BIND 9.11.1-P3 revives expired zones briefly during reconfig

Mukund Sivaraman muks at isc.org
Sun Aug 6 18:28:47 UTC 2017


On Sun, Aug 06, 2017 at 08:07:51PM +0200, Anand Buddhdev wrote:
> On 06/08/2017 13:49, Mukund Sivaraman wrote:
> 
> Hi Mukund,
> 
> > Which exact version of 9.11 is this? Is their master NSD or some 3rd
> > party signer? Can you create a bug ticket with your named config
> > (named-checkconf -px) ?
> 
> As I wrote in the subject, it's BIND 9.11.1-P3. The masters of these

Sorry Anand, I missed that :)

> name servers are unknown, but I can attempt to probe them with
> ch/txt/version.bind queries to try and find out.

I wonder if the zones on the slaves expired because the slave was not
able to XFR them. After the recent TSIG CVE, for about a week, we had a
(non-security) bug in BIND due to which named didn't correctly validate
a kind of TSIG signed AXFR/IXFR (specifically BIND as slave receiving
from NSD as master was affected by the bug - due to BIND's fault). It
was fixed soon after in another patch release.

9.11.1-P3 has the fix for this, but I wonder if the older 9.10 release
that you were running had this bug that prevented successful transfers
of the slave zones that caused them to expire, which caused them to be
unloaded on startup.

Or there could be some other reason. :)

> Will the bug report be publicly viewable?

You can send it to bind9-confidential at isc.org.

		Mukund

