bind 9.9 & inline-signing issue..

Evan Hunt each at isc.org
Tue Jan 31 00:37:58 UTC 2012


>  As you mentioned, even a hard restart of the named process would not cause
> a resign of the zone, and not that I did it the last time around, but for
> sure removing the journal files and .signed zone file would cause named to
> update from the unsigned file and then the signed data would be correct.

Removing the .signed file isn't necessary.  If you do that, named will
regenerate all the signatures for the entire zone.  If you just eliminate
the journals and update the SOA serial in the unsigned zone file, named
will diff the two files and generate signatures only for the differences.

>  So I guess that asks the question, what is different between doing an 'rndc
> reload' vs doing an 'rndc reload <zone>', as performing the latter will
> correct the problem it seems with the .signed zones.  I know for a fact the
> serial was updated over here, as I knew not changing that would cause it to
> think nothing changed, or that was my belief.  You really would think that
> doing a full reload on all zones, would have the same exact effect as
> reloading only one, but apparently not.

The bug that we've just fixed today caused 'rndc reload' (without
specifying a zone name) to fail to reuse the current running zone database
the way it's supposed to.  When loading an inline-signing zone, it would
just throw the old database away and load a new one, behaving as if this
was the first time the zone had ever been loaded.  One of the consequences
of that was that it failed to do some consistency checks the way it's
supposed to.  It did the checks the right way when using 'rndc reload <zone>'.

I suspect that something was wrong with the unsigned zone, 'rndc reload'
failed to catch the problem, and so the zone got itself into a weird state.
The exact circumstance in which I've seen this happen involved a failure to
update the SOA serial, but there may be other triggers for it as well.
Having 'rndc reload' behave correctly *should* prevent this sort of problem
from repeating itself in the future.

Our current plan is to roll a BIND 9.9.0rc2 release that includes this
fix; it should be available by tomorrow.  We'd love it if as many people
as possible tested this, particularly the inline-signing features.  If
you're participating in this thread we'd like your input.  The target
date for final release is quite soon, so the more testing we can get
in the next few days, the better.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
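The recovery step described in the reply above (drop the journals, bump the serial in the unsigned file, reload that one zone), as an added shell example that is not code from this thread or from ISC. It assumes, since the page does not say, that zone files live in $ZONEDIR as ZONE.db, that the journals for an inline-signing zone are ZONE.db.jnl and ZONE.db.signed.jnl, and that the SOA serial is the first bare integer after the SOA token.

```sh
#!/bin/sh
# Added example for the recovery step described in the reply above; it is not
# code from the thread or from ISC. Assumptions not stated on the page: zone
# files live in $ZONEDIR as ZONE.db, BIND's journals for an inline-signing
# zone are ZONE.db.jnl and ZONE.db.signed.jnl, and the SOA serial is the
# first bare integer after the SOA token (on that line or a following one).

# bump_serial FILE: increment the SOA serial of FILE in place and print the
# new value. Comments are ignored, and a TTL or class written before "SOA"
# (e.g. "@ 3600 IN SOA ...") is not mistaken for the serial.
bump_serial() {
    file=$1; tmp="$file.tmp.$$"
    new=$(awk -v out="$tmp" '
        !done {
            line = $0; sub(/;.*/, "", line)          # drop ";" comments
            n = split(line, tok, /[ \t()]+/); from = 1
            if (!insoa)
                for (i = 1; i <= n; i++)
                    if (tok[i] == "SOA") { insoa = 1; from = i + 1 }
            if (insoa)
                for (i = from; i <= n; i++)
                    if (tok[i] ~ /^[0-9]+$/) {
                        pos = index($0, tok[i]); new = tok[i] + 1
                        $0 = substr($0, 1, pos - 1) new substr($0, pos + length(tok[i]))
                        print new; done = 1; break
                    }
        }
        { print > out }' "$file") || { rm -f "$tmp"; return 1; }
    [ -n "$new" ] || { rm -f "$tmp"; return 1; }    # no SOA serial found
    mv "$tmp" "$file" && echo "$new"
}

# reset_inline_zone ZONE: what the reply recommends instead of deleting the
# .signed file: remove only the journals, bump the unsigned file's serial, and
# reload that one zone so named diffs old and new data and re-signs only the
# changed records.
reset_inline_zone() {
    zone=$1; zdir=${ZONEDIR:-/var/named}
    rm -f "$zdir/$zone.db.jnl" "$zdir/$zone.db.signed.jnl"
    serial=$(bump_serial "$zdir/$zone.db") || {
        echo "no SOA serial found in $zdir/$zone.db" >&2; return 1; }
    echo "$zone: serial is now $serial, reloading"
    rndc reload "$zone"
}

if [ "$#" -eq 1 ]; then reset_inline_zone "$1"; fi
```

Run it as `ZONEDIR=/path/to/zones ./reset-zone.sh example.org`; the serial bump is a plain +1, so a date-based serial such as 2012013001 becomes 2012013002.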


