I can confirm I DO NOT configure allow-update or update-policy. I even add "allow-update {none;}; // no DDNS by default" in the zone block of the problematic view. Is there any chances this configuration comes from other config file or named build options? I have also posted on stackoverflow, but without any response. 2023-12-17 12:04:18 "刘东华" 写道: Hi, I have a bind9 service running on the server, and some views configured, but I found a zone file got updated unexpected when I made some resolve changes. Here is parts of the original contents of the updated zone file. $TTL 86400 ; 1 day@ IN SOA pridns.ynu.edu.cn. root.pridns.ynu.edu.cn. (2019091901; serial number10800 ; Refresh interval, every 3 hours3600; Retry interval, every 30 minutes 604800 ; Expire after 1 week 86400 ) ;Minimum TTL of 1 day$INCLUDE /etc/named.data/db.ynu.edu.cn.common; RR of type A; lb-http-jz IN A 113.55.14.52; vpn110800 IN A 192.168.208.3ynucdn 600 IN A 202.203.208.4.. And this is the auto updated parts of that file. $ORIGIN .$TTL 86400 ; 1 dayynu.edu.cn IN SOA pridns.ynu.edu.cn. root.pridns.ynu.edu.cn. ( 2019091903 ; serial 10800 ; refresh (3 hours) 3600 ; retry (1 hour) 604800 ; expire (1 week) 86400 ; minimum (1 day) )$ORIGIN ynu.edu.cn.100 CNAME lb-http65031141
Zone file got updated via named process unexpected
Hi, I have a bind9 service running on the server, and some views configured, but I found a zone file got updated unexpected when I made some resolve changes. Here is parts of the original contents of the updated zone file. $TTL 86400 ; 1 day@ IN SOA pridns.ynu.edu.cn. root.pridns.ynu.edu.cn. (2019091901; serial number10800 ; Refresh interval, every 3 hours3600; Retry interval, every 30 minutes 604800 ; Expire after 1 week 86400 ) ;Minimum TTL of 1 day$INCLUDE /etc/named.data/db.ynu.edu.cn.common; RR of type A; lb-http-jz IN A 113.55.14.52; vpn110800 IN A 192.168.208.3ynucdn 600 IN A 202.203.208.4.. And this is the auto updated parts of that file. $ORIGIN .$TTL 86400 ; 1 dayynu.edu.cn IN SOA pridns.ynu.edu.cn. root.pridns.ynu.edu.cn. ( 2019091903 ; serial 10800 ; refresh (3 hours) 3600 ; retry (1 hour) 604800 ; expire (1 week) 86400 ; minimum (1 day) )$ORIGIN ynu.edu.cn.100 CNAME lb-http65031141 CNAME www.itc$ORIGIN 65031141.ynu.edu.cn.ip-watcher A 113.55.13.114kibana CNAME lb-http.ynu.edu.cn.portainerCNAME lb-http.ynu.edu.cn.$ORIGIN ynu.edu.cn._cdnauth TXT "2023060823081361d03c617f075ac05df69f6309bd9aa6"access A 113.55.0.80.. The update contents contain some $ORIGIN seems to produced via named process. The related pieces of named.conf configurations is: ..view "INTRANET"{match-clients { INTRANET_ACL;};recursion yes;include "/etc/named.common.zones.conf";zone "ynu.edu.cn" in {type master;file "db.ynu.edu.cn.intranet"; };};.. And I found some general logs maybe provide some clues. 14-Dec-2023 14:39:25.460 general: debug 1: zone_timer: zone ynu.edu.cn/IN/INTRANET: enter14-Dec-2023 14:39:25.460 general: debug 1: zone_maintenance: zone ynu.edu.cn/IN/INTRANET: enter14-Dec-2023 14:39:25.460 general: debug 1: zone_dump: zone ynu.edu.cn/IN/INTRANET: enter14-Dec-2023 14:39:25.460 general: debug 1: zone_settimer: zone ynu.edu.cn/IN/INTRANET: enter14-Dec-2023 14:39:25.460 general: debug 1: zone_gotwritehandle: zone ynu.edu.cn/IN/INTRANET: enter14-Dec-2023 14:39:25.460 general: debug 1: dumptostreaminc(0x7efe0d938010) new nodes -> 21214-Dec-2023 14:39:25.461 general: debug 1: dumptostreaminc(0x7efe0d938010) new nodes -> 31014-Dec-2023 14:39:25.464 general: debug 1: dump_done: zone ynu.edu.cn/IN/INTRANET: enter I can confirm that I did not use or configure master/slave mode of bind9. I found this zone file got updated in about 15 minutes when I made changes or restarted named, and this behavior seems match the docs bind9.readthedocs.io/en/latest/chapter6.html#dynamic-update, but I can confirm I DO NOT configure allow-update or update-policy. I even add "allow-update {none;}; // no DDNS by default" in the zone block of the problematic view. Is there any chances this configuration comes from other config file or named build options? I also have posted on stackoverflow, but without any response. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users