WARNING: debian11 + bind-9.16.15 + dnssec-policy in options{} = crashes
Hi,
If like me, you've been eagerly awaiting debian11 to
get bind-9.16.15, which finally lets you implement
DNSSEC extremely easily on debian stable, I have a
warning.
Bind has a dnssec-policy {} stanza for defining your
own policy if you're feeling adventurous, but there's
also a default policy. And there's a dnssec-policy
usage directive to specify which dnssec-policy should
be applied to zones.
Bind's documentation says that the dnssec-policy usage
directive can either appear in the options {} stanza,
so as to apply to all zones, or it can appear in
individual zone {} stanzas.
My advice is:
DO NOT PUT DNSSEC-POLICY IN THE OPTIONS {} STANZA.
ONLY PUT DNSSEC-POLICY IN THE ZONE {} STANZAS.
I put it in the options {} stanza, not realising that
"all zones" doesn't just mean all of *my* authoritative
zones. It really means ALL zones. That means every zone
in /etc/bind/named.conf.local (i.e. my zones), as well as
every zone in /etc/bind/named.conf.default-zones, i.e.:
localhost
127.in-addr.arpa
0.in-addr.arpa
255.in-addr.arpa
And, if you uncomment the include "/etc/bind/zones.rfc1918"
in /etc/bind/named.conf.local, then it also means all of
those zones as well:
16.172.in-addr.arpa
17.172.in-addr.arpa
...
31.172.in-addr.arpa
168.192.in-addr.arpa
What happens next is that bind tries and fails to
create .jnl files in /etc/bind for these zones.
Apparmor or the directory permissions prevent it.
This sort of thing appears in the logs:
general: error: /etc/bind/db.empty.jnl: create: permission denied
general: error: /etc/bind/db.255.jnl: create: permission denied
Then bind gets an assertion failure and exits:
general: notice: all zones loaded
general: notice: running
general: critical: rbtdb.c:6780: REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 && (rdataset->type == ((dns_rdatatype_t)dns_rdatatype_nsec3) || rdataset->covers == ((dns_rdatatype_t)dns_rdatatype_nsec3))) || (rbtnode->nsec != DNS_RBT_NSEC_NSEC3 && rdataset->type != ((dns_rdatatype_t)dns_rdatatype_nsec3) && rdataset->covers != ((dns_rdatatype_t)dns_rdatatype_nsec3)))) failed, back trace
general: critical: #0 0x558ce49ffeed in ??
general: critical: #1 0x7fd079be6d9a in ??
general: critical: #2 0x7fd079d7f73c in ??
general: critical: #3 0x7fd079e45680 in ??
general: critical: #4 0x7fd079c1b720 in ??
general: critical: #5 0x7fd079c20f52 in ??
general: critical: #6 0x7fd07995cea7 in ??
general: critical: #7 0x7fd079590def in ??
general: critical: exiting (due to assertion failure)
This repeats again and again until you work out what
happened, clean everything up, remove the dnssec-policy
from the options {} stanza, and restart bind.
And, unless I went temporarily insane, it even managed
somehow to overwrite my source zonefiles with signed
versions, and I had to restore them from backup. When
it works properly, it puts the signed versions in
separate files.
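As an added example (not part of the original post, and not BIND's own tooling), here is a small pre-restart check that walks a named.conf-style text, reports every dnssec-policy usage directive together with the stanza it sits in, and, when one is found in options {}, lists the zones whose zone file lives under /etc/bind, since that is where named would then try and fail to create the .jnl journal. The two configuration fragments are constructed for the example: the risky layout with the directive in options {}, and the per-zone layout the post recommends. The assumptions are that /etc/bind is not writable by named (as the post describes) and that a static zone file under dnssec-policy needs inline-signing yes in 9.16; the parser only understands the brace/semicolon structure, not full named.conf semantics.

```python
import re

# Constructed sample named.conf fragments (not taken from the post).
RISKY_CONF = """
options {
    directory "/var/cache/bind";
    dnssec-policy default;   // applies to ALL zones, including the ones below
};
// the kind of zones Debian ships in named.conf.default-zones
zone "localhost" { type master; file "/etc/bind/db.local"; };
zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };
zone "example.org" { type master; file "/var/lib/bind/db.example.org"; };
"""

SAFE_CONF = """
options { directory "/var/cache/bind"; };
zone "localhost" { type master; file "/etc/bind/db.local"; };
zone "example.org" {
    type master;
    file "/var/lib/bind/db.example.org";
    dnssec-policy default;   /* only this zone is signed */
    inline-signing yes;      /* assumption: needed for a static zone file in 9.16 */
};
"""

# Assumption: named cannot create files here (AppArmor profile / directory perms).
READ_ONLY_PREFIX = "/etc/bind/"


def _strip_comments(text):
    """Remove /* */, // and # comments before tokenising."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", text)


def _tokens(text):
    # quoted strings, the three structural characters, and bare words
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', _strip_comments(text))


def parse_named_conf(conf_text):
    """Return (policies, zone_files).

    policies: list of (scope, policy_name) for each dnssec-policy *usage*
              directive (a statement ending in ';', not a policy definition
              block); scope is 'options' or 'zone <name>'.
    zone_files: zone name -> zone file path, taken from each zone's file directive.
    """
    policies, zone_files = [], {}
    stack, stmt = [], []          # enclosing block names, words of current statement
    for tok in _tokens(conf_text):
        if tok == "{":
            if stmt and stmt[0] == "zone" and len(stmt) > 1:
                stack.append("zone " + stmt[1].strip('"'))
            else:
                stack.append(stmt[0] if stmt else "?")
            stmt = []
        elif tok == "}":
            if stack:
                stack.pop()
            stmt = []
        elif tok == ";":
            if len(stmt) >= 2 and stack:
                scope = stack[-1]
                if stmt[0] == "dnssec-policy":
                    policies.append((scope, stmt[1].strip('"')))
                elif stmt[0] == "file" and scope.startswith("zone "):
                    zone_files[scope[5:]] = stmt[1].strip('"')
            stmt = []
        else:
            stmt.append(tok)
    return policies, zone_files


def check(conf_text):
    """Return a list of warnings; an empty list means the layout is safe."""
    policies, zone_files = parse_named_conf(conf_text)
    warnings = []
    global_policies = [p for scope, p in policies if scope == "options"]
    for p in global_policies:
        warnings.append(f"dnssec-policy '{p}' in options {{}} applies to every zone")
    if global_policies:
        # Every zone under the read-only directory would need a .jnl named cannot create.
        for zone, path in sorted(zone_files.items()):
            if path.startswith(READ_ONLY_PREFIX):
                warnings.append(f"zone {zone}: file {path} is under {READ_ONLY_PREFIX}; "
                                "named cannot create its .jnl there")
    return warnings


if __name__ == "__main__":
    for name, conf in (("risky", RISKY_CONF), ("safe", SAFE_CONF)):
        print(name, "->", check(conf) or "ok")
```

To run it against a real server, feed it the concatenation of named.conf and the files it includes (the script does not follow include statements), and treat any warning as a reason to move the directive into the zone {} stanzas before restarting named.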
However, if you put the dnssec-policy usage directive in the
zone {} stanzas instead, it's absolutely brilliant.
So, go nuts. DNSSEC all the zones!
Well, not *ALL* the zones.
You know what I mean. :-)
cheers,
raf