Package: bind9
Version: 1:9.16.2-3
Severity: critical
Justification: breaks unrelated software

Dear Maintainer,

Life was good on my DNS server until my recent update to 9.16.2-3.
After upgrading, the exact configuration that was happy now fails to
start. Example:

# named -g -u bind
26-Apr-2020 17:25:50.861 starting BIND 9.16.2-Debian (Stable Release) <id:b310dc7>
26-Apr-2020 17:25:50.861 running on Linux x86_64 5.5.0-2-amd64 #1 SMP Debian 5.5.17-1 (2020-04-15)
26-Apr-2020 17:25:50.861 built with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-libjson-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-Co3jFO/bind9-9.16.2=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
26-Apr-2020 17:25:50.861 running as: named -g -u bind
26-Apr-2020 17:25:50.861 compiled by GCC 9.3.0
26-Apr-2020 17:25:50.861 compiled with OpenSSL version: OpenSSL 1.1.1g  21 Apr 2020
26-Apr-2020 17:25:50.861 linked to OpenSSL version: OpenSSL 1.1.1g  21 Apr 2020
26-Apr-2020 17:25:50.861 compiled with libxml2 version: 2.9.10
26-Apr-2020 17:25:50.861 linked to libxml2 version: 20910
26-Apr-2020 17:25:50.861 compiled with json-c version: 0.13.1
26-Apr-2020 17:25:50.861 linked to json-c version: 0.13.1
26-Apr-2020 17:25:50.861 compiled with zlib version: 1.2.11
26-Apr-2020 17:25:50.861 linked to zlib version: 1.2.11
26-Apr-2020 17:25:50.861 ----------------------------------------------------
26-Apr-2020 17:25:50.861 BIND 9 is maintained by Internet Systems Consortium,
26-Apr-2020 17:25:50.861 Inc. (ISC), a non-profit 501(c)(3) public-benefit
26-Apr-2020 17:25:50.861 corporation.  Support and training for BIND 9 are
26-Apr-2020 17:25:50.861 available at https://www.isc.org/support
26-Apr-2020 17:25:50.861 ----------------------------------------------------
26-Apr-2020 17:25:50.861 found 8 CPUs, using 8 worker threads
26-Apr-2020 17:25:50.861 using 8 UDP listeners per interface
26-Apr-2020 17:25:50.869 using up to 21000 sockets
26-Apr-2020 17:25:50.877 loading configuration from '/etc/bind/named.conf'
26-Apr-2020 17:25:50.881 reading built-in trust anchors from file '/etc/bind/bind.keys'
26-Apr-2020 17:25:50.901 looking for GeoIP2 databases in '/usr/share/GeoIP'
26-Apr-2020 17:25:50.901 using default UDP/IPv4 port range: [1024, 65535]
26-Apr-2020 17:25:50.905 using default UDP/IPv6 port range: [1024, 65535]
26-Apr-2020 17:25:50.905 listening on IPv4 interface lo, 127.0.0.1#5353
26-Apr-2020 17:25:50.913 listening on IPv4 interface br0, 16.1.1.3#5353
26-Apr-2020 17:25:50.917 listening on IPv6 interface lo, ::1#5353
26-Apr-2020 17:25:50.921 unable to set effective uid to 0: Operation not permitted
26-Apr-2020 17:25:50.921 Could not open '//run/named/named.pid'.
26-Apr-2020 17:25:50.921 Please check file and directory permissions or reconfigure the filename.
26-Apr-2020 17:25:50.921 could not open file '//run/named/named.pid': Permission denied
26-Apr-2020 17:25:50.921 generating session key for dynamic DNS
26-Apr-2020 17:25:50.929 unable to set effective uid to 0: Operation not permitted
26-Apr-2020 17:25:50.929 Could not open '//run/named/session.key'.
26-Apr-2020 17:25:50.929 Please check file and directory permissions or reconfigure the filename.
26-Apr-2020 17:25:50.929 could not open file '//run/named/session.key': Permission denied
26-Apr-2020 17:25:50.929 could not create //run/named/session.key
26-Apr-2020 17:25:50.929 failed to generate session key for dynamic DNS: permission denied
26-Apr-2020 17:25:50.929 sizing zone task pool based on 29 zones
26-Apr-2020 17:25:50.933 could not configure root hints from '/usr/share/dns/root.hints': permission denied
26-Apr-2020 17:25:50.957 loading configuration: permission denied
26-Apr-2020 17:25:50.957 exiting (due to fatal error)

Usability of the entire system (and in fact, all systems on the home network) is
impaired, as the primary DNS server is unresponsive and failover to the secondary
server (after the query to the primary times out) induces a noticeable delay in
DNS lookups (and consequently nearly all network operations).

I am reverting to previous bind9 package as soon as I file this report. :-(

Thanks,
-Scott

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bind9 depends on:
ii  adduser                3.118
ii  bind9-libs             1:9.16.2-3
ii  bind9-utils            1:9.16.2-3
ii  debconf [debconf-2.0]  1.5.74
ii  dns-root-data          2019052802
ii  init-system-helpers    1.57
ii  iproute2               5.6.0-1
ii  libc6                  2.30-4
ii  libcap2                1:2.33-1
ii  libfstrm0              0.6.0-1+b1
ii  libjson-c4             0.13.1+dfsg-7
ii  liblmdb0               0.9.24-1
ii  libmaxminddb0          1.3.2-1
ii  libprotobuf-c1         1.3.3-1+b1
ii  libssl1.1              1.1.1g-1
ii  libxml2                2.9.10+dfsg-5
ii  lsb-base               11.1.0
ii  netbase                6.1
ii  zlib1g                 1:1.2.11.dfsg-2

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind-doc                   <none>
ii  bind9-dnsutils [dnsutils]  1:9.16.2-3
ii  dnsutils                   1:9.16.2-3
pn  resolvconf                 <none>
pn  ufw                        <none>

-- Configuration Files:
/etc/bind/named.conf.local changed:
//
// Do any local configuration here
//
zone "bailey" {
        type master;
        file "/etc/bind/db.bailey";
};
zone "troy.cartasoft.com" {
        type master;
        file "/etc/bind/db.troy";
};
zone "ldap.troy.cartasoft.com" {
        type master;
        file "/etc/bind/db.ldap";
};
zone "1.1.16.in-addr.arpa" {
        type master;
        file "/etc/bind/db.16.1.1";
};
zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192.168.1";
};
zone "200.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192.168.200";
};
// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";

/etc/bind/named.conf.options changed:
options {
        directory "/var/cache/bind";
// RSB 1/6/2016 - Use nonstandard port 5353 so there is no conflict with
// dnsmasq, and also basically no chance anybody will query us directly
// instead of using dnsmasq (which apparently is more unflappable)...
// RSB 9/18/2016 - Open external address too for razzleb to query
        listen-on port 5353 { 127.0.0.1; 16.1.1.3; };
        listen-on-v6 port 5353 { ::1; };
        // If there is a firewall between you and nameservers you want
        // to talk to, you might need to uncomment the query-source
        // directive below.  Previous versions of BIND always asked
        // questions using port 53, but BIND 8.1 and later use an unprivileged
        // port by default.
        // query-source address * port 53;
        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.
        auth-nxdomain no;    # conform to RFC1035
};
// Added manually RSB 2/27/2008 
include "/etc/bind/rndc.key";
controls {
        inet 127.0.0.1 allow { localhost; };
};
// Added manually RSB 1/6/2016
//logging {
//      channel buzz_channel {
//              file "/var/log/named.log";
//              severity debug;
//              print-category yes;
//              print-severity yes;
//              print-time yes;
//      };
//      category default {
//              buzz_channel;
//      };
//      category queries {
//              buzz_channel;
//      };
//};


-- debconf information:
  bind9/different-configuration-file:
  bind9/start-as-user: bind
  bind9/run-resolvconf: false
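The log above shows the failure mode: once `named -u bind` has dropped privileges it reports "unable to set effective uid to 0", so it can no longer switch back to root to create `//run/named/named.pid` and `//run/named/session.key`, and every path it opens after that point must be accessible to the `bind` user by plain mode bits. The following pre-flight check is an added example, not part of this bug report or of the Debian package: it evaluates owner/group/other mode bits for a given user against the paths that this report's log and `named.conf.options` show named opening after the privilege drop (`/run/named`, `/var/cache/bind`, `/etc/bind/named.conf`, `/etc/bind/rndc.key`, `/usr/share/dns/root.hints`). It assumes GNU coreutils (`stat -c`, `id -G`) and models discretionary permissions only; it does not account for POSIX ACLs, the AppArmor profile, or the fact that a process still running as uid 0 bypasses DAC.

```shell
#!/bin/sh
# Added example, not from the bug report or the bind9 package. Assumes
# GNU coreutils (stat -c, id -G). Models owner/group/other mode bits only.

# can_access USER PATH BITS
#   BITS is one octal permission digit: 4=read, 2=write, 1=search/exec,
#   3=write+search (what creating a file in a directory needs), and so on.
#   Returns 0 if USER has every bit in BITS on PATH, 1 if not, 2 if PATH or
#   USER does not exist.
can_access() {
    ca_user=$1; ca_path=$2; ca_bits=$3
    [ -e "$ca_path" ] || return 2
    ca_uid=$(id -u "$ca_user" 2>/dev/null) || return 2
    ca_groups=$(id -G "$ca_user")
    set -- $(stat -c '%u %g %a' "$ca_path")
    ca_fuid=$1; ca_fgid=$2; ca_mode=$3
    # Keep the last three octal digits (drops a leading setuid/setgid/sticky digit).
    ca_mode=${ca_mode#${ca_mode%???}}
    ca_owner=${ca_mode%??}; ca_rest=${ca_mode#?}
    ca_group=${ca_rest%?};  ca_other=${ca_rest#?}
    # Pick the permission class the way the kernel does: owner first, then
    # group membership, otherwise "other".
    if [ "$ca_uid" -eq "$ca_fuid" ]; then
        ca_digit=$ca_owner
    else
        ca_digit=$ca_other
        for g in $ca_groups; do
            if [ "$g" -eq "$ca_fgid" ]; then
                ca_digit=$ca_group
                break
            fi
        done
    fi
    [ $(( ca_digit & ca_bits )) -eq "$ca_bits" ]
}

# named_preflight USER
#   Checks the paths this report's named touches after dropping to USER.
#   Prints one line per path and returns 1 if any check fails.
named_preflight() {
    np_user=$1; np_rc=0
    # Format: PATH BITS REASON (paths taken from the log and named.conf.options above)
    while read -r np_path np_bits np_why; do
        if can_access "$np_user" "$np_path" "$np_bits"; then
            echo "ok    $np_path ($np_why)"
        else
            echo "FAIL  $np_path ($np_why)"; np_rc=1
        fi
    done <<EOF
/run/named 3 create named.pid and session.key
/var/cache/bind 3 working directory from 'directory' option
/etc/bind/named.conf 4 main configuration
/etc/bind/rndc.key 4 included controls key
/usr/share/dns/root.hints 4 root hints
EOF
    return $np_rc
}

# Usage: sh named-preflight.sh bind
if [ -n "${1:-}" ]; then
    named_preflight "$1"
fi
```

Run it as `sh named-preflight.sh bind` before starting `named -u bind`; a FAIL on `/run/named` is exactly the condition that produced the "Permission denied" lines for `named.pid` and `session.key` in the log above, and the later root-hints and configuration failures follow from the same dropped-privilege state. Because the check is a pure function of the mode bits, it gives the same answer whether or not you run it as root, which is what you want when reasoning about a daemon that has already given up uid 0.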
