Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Upgrading from 9.14.12 to 9.16.4 - with existing DNSSEC zones

133 views
Skip to first unread message

Duncan

unread,
Sep 1, 2020, 11:06:26 AM9/1/20
to bind-...@lists.isc.org

I am using DNSSEC for more than 5 years now (never had a problem so far), but after upgrading to the latest bind-9.16.4 the verification fails using Verisign's DNSSEC Validator.

 

I reverted back to 9.14.12 and everything works as expected.

 

First I started upgrading my secondary DNS-Server (primary left untouched !!!) to 9.16.4 - restarted named and everything seems to be OK.

 

So I tested with Verisign's DNSSEC Validator https://dnssec-analyzer.verisignlabs.com/ before upgrading my primary DNS.

 

And Verisign reported an error -> All Queries to secondary.my-dnsserver-domain.com for my-domain.com/A timed out or failed

 

Test Results: https://ibb.co/7QLVJsC

 

Any ideas? …or should I upgrade both servers before I do my first test (not only the secondary server)? As I said, I only updated my secondary server and left my primary server untouched!

 

Are there any related upgrade issues from from 9.14.12 to 9.16.4, which I should take care first (do I have to update something in my configs)? Is it possible to keep my already signed zones of my 9.14.12 installation? Or do I have to re-sign anything?

 

 

Mark Andrews

unread,
Sep 1, 2020, 6:38:09 PM9/1/20
to dun...@isn-portal.de, bind-...@lists.isc.org
Do you go to your mechanic and not take the car when you have a problem you don’t understand with the car?

BIND 9.16.4 should be a drop in replacement for 9.14.12. As you are seeing issues you will need to supply more details like the name of the zone so people can actually try and figure out what the issue is.

Mark

> On 2 Sep 2020, at 01:06, Duncan <dun...@isn-portal.de> wrote:
>
> I am using DNSSEC for more than 5 years now (never had a problem so far), but after upgrading to the latest bind-9.16.4 the verification fails using Verisign's DNSSEC Validator.
>
> I reverted back to 9.14.12 and everything works as expected.
>
> First I started upgrading my secondary DNS-Server (primary left untouched !!!) to 9.16.4 - restarted named and everything seems to be OK.
>
> So I tested with Verisign's DNSSEC Validator https://dnssec-analyzer.verisignlabs.com/ before upgrading my primary DNS.
>
> And Verisign reported an error -> All Queries to secondary.my-dnsserver-domain.com for my-domain.com/Atimed out or failed
>
> Test Results: https://ibb.co/7QLVJsC
>
> Any ideas? …or should I upgrade both servers before I do my first test (not only the secondary server)? As I said, I only updated my secondary server and left my primary server untouched!
>
> Are there any related upgrade issues from from 9.14.12 to 9.16.4, which I should take care first (do I have to update something in my configs)? Is it possible to keep my already signed zones of my 9.14.12 installation? Or do I have to re-sign anything?
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-...@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Duncan

unread,
Sep 3, 2020, 6:36:01 AM9/3/20
to bind-...@lists.isc.org
I think, I 've found the problem...

Read in the documentation: "UDP network ports used for listening can no longer simultaneously be used for sending traffic."

I had listen-on, notify-source and transfer-source all set to the same IP and Port (53). Setting notify-source and transfer-source to different ports seems to solve my problems.

Under 9.14.12 there were no problems - that's the difference to 9.16.4, which caused my problems.
0 new messages