BIND 9.9.0 Inline-Signing Out of Control
David Kreindler
david at govnet.state.vt.us
Fri Mar 2 22:13:08 UTC 2012
When BIND 9.9.0 was released, we started converting our DNSSEC-signed zones to inline signing.
Everything went smoothly with all but one of our zones ("pesky.zone", below). With that zone, after named signed it and completed an AXFR-style IXFR to each of four slaves, it proceeded to start repeatedly incrementing the SOA serial and retransferring. By the time we stopped it, named had incremented the serial almost 200 times, with corresponding IXFRs.
There is nothing different about this zone from any of our others, except that it contains somewhat more RRs. (There are no dynamic updates permitted, no DS records for delegated subdomains, nothing else that we could think of to explain the behavior.)
Why would named go crazy when we configure inline signing for this one zone, when all of our other zones are working fine with inline signing?
Mar 2 14:33:14 ns0 named[806928]: received control channel command 'reconfig'
Mar 2 14:33:14 ns0 named[806928]: loading configuration from '/etc/named.conf'
Mar 2 14:33:14 ns0 named[806928]: reading built-in trusted keys from file '/etc/bind.keys'
Mar 2 14:33:14 ns0 named[806928]: using default UDP/IPv4 port range: [1024, 65535]
Mar 2 14:33:14 ns0 named[806928]: using default UDP/IPv6 port range: [1024, 65535]
Mar 2 14:33:14 ns0 named[806928]: prefix length for ::1 is unknown (assume 128)
Mar 2 14:33:14 ns0 named[806928]: sizing zone task pool based on 207 zones
Mar 2 14:33:15 ns0 named[806928]: zone pesky.zone/IN: (master) removed
Mar 2 14:33:15 ns0 named[806928]: prefix length for ::1 is unknown (assume 128)
Mar 2 14:33:15 ns0 named[806928]: reloading configuration succeeded
Mar 2 14:33:15 ns0 named[806928]: zone pesky.zone/IN (unsigned): loaded serial 2012030200
Mar 2 14:33:15 ns0 named[806928]: any newly configured zones are now loaded
...
Mar 2 14:33:15 ns0 named[806928]: zone pesky.zone/IN (signed): loaded serial 2012030200
Mar 2 14:33:15 ns0 daemon:err|error named[806928]: zone pesky.zone/IN (signed): receive_secure_serial: unchanged
Mar 2 14:33:15 ns0 named[806928]: zone pesky.zone/IN (signed): reconfiguring zone keys
Mar 2 14:33:16 ns0 named[806928]: zone pesky.zone/IN (signed): next key event: 02-Mar-2012 15:33:15.740
Mar 2 14:33:16 ns0 named[806928]: client [ns3]#42941/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR started: TSIG ns0-ns3
Mar 2 14:33:17 ns0 named[806928]: client [ns4]#48695/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR started: TSIG ns0-ns4
Mar 2 14:33:17 ns0 named[806928]: client [ns2]#52228/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR started: TSIG ns0-ns2
Mar 2 14:33:17 ns0 named[806928]: client [ns3]#42941/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR ended
Mar 2 14:33:17 ns0 named[806928]: client [ns1]#51606/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR started: TSIG ns0-ns1
Mar 2 14:33:18 ns0 named[806928]: client [ns4]#48695/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR ended
Mar 2 14:33:18 ns0 named[806928]: client [ns2]#52228/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR ended
Mar 2 14:33:18 ns0 named[806928]: client [ns1]#51606/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR ended
Mar 2 14:33:21 ns0 named[806928]: client [ns3]#42944/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns3
Mar 2 14:33:21 ns0 named[806928]: client [ns3]#42944/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:21 ns0 named[806928]: client [ns2]#52229/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns2
Mar 2 14:33:21 ns0 named[806928]: client [ns4]#48700/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns4
Mar 2 14:33:21 ns0 named[806928]: client [ns1]#51607/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns1
Mar 2 14:33:22 ns0 named[806928]: client [ns2]#52229/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:22 ns0 named[806928]: client [ns4]#48700/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:22 ns0 named[806928]: client [ns1]#51607/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:26 ns0 named[806928]: client [ns3]#42945/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns3
Mar 2 14:33:26 ns0 named[806928]: client [ns3]#42945/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:26 ns0 named[806928]: client [ns2]#52230/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns2
Mar 2 14:33:26 ns0 named[806928]: client [ns4]#48702/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns4
Mar 2 14:33:26 ns0 named[806928]: client [ns1]#51608/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns1
Mar 2 14:33:27 ns0 named[806928]: client [ns4]#48702/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:27 ns0 named[806928]: client [ns2]#52230/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:27 ns0 named[806928]: client [ns1]#51608/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:31 ns0 named[806928]: client [ns3]#42947/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns3
Mar 2 14:33:31 ns0 named[806928]: client [ns3]#42947/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:31 ns0 named[806928]: client [ns1]#51609/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns1
Mar 2 14:33:31 ns0 named[806928]: client [ns4]#48703/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns4
Mar 2 14:33:31 ns0 named[806928]: client [ns2]#52231/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns2
Mar 2 14:33:32 ns0 named[806928]: client [ns4]#48703/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:32 ns0 named[806928]: client [ns1]#51609/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:32 ns0 named[806928]: client [ns2]#52231/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:36 ns0 named[806928]: client [ns3]#42952/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns3
Mar 2 14:33:36 ns0 named[806928]: client [ns3]#42952/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:37 ns0 named[806928]: client [ns2]#52232/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns2
Mar 2 14:33:37 ns0 named[806928]: client [ns4]#48706/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns4
Mar 2 14:33:37 ns0 named[806928]: client [ns1]#51610/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns1
Mar 2 14:33:37 ns0 named[806928]: client [ns2]#52232/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:37 ns0 named[806928]: client [ns4]#48706/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:37 ns0 named[806928]: client [ns1]#51610/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:41 ns0 named[806928]: client [ns3]#42954/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns3
Mar 2 14:33:42 ns0 named[806928]: client [ns3]#42954/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:42 ns0 named[806928]: client [ns4]#48709/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns4
Mar 2 14:33:42 ns0 named[806928]: client [ns2]#52233/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns2
Mar 2 14:33:42 ns0 named[806928]: client [ns1]#51611/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns1
Mar 2 14:33:42 ns0 named[806928]: client [ns4]#48709/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:42 ns0 named[806928]: client [ns2]#52233/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:42 ns0 named[806928]: client [ns1]#51611/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:46 ns0 named[806928]: client [ns3]#42957/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns3
Mar 2 14:33:47 ns0 named[806928]: client [ns3]#42957/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:47 ns0 named[806928]: client [ns1]#51612/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns1
Mar 2 14:33:47 ns0 named[806928]: client [ns2]#52234/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns2
Mar 2 14:33:47 ns0 named[806928]: client [ns4]#48710/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns4
Mar 2 14:33:47 ns0 named[806928]: client [ns1]#51612/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:47 ns0 named[806928]: client [ns4]#48710/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:47 ns0 named[806928]: client [ns2]#52234/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:52 ns0 named[806928]: client [ns3]#42960/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns3
Mar 2 14:33:52 ns0 named[806928]: client [ns3]#42960/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:52 ns0 named[806928]: client [ns1]#51613/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns1
Mar 2 14:33:52 ns0 named[806928]: client [ns4]#48713/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns4
Mar 2 14:33:52 ns0 named[806928]: client [ns2]#52235/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns2
Mar 2 14:33:52 ns0 named[806928]: client [ns4]#48713/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:52 ns0 named[806928]: client [ns1]#51613/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:52 ns0 named[806928]: client [ns2]#52235/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:57 ns0 named[806928]: client [ns3]#42962/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns3
Mar 2 14:33:57 ns0 named[806928]: client [ns3]#42962/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:57 ns0 named[806928]: client [ns1]#51614/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns1
Mar 2 14:33:57 ns0 named[806928]: client [ns4]#48715/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns4
Mar 2 14:33:57 ns0 named[806928]: client [ns2]#52236/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns2
Mar 2 14:33:58 ns0 named[806928]: client [ns4]#48715/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:58 ns0 named[806928]: client [ns1]#51614/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:33:58 ns0 named[806928]: client [ns2]#52236/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:34:02 ns0 named[806928]: client [ns3]#42963/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns3
Mar 2 14:34:02 ns0 named[806928]: client [ns3]#42963/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:34:02 ns0 named[806928]: client [ns4]#48718/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns4
Mar 2 14:34:02 ns0 named[806928]: client [ns2]#52237/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns2
Mar 2 14:34:02 ns0 named[806928]: client [ns1]#51615/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns1
Mar 2 14:34:03 ns0 named[806928]: client [ns4]#48718/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:34:03 ns0 named[806928]: client [ns2]#52237/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
Mar 2 14:34:03 ns0 named[806928]: client [ns1]#51615/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
....
More information about the bind-users
mailing list