Zone file got updated via named process unexpected
liudonghua at ynu.edu.cn
Tue Dec 19 01:30:51 UTC 2023
hi, I did not use or configure DNSSEC or Dynamic DNS. I have also disabled DNSSEC via `dnssec-validation no;`, and I also tried to use `dnssec-enable no;` and `dnssec-lookaside no;`, but these configuration options do not exist anymore in the new bind 9.18.20 I updated to.
I also checked if I am using DNSSEC via `dnssec-checkds`.
[root at pridns ~]# dnssec-checkds -f /etc/named.data/db.ynu.edu.cn.intranet ynu.edu.cn
dnssec-dsfromkey: fatal: no DNSKEY RR for ynu.edu.cn in /etc/named.data/db.ynu.edu.cn.intranet
No DNSKEY records found in zone apex
[root at pridns ~]# echo $?
1
[root at pridns ~]#
And there is no log in `dnssec_log` after I configured DNSSEC logging from https://bind9.readthedocs.io/en/latest/dnssec-guide.html#bind-dnssec-debug-logging.
Is it a problem with the SOA serial number? After I updated this value, the zone file did not change anymore, but this zone does not load, according to the `rndc dumpdb -all` output.
# parts of /var/named/data/cache_dump.db
; Zone dump of 'ynu.edu.cn/IN/INTRANET'
;
; zone not loaded
[root at pridns ~]# tail -f /var/log/named/dns-default.log|grep 113.55.127.140
19-Dec-2023 09:28:47.481 query-errors: info: client @0x7fe6f000da68 113.55.127.140#54309 (www.ynu.edu.cn): view INTRANET: query failed (zone not loaded) for www.ynu.edu.cn/IN/A at query.c:5673
19-Dec-2023 09:28:47.481 query-errors: info: client @0x7fe70049a218 113.55.127.140#54310 (www.ynu.edu.cn): view INTRANET: query failed (zone not loaded) for www.ynu.edu.cn/IN/AAAA at query.c:5673
19-Dec-2023 09:28:47.483 client: debug 1: client @0x7fe6fd8b9c98 113.55.127.140#54311 (www.ynu.edu.cn): view INTRANET: servfail cache hit www.ynu.edu.cn/A (CD=0)
19-Dec-2023 09:28:47.483 query-errors: info: client @0x7fe6fd8b9c98 113.55.127.140#54311 (www.ynu.edu.cn): view INTRANET: query failed (SERVFAIL) for www.ynu.edu.cn/IN/A at query.c:7094
19-Dec-2023 09:28:47.484 client: debug 1: client @0x7fe70049a218 113.55.127.140#54312 (www.ynu.edu.cn): view INTRANET: servfail cache hit www.ynu.edu.cn/AAAA (CD=0)
19-Dec-2023 09:28:47.484 query-errors: info: client @0x7fe70049a218 113.55.127.140#54312 (www.ynu.edu.cn): view INTRANET: query failed (SERVFAIL) for www.ynu.edu.cn/IN/AAAA at query.c:7094
[root at pridns ~]#
However, this zone file /etc/named.data/db.ynu.edu.cn.intranet is almost the same as the other zone files from different views.
2023-12-18 04:18:06 "Nick Tait via bind-users" <bind-users at lists.isc.org> wrote:
> On 17/12/2023 5:30 pm, liudonghua at ynu.edu.cn wrote:
> > I found this zone file got updated in about 15 minutes when I made
> > changes or restarted named, and this behavior seems match the docs
> > bind9.readthedocs.io/en/latest/chapter6.html#dynamic-update, but I can
> > confirm I DO NOT configure allow-update or update-policy. I even add
> > "allow-update {none;}; // no DDNS by default" in the zone block of the
> > problematic view. Is there any chances this configuration comes from
> > other config file or named build options?
>
> Are you using DNSSEC with this zone? Your config extract doesn't show
> it, but what you described sounds like BIND might be resigning the zone
> file and writing the new signed zone over top of the original file? If
> so, the solution is to use inline-signing:
> https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-inline-signing
>
> Note that there have been many improvements in BIND's support for DNSSEC
> over the last few years, so if this is a server that you've inherited,
> it is probably worth reviewing the DNSSEC configuration options to see
> if it can be improved?
>
> Nick.
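As an added example (not part of this thread or of BIND itself), a small Python parser for the `query-errors` log lines quoted above: it groups "zone not loaded" failures per view and zone, so an operator can see exactly which zone in which view stopped serving, and separates the later `SERVFAIL` entries that the servfail cache produces for repeat queries. The log lines, addresses (192.0.2.x) and client pointers it embeds are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the format of named's "query-errors" category, as in the post.
# Addresses (192.0.2.x), names and client pointers are made up for the example.
SAMPLE_LOG = """\
19-Dec-2023 09:28:47.481 query-errors: info: client @0x7f00000001 192.0.2.10#54309 (www.example.test): view INTRANET: query failed (zone not loaded) for www.example.test/IN/A at query.c:5673
19-Dec-2023 09:28:47.481 query-errors: info: client @0x7f00000002 192.0.2.10#54310 (www.example.test): view INTRANET: query failed (zone not loaded) for www.example.test/IN/AAAA at query.c:5673
19-Dec-2023 09:28:47.483 client: debug 1: client @0x7f00000003 192.0.2.10#54311 (www.example.test): view INTRANET: servfail cache hit www.example.test/A (CD=0)
19-Dec-2023 09:28:47.483 query-errors: info: client @0x7f00000003 192.0.2.10#54311 (www.example.test): view INTRANET: query failed (SERVFAIL) for www.example.test/IN/A at query.c:7094
19-Dec-2023 09:28:48.120 query-errors: info: client @0x7f00000004 192.0.2.11#40001 (mail.example.test): view EXTERNAL: query failed (zone not loaded) for mail.example.test/IN/MX at query.c:5673
"""

# One query-errors line: timestamp, level, client pointer, client address#port, query name,
# view, failure reason, and the name/class/type that failed.
QUERY_ERROR_RE = re.compile(
    r"^(?P<ts>\S+ \S+) query-errors: \w+: client @0x[0-9a-f]+ "
    r"(?P<client>[^#\s]+)#\d+ \((?P<qname>[^)]+)\): view (?P<view>[^:]+): "
    r"query failed \((?P<reason>[^)]+)\) for (?P<name>[^/\s]+)/(?P<rrclass>[^/\s]+)/(?P<rrtype>\S+) "
    r"at query\.c:\d+$"
)


def parse_query_errors(log_text):
    """Return one dict per query-errors line; other categories (e.g. 'client: debug') are skipped."""
    records = []
    for line in log_text.splitlines():
        m = QUERY_ERROR_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def failures_by_view(records, reason="zone not loaded"):
    """Count failures with the given reason per (view, name): which zone in which view is not serving."""
    counts = Counter()
    for r in records:
        if r["reason"] == reason:
            counts[(r["view"], r["name"])] += 1
    return counts


def servfail_cache_followups(records):
    """'query failed (SERVFAIL)' entries come from the servfail cache answering repeat queries
    for a name that already failed; keep them apart so they are not read as a second fault."""
    return [r for r in records if r["reason"] == "SERVFAIL"]


if __name__ == "__main__":
    recs = parse_query_errors(SAMPLE_LOG)
    for (view, name), n in sorted(failures_by_view(recs).items()):
        print(f"view {view}: {name} not loaded ({n} failed queries)")
```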