Red Hat Bugzilla – Bug 608362
latest bind update references non-existent DNSSEC files, kills server
Last modified: 2013-07-02 22:37:51 EDT
Created attachment 427161 [details]
post-upgrade named.conf, including non-existent (non-shipped) files
Description of problem:
Fedora 12 update to latest bind killed all DNS resolution on my network. The update added references to non-existent files.
1) include files appended to my existing /etc/named.conf did not exist:
2) include files referenced in /etc/named.dnssec.keys did not exist either:
3) By including the one file that DOES exist, /etc/named.iscdlv.key, I was able to get the server working again.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. run a minimal named.conf (similar to the attached)
2. upgrade Fedora 12 bind to latest
3. watch DNS resolution fail, due to included files not existing
Actual results:
server will not start
Expected results:
server will start and resolve addresses
See attached named.conf. IMPORTANT NOTE: This named.conf is post-upgrade version, hacked to work as described in #3 at top. I do not have a backup of the pre-upgrade version.
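The failure mode in this report, an include directive pointing at a file the package never shipped, can be caught before restarting named rather than discovered when resolution dies. The script below is an added example; it is not part of the bug report, of the attachment, or of the bind package. It walks the include chain of a named.conf (named.conf -> named.dnssec.keys -> individual key files), reports every target that does not exist, and returns non-zero so it can gate a restart. The demo configuration it builds is constructed to mirror the report (an existing named.iscdlv.key, a named.dnssec.keys that pulls in a key file that was never installed); the function names and file names are my own. It only recognises the plain `include "path";` form on its own line, and it resolves relative paths against the including file's directory, which is a simplification of BIND's own rules (use absolute paths in real configs). `named-checkconf` reports the same missing-file condition; listing the missing files rather than deleting the includes is deliberate, since an include that disappears silently also drops the trust anchors it was carrying.

```shell
#!/bin/bash
# Added example (not from the bug report or the bind package): verify that
# every file pulled in by "include" directives in a BIND named.conf exists,
# following nested includes, so a broken second-level include is caught too.
# Only the form   include "path";   on its own line is recognised. Relative
# paths are resolved against the including file's directory here, which is
# a simplification of BIND's behaviour (use absolute paths in real configs).

# Print the include targets of one config file, one per line.
# Lines starting with // or # never match the anchored pattern.
list_includes() {
    sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$1"
}

# Walk includes recursively. Prints "MISSING <path> (from <file>)" for each
# include whose target does not exist; returns 0 if all resolved, 1 otherwise.
check_includes() {
    local conf=$1 depth=${2:-0} rc=0 inc target list
    if [ "$depth" -gt 8 ]; then
        echo "include nesting too deep at $conf" >&2
        return 1
    fi
    list=$(mktemp) || return 1
    list_includes "$conf" > "$list"
    # Redirect (not a pipe) so rc survives the loop body.
    while IFS= read -r inc; do
        case $inc in
            /*) target=$inc ;;
            *)  target=$(dirname "$conf")/$inc ;;
        esac
        if [ ! -f "$target" ]; then
            echo "MISSING $target (from $conf)"
            rc=1
        elif ! check_includes "$target" $((depth + 1)); then
            rc=1
        fi
    done < "$list"
    rm -f "$list"
    return $rc
}

# Number of missing includes, for callers that want a count rather than text.
count_missing() {
    check_includes "$1" | grep -c '^MISSING' || true
}

# Constructed demo mirroring the report: named.conf includes an existing
# iscdlv key and a named.dnssec.keys that in turn includes one key file
# that exists and one that was never shipped. Prints the demo directory.
make_demo() {
    local d
    d=$(mktemp -d) || return 1
    cat > "$d/named.conf" <<EOF
options { directory "/var/named"; };
include "$d/named.iscdlv.key";
include "$d/named.dnssec.keys";
// include "$d/commented-out.key";
EOF
    echo 'trusted-keys { };' > "$d/named.iscdlv.key"
    cat > "$d/named.dnssec.keys" <<EOF
include "$d/named.root.key";
include "$d/named.dlv.key";
EOF
    echo 'trusted-keys { };' > "$d/named.root.key"
    # $d/named.dlv.key is deliberately not created (the "non-shipped" file)
    echo "$d"
}

# Run the demo: expect one MISSING line for named.dlv.key and a non-zero exit.
demo=$(make_demo)
check_includes "$demo/named.conf" || echo "named would refuse to start with this config"
rm -rf "$demo"
```

Against a live system, run `check_includes /etc/named.conf` (as root or a user that can read the key files) from a pre-restart hook; a non-zero exit means the restart should not proceed, and the MISSING lines tell you which package was supposed to ship the file.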
I'll add a 'me too' to the list, though I hit it with Fedora 11
Short version of the problem seems to be this:
unbound (the package) has pushed itself out as an obsoletes against dnssec-conf (not that I'm objecting to obsoleting dnssec-conf). So the original rpm dependency tree was:
-- dnssec-conf --+
but the spec changes to unbound makes the dependency tree now look like:
-- unbound ---- bind
Since unbound doesn't provide the files (or remove the information from the bind configuration files), DNS more or less utterly breaks. It's possible that bind won't even start without dnssec-conf being present, due to the fact that it calls into it from the init script.
Suffice it to say, unbound updating without a simultaneous update of bind is at least part of the cause of this problem.
Keep in mind that it is also absolutely essential that unauthenticatable information is not allowed to enter the DNS cache system. Filtering only at the client doesn't work due to the plethora of legacy and embedded clients.
(In reply to comment #0)
> Steps to Reproduce:
> 1. run a minimal named.conf (similar to the attached)
> 2. upgrade Fedora 12 bind to latest
> 3. watch DNS resolution fail, due to included files not existing
Can you please check if yum automatically installed the unbound package before you actually updated the bind package?
At least for me, unbound was installed automatically on several systems (F11 and F12) because of dependency resolution.
(In reply to comment #4)
> At least for me, unbound was installed automatically on several systems (F11
> and F12) because of dependency resolution.
Then this bug is a duplicate of bug #606478. Unfortunately there is nothing more I can do, as explained in https://bugzilla.redhat.com/show_bug.cgi?id=606478#c12 and https://bugzilla.redhat.com/show_bug.cgi?id=606478#c13.
*** This bug has been marked as a duplicate of bug 606478 ***