Configure insecure master zone “inline.test.” and allow dynamic updates for it.
zone "inline.test" in {
    type master;
    file "inline.test.db";
    allow-update { any; };
};
Do a dynamic update:
# nsupdate << EOF
update add a.inline.test. 3600 IN A 10.0.0.1
send
EOF
Shut down the server:
# rndc halt
Enable in-line signing for zone inline.test. and start the server:
zone "inline.test" in {
    type master;
    file "inline.test.db";
    key-directory "/var/named/keys";
    allow-update { any; };
    auto-dnssec maintain;
    inline-signing yes;
};
Shut down the server again:
# rndc halt
Disable in-line signing for zone inline.test. and start the server.
Do more dynamic updates:
# nsupdate << EOF
update del a.inline.test. 3600 IN A 10.0.0.1
send
update add a.inline.test. 3600 IN A 10.0.0.2
send
EOF
Shut down the server once again:
# rndc halt
Enable in-line signing for zone inline.test. and start the server.
See what happened:
# dig a.inline.test
;; ANSWER SECTION:
a.inline.test. 3600 IN A 10.0.0.1
a.inline.test. 3600 IN A 10.0.0.2
IMHO the problem is that receive_secure_db() doesn't record the source serial in the secure zone's journal. Consequently, receive_secure_serial() re-reads more journal records than it should. As a result, the dns_diff_appendminimal() calls in sync_secure_journal() coalesce changes which should not be coalesced.
In the example above it means that the sequence:
update add a.inline.test. 3600 IN A 10.0.0.1
update del a.inline.test. 3600 IN A 10.0.0.1
is deleted from the diff to be applied to the secure zone.
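The following is an added Python model of the coalescing described above; it is not BIND's code. A constructed raw-zone journal is replayed into the secure zone twice, once from the correct recorded source serial and once from a stale one, with the serial numbers and function names being assumptions made for the model.

```python
# Constructed raw-zone journal for the steps above: (raw serial, op, RR).
RAW_JOURNAL = [
    (2, "add", "a.inline.test. 3600 IN A 10.0.0.1"),
    (3, "del", "a.inline.test. 3600 IN A 10.0.0.1"),
    (4, "add", "a.inline.test. 3600 IN A 10.0.0.2"),
]

# Secure zone as left by the first in-line signing run (raw serial 2 at that time).
SECURE_ZONE = frozenset({"a.inline.test. 3600 IN A 10.0.0.1"})


def append_minimal(diff, op, rr):
    """Model of dns_diff_appendminimal(): an add and a del of the same RR cancel out."""
    opposite = "del" if op == "add" else "add"
    if (opposite, rr) in diff:
        diff.remove((opposite, rr))
    else:
        diff.append((op, rr))


def build_diff(from_serial):
    """Coalesce every journal record newer than from_serial, as sync_secure_journal() does."""
    diff = []
    for serial, op, rr in RAW_JOURNAL:
        if serial > from_serial:
            append_minimal(diff, op, rr)
    return diff


def apply_diff(zone, diff):
    """Apply the coalesced add/del records to a set of RRs."""
    zone = set(zone)
    for op, rr in diff:
        if op == "add":
            zone.add(rr)
        else:
            zone.discard(rr)
    return zone


def resync(recorded_source_serial):
    """Secure zone after replaying raw journal records newer than the recorded source serial."""
    return apply_diff(SECURE_ZONE, build_diff(recorded_source_serial))


def correct_result():
    # Source serial 2 was recorded: only serials 3 and 4 replay (del 10.0.0.1, add 10.0.0.2).
    return resync(2)


def buggy_result():
    # Source serial never recorded: replay starts at the beginning, the add/del pair for
    # 10.0.0.1 cancels out, only "add 10.0.0.2" is applied and both A records remain.
    return resync(0)
```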