Package: bind9
Version: 1:9.19.17-1
Severity: normal

I've got a bind configuration that's been around for many years at
this point.  I noticed today that named had failed to restart at some
time in the past.  There was nothing in /var/log/bind from after it had
shut down, and nothing visible in systemctl status or in
journalctl -xeu named.service apart from a note of a bad return code.
Running named -g in the foreground showed it complaining about these
lines in my named.conf.local:

zone "com" { type delegation-only; };
zone "net" { type delegation-only; };

I don't have a memory of why or when I added these (maybe when bad
lookups suddenly were redirecting to advertising?), but
https://bind9.readthedocs.io/en/v9.18.18/notes.html mentions the
delegation-only option being deprecated.  So, not great that it was
hard to debug, but it's probably peculiar to my configuration.  (In
hindsight, running named-checkconf against the configuration should
flag a rejected statement like this without having to start the
daemon.)  I thought it was worth filing a bug in case anyone else runs
across this.

My fix was simply to remove those two lines since they do not
appear to be relevant any more.  If support for delegation-only has
indeed been removed, it seems a little strange it's not in the bind
release notes etc.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0-2-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bind9 depends on:
ii  adduser                    3.137
ii  bind9-libs                 1:9.19.17-1
ii  bind9-utils                1:9.19.17-1
ii  debconf [debconf-2.0]      1.5.82
ii  dns-root-data              2023010101
ii  init-system-helpers        1.65.2
ii  iproute2                   6.5.0-4
ii  libc6                      2.37-12
ii  libcap2                    1:2.66-4
ii  libfstrm0                  0.6.1-1
ii  libjson-c5                 0.17-1
ii  liblmdb0                   0.9.31-1
ii  libmaxminddb0              1.7.1-1
ii  libnghttp2-14              1.57.0-1
ii  libprotobuf-c1             1.4.1-1+b1
ii  libssl3                    3.0.11-1
ii  libsystemd0                254.5-1
ii  libuv1                     1.46.0-2
ii  libxml2                    2.9.14+dfsg-1.3
ii  lsb-base                   11.6
ii  netbase                    6.4
ii  sysvinit-utils [lsb-base]  3.08-3
ii  zlib1g                     1:1.2.13.dfsg-3

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind-doc                   <none>
ii  bind9-dnsutils [dnsutils]  1:9.19.17-1
ii  dnsutils                   1:9.19.17-1
ii  resolvconf                 1.91+nmu1
pn  ufw                        <none>

-- Configuration Files:
/etc/apparmor.d/local/usr.sbin.named changed:
/etc/opendkim/keys/** r,
/var/log/bind/** rw,
/var/log/bind/ rw,
/run/named/ rwm,
/etc/bind/named.conf changed:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
//include "/etc/bind/named.conf.keys";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

/etc/bind/named.conf.local changed:
//
// Do any local configuration here
//
// $Id: named.conf.local,v 1.5 2014/03/11 15:37:22 root Exp chris $
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
//zone "com" { type delegation-only; };
//zone "net" { type delegation-only; };
// reduce log verbosity on issues outside our control
// Logging setup: general messages go to syslog, the debug channel and a
// rotated file; queries go to their own rotated file.
// NOTE(review): these channels only exist once named has loaded its
// configuration, so a startup parse error would presumably never reach
// /var/log/bind; confirm against the failure described in the report.
logging {
  // General-purpose file channel; "versions 3 size 10m" bounds how much is kept.
  channel default_file {
    file "/var/log/bind/named.log" versions 3 size 10m;
    print-time yes;
    print-category yes;
  };
  
//  category default  { default_syslog; default_debug; };
  category default  { default_syslog; default_debug;  default_file; };
//  category panic    { default_syslog; default_stderr; default_file; };
//  category packet   {                 default_debug; };
//  category eventlib {                 default_debug; };
  // These two categories are discarded entirely (sent to the null channel).
  category lame-servers { null; };
  category edns-disabled { null; };
//  category cname { null; };
  // Dedicated channel for the queries category.
  // NOTE(review): query logs presumably record client addresses and the
  // names they asked for, so treat queries.log as sensitive; verify that
  // file permissions and retention match that.
  channel querylog {
    file "/var/log/bind/queries.log" versions 3 size 10m;
    print-time yes;
  };
  category queries { querylog; };
};
/// Masters
zone "snurgle.org" {
  type master;
  file "/etc/bind/snurgle.db";
};
      
zone "snurgle.com" {
  type master;
  file "/etc/bind/snurglecom.db";
};
            
zone "chiappa.net" {
  type master;
  file "/etc/bind/chiappa.db";
};
zone "chiap.com.pa" {
  type master;
  file "/etc/bind/chiapcompa.db";
};
zone "noelie.org" {
  type master;
  file "/etc/bind/noelie.db";
};
zone "oliverhenry.net" {
  type master;
  file "/etc/bind/oliverhenry.db";
};
zone "chiappa-blanco.com" {
  type master;
  file "/etc/bind/chiappablanco.db";
};
//zone "bostoncommoners.org" {
//  type master;
//  file "/etc/bind/bcfc.db";
//};
      
//zone "barelyunited.org" {
//  type master;
//  file "/etc/bind/barelyunited.db";
//};
            
//zone "i-still-live.org" {
//  type master;
//  file "/etc/bind/istilllive.db";
//};
                  
//zone "naan.org" {
//   type master;
//   file "/etc/bind/naan.db";
//};
                  
zone "roboticschick.org" {
  type master;
  file "/etc/bind/robochick.db";
};
zone "laurelriek.org" {
  type master;
  file "/etc/bind/laurel.db";
};
//zone "tropnevad.org" {
//   type slave;
//   file "tropnevad.ca";
//   masters {
//      66.92.66.179;
//   };
//};
//zone "media-pipe.com" {
//  type master;
//  file "/etc/bind/mediapipe.db";
//};
//zone "waterbedband.com" {
//  type master;
//  file "/etc/bind/waterbedband.db";
//};
// Secondary zone: its contents are transferred from the single primary
// listed under masters.  No TSIG key is named on that entry, so the
// transfer peer is identified by IP address only.
zone "bigw.org" {
  type slave;
  file "bigw.ca";
  masters {
    50.244.203.196;
  };
};

/etc/bind/named.conf.options changed:
// Address-match list referenced by allow-transfer and allow-recursion in
// the options block of this file.  Membership is decided by source
// address alone; the list names no keys.
acl "good-guys" {
        10.1/16;
        127/8;
        localhost;
//      72.93.243.58;
//      72.93.243.59;
//      72.93.243.60;
//      71.174.62.45;
//        74.104.148.229;
        108.7.58.73;
        71.19.149.58; // cirrus
        2605:2700:0:5::4713:953a;
        71.19.144.99; // stratus
        2605:2700:0:2::4713:9063;
};
// Global server options.  Queries are accepted from anyone, while
// recursion and zone transfers are limited to the "good-guys" ACL.
options {
        directory "/var/cache/bind";
        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.
        // forwarders {
        //      0.0.0.0;
        // };
        auth-nxdomain no;    # conform to RFC1035
        //listen-on-v6 { any; };
        // Zone transfers are gated by source address only; the ACL names no key.
        allow-transfer  { "good-guys"; };
        // Any client may send queries; the allow-recursion limit on the next
        // line is what keeps the server from recursing for arbitrary clients.
        allow-query     { any; };
        allow-recursion { "good-guys"; };
        // NOTE(review): DNSSEC validation is switched off, so recursive
        // answers handed to the ACL's clients are not validated.
        // "dnssec-validation auto;" is the setting that validates against
        // the built-in root trust anchor; confirm "no" is still intended.
        dnssec-validation no;
        statistics-file "/var/run/named/named.stats";
};


-- debconf information:
  bind9/different-configuration-file:
  bind9/run-resolvconf: false
  bind9/start-as-user: bind
