How an OOM Issue With BIND 9 Led to Discovering a Memory Allocator Glitch
We recently dealt with an interesting case of a fleet of BIND 9.Read post
Today, ISC is publishing a new beta release of BIND 9.9.0. As several new features have been added since the feature preview I posted on the occasion of the first alpha release, it would seem to be a good time for an update.
The new ‘inline-signing’ option, in combination with the ‘auto-dnssec’ option that was introduced in BIND 9.7, allows named to sign zones completely transparently. Before now, automatic zone signing only worked on master zones that were configured to be dynamic; now, it works on any master or slave zone.
In a master zone with inline signing, the zone is loaded from disk as usual, and a second copy of the zone is created to hold the signed version. The original zone file is not touched; all comments remain intact. When you edit the zone file and reload,
named detects the incremental changes that have been made to the raw version of the zone and applies those changes to the signed version, adding signatures as needed.
A slave zone with inline signing works similarly, except that instead of loading the zone from disk and then signing it, the slave transfers the zone from a master server and then signs it. This enables “bump in the wire” signing: a dedicated signing server acting as an intermediary between a hidden master server (which provides the raw zone data) and a set of publicly accessible slave servers (which only serve the signed data).
Note: A known bug in this release can cause master zones that use inline-signing to lose synchronization between the signed and unsigned versions. This will be addressed in a future release; in the meantime, this feature should be considered experimental. The problem has not been seen when using inline-signing with slave zones.
Other DNSSEC improvements
The new ‘rndc signing’ command provides greater visibility and control of the automatic DNSSEC signing process. When a zone is being signed, records are inserted into the zone indicating which keys are currently in the process of signing and which have finished (this enables
named to resume the process correctly if there is a crash before the zone is fully signed). That state information is now visible:
What's New from ISC