Mark: Your patch version 3 is included below to confirm that this is the correct one. Initially the patch didn't work properly due to a missing line break before "@@ -5993,6 +5994,12 @@". I fixed that and ran the bind9.9.0rc3 installation again. A manual inspection of server.c afterwards indicated that the patch executed correctly.
With the properly patched bind 9.9.0rc3 running, 'rndc retransfer jaspain.biz' generated no output, presumably indicating success.
The log showed some related error messages, however:
Feb 22 13:50:43 nsb0s named[8594]: received control channel command 'retransfer jaspain.biz'
Feb 22 13:50:43 nsb0s named[8594]: zone jaspain.biz/IN (unsigned): Transfer started.
Feb 22 13:50:43 nsb0s named[8594]: transfer of 'jaspain.biz/IN (unsigned)' from 2001:4870:20ca:158:14ff:7695:9632:e9ec#53: connected using 2001:4870:20ca:158:383e:4365:e3fe:ef7e#45705
Feb 22 13:50:43 nsb0s named[8594]: zone jaspain.biz/IN (unsigned): transferred serial 2012013004: TSIG 'nsb0-nsb0s'
Feb 22 13:50:43 nsb0s named[8594]: transfer of 'jaspain.biz/IN (unsigned)' from 2001:4870:20ca:158:14ff:7695:9632:e9ec#53: Transfer completed: 1 messages, 10 records, 392 bytes, 0.005 secs (78400 bytes/sec)
Feb 22 13:50:43 nsb0s named[8594]: zone jaspain.biz/IN (signed): zone serial (2012013004/2012013006) has gone backwards
Feb 22 13:50:43 nsb0s named[8594]: zone jaspain.biz/IN (signed): loaded serial 2012013004
Feb 22 13:50:43 nsb0s named[8594]: zone jaspain.biz/IN (signed): receive_secure_serial: unchanged
Feb 22 13:50:43 nsb0s named[8594]: zone jaspain.biz/IN (signed): receive_secure_serial: unchanged
Feb 22 13:50:43 nsb0s named[8594]: zone jaspain.biz/IN (signed): reconfiguring zone keys
Feb 22 13:50:43 nsb0s named[8594]: malformed transaction: /var/cache/bind/jaspain.biz.db.signed.jnl last serial 2012013006 != transaction first serial 2012013004
Feb 22 13:50:43 nsb0s named[8594]: zone jaspain.biz/IN (signed): zone_rekey:dns_journal_write_transaction -> unexpected error
Feb 22 13:50:43 nsb0s named[8594]: zone jaspain.biz/IN (signed): sending notifies (serial 2012013004)
Seems like it is confusing the serial numbers of the signed and unsigned zones. 2012013004 is the incremented serial number of the unsigned zone. The signed zone had serial number 2012013006 prior to the retransfer attempt. Tcpdump showed a successful AXFR of the unsigned zone with serial number 2012013004.
Thanks. Jeff.
----------
Patch version 3:
Index: bin/named/server.c
===================================================================
RCS file: /proj/cvs/prod/bind9/bin/named/server.c,v
retrieving revision 1.638.4.3
diff -u -r1.638.4.3 server.c
--- bin/named/server.c 7 Feb 2012 00:58:40 -0000 1.638.4.3
+++ bin/named/server.c 21 Feb 2012 23:05:47 -0000
@@ -5986,6 +5986,7 @@
ns_server_retransfercommand(ns_server_t *server, char *args) {
isc_result_t result;
dns_zone_t *zone = NULL;
+ dns_zone_t *raw = NULL;
dns_zonetype_t type;
result = zone_from_args(server, args, NULL, &zone, NULL, ISC_TRUE); @@ -5993,6 +5994,12 @@
return (result);
if (zone == NULL)
return (ISC_R_UNEXPECTEDEND);
+ dns_zone_getraw(zone, &raw);
+ if (raw != NULL) {
+ dns_zone_detach(&zone);
+ dns_zone_attach(raw, &zone);
+ dns_zone_detach(&raw);
+ }
type = dns_zone_gettype(zone);
if (type == dns_zone_slave || type == dns_zone_stub)
dns_zone_forcereload(zone);
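Review bot: In the block added after the "zone == NULL" check, the retransfer is redirected to the raw zone, but nothing in that block or in the dns_zone_forcereload(zone) call that follows reconciles the signed zone with the serial the raw zone receives. With this patch applied, the log in this report shows the signed zone logging "zone serial (2012013004/2012013006) has gone backwards" and the journal write failing with "last serial 2012013006 != transaction first serial 2012013004". Consider handling the signed zone's serial and journal when the raw zone is force-reloaded, and add a short comment above dns_zone_getraw(zone, &raw) stating that for a zone with a raw (unsigned) counterpart the retransfer and the slave/stub type check are applied to the raw zone.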