Bug 608362 - latest bind update references non-existent DNSSEC files, kills server
Status: CLOSED DUPLICATE of bug 606478
Product: Fedora
Classification: Fedora
Component: bind
Version: 12
Platform: All Linux
Priority: high
Severity: urgent
Assigned To: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-06-26 20:06 EDT by Jeff Garzik
Modified: 2013-07-02 22:37 EDT

Doc Type: Bug Fix
Last Closed: 2010-06-28 08:30:31 EDT
Attachments
post-upgrade named.conf, including non-existent (non-shipped) files (1.35 KB, application/octet-stream), 2010-06-26 20:06 EDT, Jeff Garzik

Description Jeff Garzik 2010-06-26 20:06:18 EDT
Created attachment 427161 [details]
post-upgrade named.conf, including non-existent (non-shipped) files

Description of problem:
Fedora 12 update to latest bind killed all DNS resolution on my network.  The update added references to non-existent files.

1) include files appended to my existing /etc/named.conf did not exist:
include "/etc/pki/dnssec-keys/dlv/dlv.isc.org.conf";
include "/etc/pki/dnssec-keys//named.dnssec.keys";
include "/etc/pki/dnssec-keys//dlv/dlv.isc.org.conf";

2) include files referenced in /etc/named.dnssec.keys did not exist either:
include "/etc/pki/dnssec-keys/production/bg.conf";
include "/etc/pki/dnssec-keys/production/br.conf";
include "/etc/pki/dnssec-keys/production/cz.conf";
include "/etc/pki/dnssec-keys/production/gov.conf";
include "/etc/pki/dnssec-keys/production/museum.conf";
include "/etc/pki/dnssec-keys/production/pr.conf";
include "/etc/pki/dnssec-keys/production/se.conf";

3) By including the one file that DOES exist, /etc/named.iscdlv.key, I was able to get the server working again.
Version-Release number of selected component (if applicable):
bind-9.6.2-5.P2.fc12.x86_64
bind-libs-9.6.2-5.P2.fc12.x86_64
bind-utils-9.6.2-5.P2.fc12.x86_64


How reproducible:
always

Steps to Reproduce:
1. run a minimal named.conf (similar to the attached)
2. upgrade Fedora 12 bind to latest
3. watch DNS resolution fail, due to included files not existing
Actual results:
server will not start

Expected results:
server will start and resolve addresses

Additional info:

See attached named.conf. IMPORTANT NOTE: This named.conf is the post-upgrade version, hacked to work as described in #3 at top. I do not have a backup of the pre-upgrade version.
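The failure described above is a named.conf whose include chain points at files the package no longer ships, so named refuses to start. As an added example (not from the report or the bind package), here is a small Python pre-restart check that walks the include chain recursively, normalizes the doubled slashes seen in the report, ignores commented-out directives, and lists every missing target. The directory layout and file names it builds are constructed to mirror the report, not taken from a real system.

```python
import os
import re
import tempfile

# Quoted strings are kept so the '//' inside a path is not treated as a comment; block and line comments are dropped.
TOKEN_RE = re.compile(r'"[^"\n]*"|/\*.*?\*/|(?://|#)[^\n]*', re.DOTALL)
INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"\s*;', re.MULTILINE)

def strip_comments(text):
    return TOKEN_RE.sub(lambda m: m.group(0) if m.group(0).startswith('"') else '', text)

def missing_includes(conf_path, seen=None):
    """Return every include target reachable from conf_path that is not a regular file.
    Follows nested includes, normalizes '//' in paths and skips files already visited."""
    seen = set() if seen is None else seen
    conf_path = os.path.normpath(conf_path)
    if conf_path in seen:
        return []
    seen.add(conf_path)
    if not os.path.isfile(conf_path):
        return [conf_path]
    with open(conf_path) as fh:
        targets = INCLUDE_RE.findall(strip_comments(fh.read()))
    missing = []
    for target in targets:
        missing.extend(missing_includes(target, seen))
    return missing

def build_demo_tree():
    """Constructed layout mirroring the report: one shipped key file that exists, a DLV conf
    included twice (once with '//') that does not exist, and a keys file whose own include is absent."""
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc")
    pki = os.path.join(etc, "pki", "dnssec-keys")
    os.makedirs(pki)
    with open(os.path.join(etc, "named.iscdlv.key"), "w") as fh:
        fh.write("# constructed stand-in for the shipped DLV key\n")
    with open(os.path.join(etc, "named.dnssec.keys"), "w") as fh:
        fh.write('include "%s/production/se.conf";\n' % pki)
    with open(os.path.join(etc, "named.conf"), "w") as fh:
        fh.write('options { directory "/var/named"; };\n'
                 'include "%s/named.iscdlv.key";\n'
                 '// include "%s/production/gov.conf";\n'
                 'include "%s/dlv/dlv.isc.org.conf";\n'
                 'include "%s//named.dnssec.keys";\n'
                 'include "%s//dlv/dlv.isc.org.conf";\n' % (etc, pki, pki, etc, pki))
    return os.path.join(etc, "named.conf")

if __name__ == "__main__":
    print("\n".join("missing include: " + p for p in missing_includes(build_demo_tree())))
```

Running it against a real /etc/named.conf before `service named restart` gives the same list named-checkconf would fail on, but without needing the bind binaries installed.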
Comment 1 J.H. 2010-06-27 17:53:01 EDT
I'll add a 'me too' to the list, though I hit it with Fedora 11.

Short version of the problem seems to be this:

unbound (the package) has pushed itself out as an obsoletes against dnssec-conf (not that I'm objecting to obsoleting dnssec-conf).  So the original rpm dependency tree was:

                 +-- bind
                 |
-- dnssec-conf --+
                 |
                 +-- unbound

but the spec changes to unbound make the dependency tree now look like:

-- unbound ---- bind

Since unbound doesn't provide the files (or remove the information from the bind configuration files), DNS more or less utterly breaks. It's possible that bind won't even start without dnssec-conf being present, due to the fact that it calls into it from the init script.

Suffice it to say, unbound updating without a simultaneous update of bind is at least part of the cause of this problem.
Comment 2 H. Peter Anvin 2010-06-27 18:07:24 EDT
Keep in mind that it is also absolutely essential that unauthenticatable information is not allowed to enter the DNS cache system. Filtering only at the client doesn't work due to the plethora of legacy and embedded clients.
Comment 3 Adam Tkac 2010-06-28 03:30:18 EDT
(In reply to comment #0)
> Steps to Reproduce:
> 1. run a minimal named.conf (similar to the attached)
> 2. upgrade Fedora 12 bind to latest
> 3. watch DNS resolution fail, due to included files not existing

Can you please check if yum automatically installed unbound package before you actually updated the bind package?
Comment 4 J.H. 2010-06-28 04:04:07 EDT
At least for me, unbound was installed automatically on several systems (F11 and F12) because of dependency resolution.
Comment 5 Adam Tkac 2010-06-28 08:30:31 EDT
(In reply to comment #4)
> At least for me, unbound was installed automatically on several systems (F11
> and F12) because of dependency resolution.    

Then this bug is a duplicate of bug #606478. Unfortunately there is nothing more I can do, as explained in https://bugzilla.redhat.com/show_bug.cgi?id=606478#c12 and https://bugzilla.redhat.com/show_bug.cgi?id=606478#c13.

*** This bug has been marked as a duplicate of bug 606478 ***