Zone file got updated via named process unexpectedly

liudonghua at ynu.edu.cn
Tue Dec 19 01:30:51 UTC 2023


Hi, I did not use or configure DNSSEC or Dynamic DNS. I have also disabled DNSSEC via `dnssec-validation no;`. I also tried to use `dnssec-enable no;` and `dnssec-lookaside no;`, but these configuration options do not exist anymore in the new BIND 9.18.20 I updated to.

I also checked whether I am using DNSSEC via `dnssec-checkds`.

[root@pridns ~]# dnssec-checkds -f /etc/named.data/db.ynu.edu.cn.intranet ynu.edu.cn
dnssec-dsfromkey: fatal: no DNSKEY RR for ynu.edu.cn in /etc/named.data/db.ynu.edu.cn.intranet
No DNSKEY records found in zone apex
[root@pridns ~]# echo $?
1
[root@pridns ~]# 

And there is no log in `dnssec_log` after I configured DNSSEC logging following https://bind9.readthedocs.io/en/latest/dnssec-guide.html#bind-dnssec-debug-logging.

Is it a problem with the SOA serial number? After I updated this value, the zone file did not change anymore, but this zone is not loaded according to the `rndc dumpdb -all` output.

# parts of /var/named/data/cache_dump.db
; Zone dump of 'ynu.edu.cn/IN/INTRANET'
;
; zone not loaded

[root@pridns ~]# tail -f /var/log/named/dns-default.log|grep 113.55.127.140
19-Dec-2023 09:28:47.481 query-errors: info: client @0x7fe6f000da68 113.55.127.140#54309 (www.ynu.edu.cn): view INTRANET: query failed (zone not loaded) for www.ynu.edu.cn/IN/A at query.c:5673
19-Dec-2023 09:28:47.481 query-errors: info: client @0x7fe70049a218 113.55.127.140#54310 (www.ynu.edu.cn): view INTRANET: query failed (zone not loaded) for www.ynu.edu.cn/IN/AAAA at query.c:5673
19-Dec-2023 09:28:47.483 client: debug 1: client @0x7fe6fd8b9c98 113.55.127.140#54311 (www.ynu.edu.cn): view INTRANET: servfail cache hit www.ynu.edu.cn/A (CD=0)
19-Dec-2023 09:28:47.483 query-errors: info: client @0x7fe6fd8b9c98 113.55.127.140#54311 (www.ynu.edu.cn): view INTRANET: query failed (SERVFAIL) for www.ynu.edu.cn/IN/A at query.c:7094
19-Dec-2023 09:28:47.484 client: debug 1: client @0x7fe70049a218 113.55.127.140#54312 (www.ynu.edu.cn): view INTRANET: servfail cache hit www.ynu.edu.cn/AAAA (CD=0)
19-Dec-2023 09:28:47.484 query-errors: info: client @0x7fe70049a218 113.55.127.140#54312 (www.ynu.edu.cn): view INTRANET: query failed (SERVFAIL) for www.ynu.edu.cn/IN/AAAA at query.c:7094
[root@pridns ~]#

However, this zone file /etc/named.data/db.ynu.edu.cn.intranet is almost the same as the other zone file from a different view.

2023-12-18 04:18:06 "Nick Tait via bind-users" <bind-users at lists.isc.org> wrote:
> On 17/12/2023 5:30 pm, liudonghua at ynu.edu.cn wrote:
> > I found this zone file got updated in about 15 minutes when I made 
> > changes or restarted named, and this behavior seems match the docs 
> > bind9.readthedocs.io/en/latest/chapter6.html#dynamic-update, but I can 
> > confirm I DO NOT configure allow-update or update-policy. I even add 
> > "allow-update {none;}; // no DDNS by default" in the zone block of the 
> > problematic view. Is there any chances this configuration comes from 
> > other config file or named build options?
> 
> Are you using DNSSEC with this zone? Your config extract doesn't show 
> it, but what you described sounds like BIND might be resigning the zone 
> file and writing the new signed zone over top of the original file? If 
> so, the solution is to use inline-signing: 
> https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-inline-signing
> 
> Note that there have been many improvements in BIND's support for DNSSEC 
> over the last few years, so if this is a server that you've inherited, 
> it is probably worth reviewing the DNSSEC configuration options to see 
> if it can be improved?
> 
> Nick.
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

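The checks the thread goes back and forth on (is the zone signed, is the SOA serial what you think, is named writing a journal next to the file, and does any config statement actually let named rewrite the file) can be run offline against the zone file and an expanded config. The script below is an added example written for this page; it is not code from the original posts or from ISC's BIND. The zone name `example.test`, the file paths and the zone/config contents are constructed sample input; on a real server point the functions at the zone file from the `file` statement and at the output of `named-checkconf -p`, so that included files are expanded.

```shell
#!/bin/sh
# Added example (not from the thread or from ISC). Four offline checks for a
# zone file that named keeps rewriting:
#   1. the SOA serial in the file on disk,
#   2. whether the zone has any DNSKEY RR (what dnssec-checkds complained about),
#   3. whether a .jnl journal exists beside the file: named writes one when it
#      accepts dynamic updates or signs a zone itself, and later dumps the
#      journal back into the zone file,
#   4. config statements that allow named to modify the zone on disk.
# All paths and record values are constructed for this example.

# 1. Serial of the first SOA RR. Comments are stripped and the usual
#    multi-line parenthesised SOA is flattened before tokenising, so the
#    serial is always the third token after "SOA" (MNAME, RNAME, SERIAL).
zone_soa_serial() {
    sed 's/;.*//' "$1" | tr -d '()' | tr '\n' ' ' |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "SOA") { print $(i + 3); exit } }'
}

# 2. "yes" if any DNSKEY RR is present in the file, else "no".
zone_has_dnskey() {
    if sed 's/;.*//' "$1" | grep -Eq '[[:space:]]DNSKEY[[:space:]]'; then
        echo yes
    else
        echo no
    fi
}

# 3. "yes" if named keeps a journal next to the zone file.
zone_has_journal() {
    if [ -f "$1.jnl" ]; then echo yes; else echo no; fi
}

# 4. Statements that let named change the zone itself: dynamic update
#    (allow-update, update-policy) and in-server signing (dnssec-policy,
#    inline-signing, and the older auto-dnssec). An explicit
#    `allow-update { none; };` is filtered out because it grants nothing.
#    Feed this the output of `named-checkconf -p` so includes are expanded.
conf_rewrite_statements() {
    sed -e 's://.*::' -e 's/#.*//' "$1" |
        grep -E '^[[:space:]]*(allow-update|update-policy|inline-signing|dnssec-policy|auto-dnssec)[[:space:]]' |
        grep -Ev 'allow-update[[:space:]]*\{[[:space:]]*none[[:space:]]*;[[:space:]]*\}' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Constructed sample input: a small unsigned zone and a two-view config in
# which only the INTRANET view tells named to sign the zone itself.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_ZONE="$WORK/db.example.test.intranet"
SAMPLE_CONF="$WORK/named.conf.expanded"

cat > "$SAMPLE_ZONE" <<'EOF'
$TTL 3600
@   IN SOA ns1.example.test. hostmaster.example.test. (
        2023121901 ; serial
        7200       ; refresh
        900        ; retry
        1209600    ; expire
        300 )      ; minimum
    IN NS  ns1.example.test.
ns1 IN A   192.0.2.1
www IN A   192.0.2.10
EOF

cat > "$SAMPLE_CONF" <<'EOF'
view "INTRANET" {
    match-clients { 10.0.0.0/8; };
    zone "example.test" {
        type primary;
        file "/var/named/data/db.example.test.intranet";
        allow-update { none; };   // explicit, but says nothing about signing
        dnssec-policy default;    // named will sign and maintain this zone itself
    };
};
view "EXTERNAL" {
    match-clients { any; };
    zone "example.test" {
        type primary;
        file "/var/named/data/db.example.test.external";
    };
};
EOF

echo "serial:  $(zone_soa_serial "$SAMPLE_ZONE")"
echo "dnskey:  $(zone_has_dnskey "$SAMPLE_ZONE")"
echo "journal: $(zone_has_journal "$SAMPLE_ZONE")"
echo "config statements that let named rewrite the zone:"
conf_rewrite_statements "$SAMPLE_CONF"
```

On the sample data this reports serial 2023121901, no DNSKEY, no journal, and a single offending statement, `dnssec-policy default;`, which an `allow-update { none; };` in the same zone block does not override. Before chasing any of this on the real server, run `named-checkzone ynu.edu.cn /etc/named.data/db.ynu.edu.cn.intranet` on the file as it is now: a file that no longer parses is one way to end up with the `zone not loaded` state in the `rndc dumpdb` output and the SERVFAIL answers in the log.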
