BIND 9.9.0 Inline-Signing Out of Control

David Kreindler david at govnet.state.vt.us
Mon Mar 5 12:46:32 UTC 2012 

We thought of two other differences between this zone and the others:

1. this zone has NS records with servers that are in the zone itself, and
2. our global "also-notify" option contain IP addresses that resolve to host names in this zone.

Could the problem be the result of the servers notifying each other?

On 2 Mar 2012, at 5:13 PM, David Kreindler wrote:

> When BIND 9.9.0 was released, we started converting our DNSSEC-signed zones to inline signing.
> 
> Everything went smoothly with all but one of our zones ("pesky.zone", below). With that zone, after named signed it and completed an AXFR-style IXFR to each of four slaves, it proceeded to start repeatedly incrementing the SOA serial and retransferring. By the time we stopped it, named had incremented the serial almost 200 times, with corresponding IXFRs.
> 
> There is nothing different about this zone from any of our others, except that it contains somewhat more RRs. (There are no dynamic updates permitted, no DS records for delegated subdomains, nothing else that we could think of to explain the behavior.)
> 
> Why would named go crazy when we configure inline signing for this one zone, when all of our other zones are working fine with inline signing?
> 
> 	Mar  2 14:33:14 ns0 named[806928]: received control channel command 'reconfig'
> 	Mar  2 14:33:14 ns0 named[806928]: loading configuration from '/etc/named.conf'
> 	Mar  2 14:33:14 ns0 named[806928]: reading built-in trusted keys from file '/etc/bind.keys'
> 	Mar  2 14:33:14 ns0 named[806928]: using default UDP/IPv4 port range: [1024, 65535]
> 	Mar  2 14:33:14 ns0 named[806928]: using default UDP/IPv6 port range: [1024, 65535]
> 	Mar  2 14:33:14 ns0 named[806928]: prefix length for ::1 is unknown (assume 128)
> 	Mar  2 14:33:14 ns0 named[806928]: sizing zone task pool based on 207 zones
> 	Mar  2 14:33:15 ns0 named[806928]: zone pesky.zone/IN: (master) removed
> 	Mar  2 14:33:15 ns0 named[806928]: prefix length for ::1 is unknown (assume 128)
> 	Mar  2 14:33:15 ns0 named[806928]: reloading configuration succeeded
> 	Mar  2 14:33:15 ns0 named[806928]: zone pesky.zone/IN (unsigned): loaded serial 2012030200
> 	Mar  2 14:33:15 ns0 named[806928]: any newly configured zones are now loaded
> 	...
> 	Mar  2 14:33:15 ns0 named[806928]: zone pesky.zone/IN (signed): loaded serial 2012030200
> 	Mar  2 14:33:15 ns0 daemon:err|error named[806928]: zone pesky.zone/IN (signed): receive_secure_serial: unchanged
> 	Mar  2 14:33:15 ns0 named[806928]: zone pesky.zone/IN (signed): reconfiguring zone keys
> 	Mar  2 14:33:16 ns0 named[806928]: zone pesky.zone/IN (signed): next key event: 02-Mar-2012 15:33:15.740
> 	Mar  2 14:33:16 ns0 named[806928]: client [ns3]#42941/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR started: TSIG ns0-ns3
> 	Mar  2 14:33:17 ns0 named[806928]: client [ns4]#48695/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR started: TSIG ns0-ns4
> 	Mar  2 14:33:17 ns0 named[806928]: client [ns2]#52228/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR started: TSIG ns0-ns2
> 	Mar  2 14:33:17 ns0 named[806928]: client [ns3]#42941/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR ended
> 	Mar  2 14:33:17 ns0 named[806928]: client [ns1]#51606/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR started: TSIG ns0-ns1
> 	Mar  2 14:33:18 ns0 named[806928]: client [ns4]#48695/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR ended
> 	Mar  2 14:33:18 ns0 named[806928]: client [ns2]#52228/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR ended
> 	Mar  2 14:33:18 ns0 named[806928]: client [ns1]#51606/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR ended
> 	Mar  2 14:33:21 ns0 named[806928]: client [ns3]#42944/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns3
> 	Mar  2 14:33:21 ns0 named[806928]: client [ns3]#42944/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:21 ns0 named[806928]: client [ns2]#52229/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns2
> 	Mar  2 14:33:21 ns0 named[806928]: client [ns4]#48700/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns4
> 	Mar  2 14:33:21 ns0 named[806928]: client [ns1]#51607/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns1
> 	Mar  2 14:33:22 ns0 named[806928]: client [ns2]#52229/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:22 ns0 named[806928]: client [ns4]#48700/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:22 ns0 named[806928]: client [ns1]#51607/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:26 ns0 named[806928]: client [ns3]#42945/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns3
> 	Mar  2 14:33:26 ns0 named[806928]: client [ns3]#42945/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:26 ns0 named[806928]: client [ns2]#52230/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns2
> 	Mar  2 14:33:26 ns0 named[806928]: client [ns4]#48702/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns4
> 	Mar  2 14:33:26 ns0 named[806928]: client [ns1]#51608/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns1
> 	Mar  2 14:33:27 ns0 named[806928]: client [ns4]#48702/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:27 ns0 named[806928]: client [ns2]#52230/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:27 ns0 named[806928]: client [ns1]#51608/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:31 ns0 named[806928]: client [ns3]#42947/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns3
> 	Mar  2 14:33:31 ns0 named[806928]: client [ns3]#42947/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:31 ns0 named[806928]: client [ns1]#51609/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns1
> 	Mar  2 14:33:31 ns0 named[806928]: client [ns4]#48703/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns4
> 	Mar  2 14:33:31 ns0 named[806928]: client [ns2]#52231/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns2
> 	Mar  2 14:33:32 ns0 named[806928]: client [ns4]#48703/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:32 ns0 named[806928]: client [ns1]#51609/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:32 ns0 named[806928]: client [ns2]#52231/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:36 ns0 named[806928]: client [ns3]#42952/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns3
> 	Mar  2 14:33:36 ns0 named[806928]: client [ns3]#42952/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:37 ns0 named[806928]: client [ns2]#52232/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns2
> 	Mar  2 14:33:37 ns0 named[806928]: client [ns4]#48706/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns4
> 	Mar  2 14:33:37 ns0 named[806928]: client [ns1]#51610/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns1
> 	Mar  2 14:33:37 ns0 named[806928]: client [ns2]#52232/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:37 ns0 named[806928]: client [ns4]#48706/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:37 ns0 named[806928]: client [ns1]#51610/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:41 ns0 named[806928]: client [ns3]#42954/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns3
> 	Mar  2 14:33:42 ns0 named[806928]: client [ns3]#42954/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:42 ns0 named[806928]: client [ns4]#48709/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns4
> 	Mar  2 14:33:42 ns0 named[806928]: client [ns2]#52233/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns2
> 	Mar  2 14:33:42 ns0 named[806928]: client [ns1]#51611/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns1
> 	Mar  2 14:33:42 ns0 named[806928]: client [ns4]#48709/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:42 ns0 named[806928]: client [ns2]#52233/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:42 ns0 named[806928]: client [ns1]#51611/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:46 ns0 named[806928]: client [ns3]#42957/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns3
> 	Mar  2 14:33:47 ns0 named[806928]: client [ns3]#42957/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:47 ns0 named[806928]: client [ns1]#51612/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns1
> 	Mar  2 14:33:47 ns0 named[806928]: client [ns2]#52234/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns2
> 	Mar  2 14:33:47 ns0 named[806928]: client [ns4]#48710/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns4
> 	Mar  2 14:33:47 ns0 named[806928]: client [ns1]#51612/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:47 ns0 named[806928]: client [ns4]#48710/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:47 ns0 named[806928]: client [ns2]#52234/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:52 ns0 named[806928]: client [ns3]#42960/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns3
> 	Mar  2 14:33:52 ns0 named[806928]: client [ns3]#42960/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:52 ns0 named[806928]: client [ns1]#51613/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns1
> 	Mar  2 14:33:52 ns0 named[806928]: client [ns4]#48713/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns4
> 	Mar  2 14:33:52 ns0 named[806928]: client [ns2]#52235/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns2
> 	Mar  2 14:33:52 ns0 named[806928]: client [ns4]#48713/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:52 ns0 named[806928]: client [ns1]#51613/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:52 ns0 named[806928]: client [ns2]#52235/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:57 ns0 named[806928]: client [ns3]#42962/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns3
> 	Mar  2 14:33:57 ns0 named[806928]: client [ns3]#42962/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:57 ns0 named[806928]: client [ns1]#51614/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns1
> 	Mar  2 14:33:57 ns0 named[806928]: client [ns4]#48715/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns4
> 	Mar  2 14:33:57 ns0 named[806928]: client [ns2]#52236/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns2
> 	Mar  2 14:33:58 ns0 named[806928]: client [ns4]#48715/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:58 ns0 named[806928]: client [ns1]#51614/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:33:58 ns0 named[806928]: client [ns2]#52236/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:34:02 ns0 named[806928]: client [ns3]#42963/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns3
> 	Mar  2 14:34:02 ns0 named[806928]: client [ns3]#42963/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:34:02 ns0 named[806928]: client [ns4]#48718/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns4
> 	Mar  2 14:34:02 ns0 named[806928]: client [ns2]#52237/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns2
> 	Mar  2 14:34:02 ns0 named[806928]: client [ns1]#51615/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns1
> 	Mar  2 14:34:03 ns0 named[806928]: client [ns4]#48718/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:34:03 ns0 named[806928]: client [ns2]#52237/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	Mar  2 14:34:03 ns0 named[806928]: client [ns1]#51615/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> 	....
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

More information about the bind-users mailing list