
WARNING: debian11 + bind-9.16.15 + dnssec-policy in options{} = crashes



Hi,

If, like me, you've been eagerly awaiting debian11 to
get bind-9.16.15, which finally lets you implement
DNSSEC extremely easily on debian stable, I have a
warning.

Bind has a dnssec-policy {} stanza for defining your
own policy if you're feeling adventurous, but there's
also a default policy. And there's a dnssec-policy
usage directive to specify which dnssec-policy should
be applied to zones.

Bind's documentation says that the dnssec-policy usage
directive can either appear in the options {} stanza,
so as to apply to all zones, or it can appear in
individual zone {} stanzas.

My advice is:

  DO NOT PUT DNSSEC-POLICY IN THE OPTIONS {} STANZA.
  ONLY PUT DNSSEC-POLICY IN THE ZONE {} STANZAS.

I put it in the options {} stanza, not realising that
"all zones" doesn't just mean all of *my* authoritative
zones. It really means ALL zones. That means every zone
in /etc/bind/named.conf.local (i.e. my zones), as well as
every zone in /etc/bind/named.conf.default-zones, i.e.:

  localhost
  127.in-addr.arpa
  0.in-addr.arpa
  255.in-addr.arpa

And, if you uncomment the include "/etc/bind/zones.rfc1918"
in /etc/bind/named.conf.local, then it also means all of
those zones:

  16.172.in-addr.arpa
  17.172.in-addr.arpa
  ...
  31.172.in-addr.arpa
  168.192.in-addr.arpa

What happens next is that bind tries and fails to
create .jnl files in /etc/bind for these zones.
AppArmor or the directory permissions prevent it.
This sort of thing appears in the logs:

  general: error: /etc/bind/db.empty.jnl: create: permission denied
  general: error: /etc/bind/db.255.jnl: create: permission denied

Then bind gets an assertion failure and exits:

  general: notice: all zones loaded
  general: notice: running
  general: critical: rbtdb.c:6780: REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3
    && (rdataset->type == ((dns_rdatatype_t)dns_rdatatype_nsec3) || rdataset->covers
    == ((dns_rdatatype_t)dns_rdatatype_nsec3))) || (rbtnode->nsec != DNS_RBT_NSEC_NSEC3
    && rdataset->type != ((dns_rdatatype_t)dns_rdatatype_nsec3) && rdataset->covers
    != ((dns_rdatatype_t)dns_rdatatype_nsec3)))) failed, back trace
  general: critical: #0 0x558ce49ffeed in ??
  general: critical: #1 0x7fd079be6d9a in ??
  general: critical: #2 0x7fd079d7f73c in ??
  general: critical: #3 0x7fd079e45680 in ??
  general: critical: #4 0x7fd079c1b720 in ??
  general: critical: #5 0x7fd079c20f52 in ??
  general: critical: #6 0x7fd07995cea7 in ??
  general: critical: #7 0x7fd079590def in ??
  general: critical: exiting (due to assertion failure)

This repeats again and again until you work out what
happened, clean everything up, remove the dnssec-policy
from the options {} stanza, and restart bind.

And, unless I went temporarily insane, it even managed
somehow to overwrite my source zonefiles with signed
versions, and I had to restore them from backup. When
it works properly, it puts the signed versions in
separate files.

However, if you put the dnssec-policy usage directive in the
zone {} stanzas instead, it's absolutely brilliant.
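Because both placements are valid syntax, named-checkconf accepts a
dnssec-policy line inside options {} without complaint, so the
misplacement is easy to carry into production. The following shell
function is an added example (not from the post, not part of BIND or
Debian's packaging) that scans a named.conf-style file and reports any
dnssec-policy directive that sits inside the options {} stanza. It is a
line-oriented heuristic, not a real named.conf parser: it strips // and
# comments, counts braces to find the end of options {}, and does not
follow include statements or understand /* ... */ comments. The two
sample configs it writes are constructed for the demo; the file paths
and zone name in them are placeholders.

```shell
#!/bin/sh
# check_dnssec_policy_scope FILE
#   Exit 0: no dnssec-policy inside options {}
#   Exit 1: found one (each offending line is printed as FILE:LINE: ...)
# Heuristic only: drops // and # comments, tracks brace depth to find the
# matching }; of options {}, ignores /* */ comments and include statements.
check_dnssec_policy_scope() {
    awk '
        { sub(/\/\/.*/, ""); sub(/#.*/, "") }        # drop trailing comments
        /^[[:space:]]*options([[:space:]]|[{]|$)/ {  # start of options {}
            in_options = 1; depth = 0; seen_open = 0
        }
        in_options {
            opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}")
            if (opens) seen_open = 1
            if ($0 ~ /(^|[[:space:]])dnssec-policy[[:space:]]/) {
                printf "%s:%d: dnssec-policy inside options {} applies to ALL zones (default and RFC 1918 reverse zones included):%s\n", FILENAME, FNR, $0
                found = 1
            }
            depth += opens - closes
            if (seen_open && depth <= 0) in_options = 0   # reached the matching };
        }
        END { if (found) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample: the placement the post warns about (signs every zone,
# including localhost, 127.in-addr.arpa, 0.in-addr.arpa, 255.in-addr.arpa).
sample_bad_conf() {
    cat <<'EOF'
options {
    directory "/var/cache/bind";
    dnssec-policy default;   // WRONG scope: applies to all zones
};
zone "example.test" { type primary; file "/etc/bind/db.example.test"; };
EOF
}

# Constructed sample: the recommended placement, per zone only.
sample_good_conf() {
    cat <<'EOF'
options {
    directory "/var/cache/bind";
};
zone "example.test" {
    type primary;
    file "/etc/bind/db.example.test";
    dnssec-policy default;   // only this zone is signed
};
EOF
}

# Stand-alone demo: write both samples to temp files and check each.
tmp=$(mktemp)
for sample in sample_bad_conf sample_good_conf; do
    "$sample" > "$tmp"
    if check_dnssec_policy_scope "$tmp"; then
        echo "$sample: OK (dnssec-policy only in zone {} stanzas)"
    else
        echo "$sample: FIX (move dnssec-policy out of options {})"
    fi
done
rm -f "$tmp"
```

Run it against /etc/bind/named.conf.options (and any other file that
carries an options {} stanza) before restarting named; a non-zero exit
means the directive is in the global scope and will be applied to the
default and rfc1918 zones as well as your own.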

So, go nuts. DNSSEC all the zones!
Well, not *ALL* the zones.
You know what I mean. :-)

cheers,
raf

