[Pkg-freeipa-devel] Bug#857091: bind9-dyndb-ldap: race condition/strange issue with DNSSEC inline signing

Dominik George nik at naturalnet.de
Tue Mar 7 23:02:24 UTC 2017


Package: bind9-dyndb-ldap
Version: 10.1-1
Severity: important

After configuring a basic setup with bind9-dyndb-ldap, I tried enabling
DNSSEC inline signing. It does seem to work, but only sporadically. Most
of the time, most zones fail to be signed with the following errors in
the logs:

Mar  7 06:33:53 shore named[19793]: zone koenig-moderig.de/IN (signed): reconfiguring zone keys
Mar  7 06:33:53 shore named[19793]: malformed transaction: dyndb-ldap/naturalnet/master/koenig-moderig.de/signed.jnl last serial 1488398609 != transaction first serial 1488398610
Mar  7 06:33:53 shore named[19793]: zone koenig-moderig.de/IN (signed): zone_rekey:dns_journal_write_transaction -> unexpected error

It seems like BIND cannot write the journal, but there is no permission
issue or anything else. In fact, a few minutes later, BIND might sign
the zone just fine. I even used strace to trace anything happening to
the journal, and in the case where the above error is produced, I see
BIND happily opening, writing and closing signed.jnl.

There seems to be a known issue with BIND hitting this issue in a few
corner cases, mostly “fixed” by restarting BIND, but this simple
solution does not work here.

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-1-amd64 (SMP w/6 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bind9-dyndb-ldap depends on:
ii  bind9          1:9.10.3.dfsg.P4-12
ii  libc6          2.24-9
ii  libdns162      1:9.10.3.dfsg.P4-12
ii  libisc160      1:9.10.3.dfsg.P4-12
ii  libkrb5-3      1.15-1
ii  libldap-2.4-2  2.4.44+dfsg-3
ii  libuuid1       2.29.1-1

bind9-dyndb-ldap recommends no packages.

bind9-dyndb-ldap suggests no packages.

-- no debconf information
