[opensuse] Who is killing my bind on tumbleweed?
Hi all,

I'm trying to migrate my local DNS server from an old, but correctly(!) working server to a more up-to-date machine.

New machine:

    lsb_release -a
    LSB Version:    n/a
    Distributor ID: openSUSE
    Description:    openSUSE Tumbleweed
    Release:        20201021

    dig -v
    DiG 9.16.6

1) Even though I enabled named with systemctl, after a reboot it does not start automatically.

2) After I start named, the daemon IS running, as shown by systemctl status, journalctl -u named, or lsof -i -n -P:

    systemctl status named
    ● named.service - Berkeley Internet Name Domain (DNS)
         Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
         Active: active (running) since Fri 2020-10-23 14:24:37 CEST; 8s ago
        Process: 7981 ExecStart=/usr/sbin/named.init start (code=exited, status=0/SUCCESS)
       Main PID: 8022 (named)
          Tasks: 14 (limit: 4915)
         Memory: 67.1M
         CGroup: /system.slice/named.service
                 └─8022 /usr/sbin/named -t /var/lib/named -u named

    Oct 23 14:24:37 fw11 named[8022]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
    Oct 23 14:24:37 fw11 named[8022]: automatic empty zone: EMPTY.AS112.ARPA
    Oct 23 14:24:37 fw11 named[8022]: automatic empty zone: HOME.ARPA
    Oct 23 14:24:37 fw11 named[8022]: none:98: 'max-cache-size 90%' - setting to 7071MB (out of 7857MB)
    Oct 23 14:24:37 fw11 named[8022]: configuring command channel from '/etc/rndc.key'
    Oct 23 14:24:37 fw11 named[8022]: command channel listening on 127.0.0.1#953
    Oct 23 14:24:37 fw11 named[8022]: configuring command channel from '/etc/rndc.key'
    Oct 23 14:24:37 fw11 named[8022]: command channel listening on ::1#953
    Oct 23 14:24:37 fw11 named.init[7981]: Starting name server BIND
    Oct 23 14:24:37 fw11 systemd[1]: Started Berkeley Internet Name Domain (DNS).

All seems to be running and listening fine, however:

3) Each query kills the daemon without clear indication; bind's log file remains empty, and what journalctl tells me is just as helpful :-)

    Oct 23 14:07:10 fw11 systemd[1]: named.service: Main process exited, code=killed, status=6/ABRT
    Oct 23 14:07:10 fw11 systemd[1]: named.service: Failed with result 'signal'.

4) From the archive here, some suggested to do "dnssec-enable no;", but that does not help either.

Any suggestion?

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org

On 23.10.20 14:27, suse@a-domani.nl wrote:
> Hi all,
>
> I'm trying to migrate my local DNS server from an old, but correctly(!) working server to a more up-to-date machine.
>
> New machine:
>
>     lsb_release -a
>     LSB Version:    n/a
>     Distributor ID: openSUSE
>     Description:    openSUSE Tumbleweed
>     Release:        20201021
>
>     dig -v
>     DiG 9.16.6
>
> 1) Even though I enabled named with systemctl, after a reboot it does not start automatically.

We're working on this issue.

> 4) From the archive here, some suggested to do "dnssec-enable no;", but that does not help either.

"dnssec-enable" is not supported any more; try setting "dnssec-validation" explicitly to "no". If this helps, one of your forwarders does not support DNSSEC (which is a security issue on its own) so bind/named does not run properly. The best solution is to use only forwarders which support DNSSEC. You can check if a forwarder does this by running the command

    dig dnskey . +dnssec @<forwarder-ip>

The response must contain "RRSIG DNSKEY" on at least one of the keys in the answer section.

We haven't seen it crash in these cases, just that it doesn't resolve names any more (*)

Josef

(*) As at least one forwarder does not support DNSSEC, the validity of a response cannot be guaranteed, so for the sake of security it does not resolve anything any more.

--
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany

(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer

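The forwarder check described in the message above, as an added example that is not part of the original thread: it reads `dig dnskey . +dnssec` output and reports whether the answer section carries an RRSIG covering DNSKEY. The function names and the two sample responses are constructed for illustration; key and signature data are placeholders.

```shell
#!/bin/sh
# Added example: section-aware check for "RRSIG DNSKEY" in dig output.

# Reads the output of `dig dnskey . +dnssec @<forwarder-ip>` on stdin.
# Returns 0 only if the ANSWER section holds an RRSIG covering DNSKEY.
has_rrsig_dnskey() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ || /^$/         { in_answer = 0 }
        in_answer && $4 == "RRSIG" && $5 == "DNSKEY" { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Prints a one-line verdict for the dig output on stdin; $1 is a label.
report() {
    if has_rrsig_dnskey; then
        echo "$1: RRSIG DNSKEY present"
    else
        echo "$1: no RRSIG DNSKEY in answer section"
        return 1
    fi
}

# Live check of one forwarder (needs dig and network access; not run here).
check_forwarder() {
    dig dnskey . +dnssec +time=3 +tries=1 @"$1" | report "$1"
}

# Constructed sample responses (key and signature data are placeholders).
SAMPLE_SIGNED=';; ANSWER SECTION:
. 172800 IN DNSKEY 257 3 8 PLACEHOLDERKEY==
. 172800 IN RRSIG DNSKEY 8 0 172800 20201111000000 20201021000000 20326 . PLACEHOLDERSIG==

;; Query time: 12 msec'

SAMPLE_UNSIGNED=';; ANSWER SECTION:
. 172800 IN DNSKEY 257 3 8 PLACEHOLDERKEY==

;; Query time: 12 msec'

printf '%s\n' "$SAMPLE_SIGNED"   | report "signed sample"
printf '%s\n' "$SAMPLE_UNSIGNED" | report "unsigned sample" || true
```

For a real forwarder list, call `check_forwarder` once per address from the `forwarders { ... };` statement.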
Hi Josef,

On 2020-10-23 14:36, Josef Moellers wrote:
> On 23.10.20 14:27, suse@a-domani.nl wrote:
>> Hi all,
>>
>> I'm trying to migrate my local DNS server from an old, but correctly(!)
>>
>> 1) Even though I enabled named with systemctl, after a reboot it does not start automatically.
>
> We're working on this issue.

Ok, I'm grateful for this.

>> 4) From the archive here, some suggested to do "dnssec-enable no;", but that does not help either.
>
> "dnssec-enable" is not supported any more; try setting "dnssec-validation" explicitly to "no".

Ok, added it, but no difference.

> If this helps, one of your forwarders does not support DNSSEC (which is a security issue on its own) so bind/named does not run properly. The best solution is to use only forwarders which support DNSSEC. You can check if a forwarder does this by running the command
>
>     dig dnskey . +dnssec @<forwarder-ip>
>
> The response must contain "RRSIG DNSKEY" on at least one of the keys in the answer section.
>
> We haven't seen it crash in these cases, just that it doesn't resolve names any more (*)
>
> Josef
>
> (*) As at least one forwarder does not support DNSSEC, the validity of a response cannot be guaranteed, so for the sake of security it does not resolve anything any more.

OK, this could have been something, as it was pointing to my other internal DNS server, so I changed it to

    forwarders { 8.8.8.8; 8.8.4.4; 1.1.1.1; };

They all have those "RRSIG DNSKEY" lines.

    netconfig update -f
    systemctl restart named

But, alas, journalctl -u only tells me:

    Oct 23 15:11:27 fw11 systemd[1]: Started Berkeley Internet Name Domain (DNS).
    Oct 23 15:11:39 fw11 systemd[1]: named.service: Main process exited, code=killed, status=6/ABRT
    Oct 23 15:11:39 fw11 systemd[1]: named.service: Failed with result 'signal'.

(in that 12-second gap, I did a "dig", causing the departure of bind)

I fully understand that I probably made some silly typo in one of the records or config files, though the fact that no warning or error lines are written makes it hard to tackle.

On 10/23/20 3:33 PM, suse@a-domani.nl wrote:
> But, alas, journalctl -u only tells me:
>
>     Oct 23 15:11:27 fw11 systemd[1]: Started Berkeley Internet Name Domain (DNS).
>     Oct 23 15:11:39 fw11 systemd[1]: named.service: Main process exited, code=killed, status=6/ABRT
>     Oct 23 15:11:39 fw11 systemd[1]: named.service: Failed with result 'signal'.
>
> (in that 12-second gap, I did a "dig", causing the departure of bind)
>
> I fully understand that I probably made some silly typo in one of the records or config files, though the fact that no warning or error lines are written makes it hard to tackle.

If you are interested, attach a debugger to named. I do not believe that the problem here is related to any forwarders or configuration as the daemon quits with an abort().

I suspect some not updated library is causing an issue for you. Did you try to run `zypper ref` and `zypper dup`?

- Adam

On 2020-10-23 15:59, Adam Majer wrote:
> On 10/23/20 3:33 PM, suse@a-domani.nl wrote:
>> But, alas, journalctl -u only tells me:
>>
>>     Oct 23 15:11:27 fw11 systemd[1]: Started Berkeley Internet Name Domain (DNS).
>>     Oct 23 15:11:39 fw11 systemd[1]: named.service: Main process exited, code=killed, status=6/ABRT
>>     Oct 23 15:11:39 fw11 systemd[1]: named.service: Failed with result 'signal'.
>>
>> (in that 12-second gap, I did a "dig", causing the departure of bind)
>>
>> I fully understand that I probably made some silly typo in one of the records or config files, though the fact that no warning or error lines are written makes it hard to tackle.
>
> If you are interested, attach a debugger to named. I do not believe that the problem here is related to any forwarders or configuration as the daemon quits with an abort().
>
> I suspect some not updated library is causing an issue for you. Did you try to run `zypper ref` and `zypper dup`?
>
> - Adam

I did a zypper up... and a required reboot due to kernel change (so I thought I was safe).

Your lines resulting in:

    Removing libdns1603-9.16.4-1.1.x86_64

Seems to do the trick.

Thank you very much. I dare breathing again. I know I have to take a fair amount of steps, and all depends on a properly working DNS, so I was at wits' end :-)

On 10/23/20 4:19 PM, suse@a-domani.nl wrote:
> I did a zypper up... and a required reboot due to kernel change (so I thought I was safe).
>
> Your lines resulting in:
>
>     Removing libdns1603-9.16.4-1.1.x86_64
>
> Seems to do the trick.
>
> Thank you very much. I dare breathing again. I know I have to take a fair amount of steps, and all depends on a properly working DNS, so I was at wits' end :-)

For Tumbleweed, the only safe way of doing upgrades is `zypper dup` and never with just update. Otherwise you will always get yourself in these situations where things are failing for weird reasons. The cause of this is that Tumbleweed can roll back versions that otherwise are updates, packages can disappear, etc. Every update of Tumbleweed is the same as upgrading to a new version of a distro ;)

So remember, `zypper dup` is your friend on Tumbleweed, even if you do that every day.

- Adam

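A leftover library like the one removed in this thread can be spotted by comparing package versions; the following is an added example, not code from the thread or from openSUSE. It assumes the library subpackages are built from the `bind` source package and that the installed `bind` package matches the DiG 9.16.6 shown earlier; the function name and the package lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: list packages left behind from an older BIND build.
# Assumed input: one "name version source-rpm" line per package, e.g. from
#   rpm -qa --qf '%{NAME} %{VERSION} %{SOURCERPM}\n'

stale_bind_packages() {
    awk '
        # Keep only packages built from the bind source package.
        $3 ~ /^bind-[0-9]/ { ver[$1] = $2 }
        END {
            if (!("bind" in ver)) exit      # no bind package: nothing to compare
            for (p in ver)
                if (ver[p] != ver["bind"])
                    print p "-" ver[p] " (bind is " ver["bind"] ")"
        }
    ' | sort
}

# Constructed package lists modelled on the versions quoted in the thread.
SAMPLE_BEFORE_DUP='bind 9.16.6 bind-9.16.6-1.1.src.rpm
bind-utils 9.16.6 bind-9.16.6-1.1.src.rpm
libdns1603 9.16.4 bind-9.16.4-1.1.src.rpm
unrelated-pkg 1.0 unrelated-pkg-1.0-1.1.src.rpm'

SAMPLE_AFTER_DUP='bind 9.16.6 bind-9.16.6-1.1.src.rpm
bind-utils 9.16.6 bind-9.16.6-1.1.src.rpm
unrelated-pkg 1.0 unrelated-pkg-1.0-1.1.src.rpm'

echo "before dup:"
printf '%s\n' "$SAMPLE_BEFORE_DUP" | stale_bind_packages
echo "after dup:"
printf '%s\n' "$SAMPLE_AFTER_DUP" | stale_bind_packages
```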
participants (3)
- Adam Majer
- Josef Moellers
- suse@a-domani.nl