Package: bind9
Version: 1:9.16.15-1
Severity: important

Dear Maintainer,

Bind has a dnssec-policy {} stanza for defining your
own policy if you're feeling adventurous, but there's
also a default policy. And there's a dnssec-policy
usage directive to specify which dnssec-policy should
be applied to zones.

Bind's documentation says that the dnssec-policy usage
directive can appear either in the options {} stanza,
so as to apply to all zones, or in individual
zone {} stanzas.

My advice is:

  DO NOT PUT DNSSEC-POLICY IN THE OPTIONS {} STANZA.
  ONLY PUT DNSSEC-POLICY IN THE ZONE {} STANZAS.

I put it in the options {} stanza, not realising that
"all zones" doesn't just mean all of *my* authoritative
zones. It really means ALL zones. That means every zone in
/etc/bind/named.conf.local (i.e. my zones), as well as
every zone in /etc/bind/named.conf.default-zones, i.e.:

  localhost
  127.in-addr.arpa
  0.in-addr.arpa
  255.in-addr.arpa

And, if you uncomment the include "/etc/bind/zones.rfc1918"
in /etc/bind/named.conf.local, then it means all of
those zones as well:

  16.172.in-addr.arpa
  17.172.in-addr.arpa
  ...
  31.172.in-addr.arpa
  168.192.in-addr.arpa

What happens next is that bind tries and fails to
create .jnl files in /etc/bind for these zones.
AppArmor or the directory permissions prevent it.
This sort of thing appears in the logs:

  general: error: /etc/bind/db.empty.jnl: create: permission denied
  general: error: /etc/bind/db.255.jnl: create: permission denied

Then bind gets an assertion failure and exits:

  general: notice: all zones loaded
  general: notice: running
  general: critical: rbtdb.c:6780: REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 && (rdataset->type == ((dns_rdatatype_t)dns_rdatatype_nsec3) || rdataset->covers == ((dns_rdatatype_t)dns_rdatatype_nsec3))) || (rbtnode->nsec != DNS_RBT_NSEC_NSEC3 && rdataset->type != ((dns_rdatatype_t)dns_rdatatype_nsec3) && rdataset->covers != ((dns_rdatatype_t)dns_rdatatype_nsec3)))) failed, back trace
  general: critical: #0 0x558ce49ffeed in ??
  general: critical: #1 0x7fd079be6d9a in ??
  general: critical: #2 0x7fd079d7f73c in ??
  general: critical: #3 0x7fd079e45680 in ??
  general: critical: #4 0x7fd079c1b720 in ??
  general: critical: #5 0x7fd079c20f52 in ??
  general: critical: #6 0x7fd07995cea7 in ??
  general: critical: #7 0x7fd079590def in ??
  general: critical: exiting (due to assertion failure)

This repeats again and again until you work out what
happened, clean everything up, remove the dnssec-policy
from the options {} stanza, and restart bind.

And, unless I went temporarily insane, it even managed
somehow to overwrite my source zonefiles with signed
versions, and I had to restore them from backup. When
it works properly, it puts the signed versions in
separate files.

However, if you put the dnssec-policy usage directive in the
zone {} stanzas instead, it's absolutely brilliant.

But that's just a workaround. A fix would be to patch bind
so that the dnssec-policy directive in the options {} stanza
does not apply to the localhost zone or any .in-addr.arpa zones.

cheers,
raf

-- System Information:
Debian Release: 11.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bind9 depends on:
ii  adduser                3.118
ii  bind9-libs             1:9.16.15-1
ii  bind9-utils            1:9.16.15-1
ii  debconf [debconf-2.0]  1.5.77
ii  dns-root-data          2021011101
ii  init-system-helpers    1.60
ii  iproute2               5.10.0-4
ii  libc6                  2.31-13
ii  libcap2                1:2.44-1
ii  libfstrm0              0.6.0-1+b1
ii  libjson-c5             0.15-2
ii  liblmdb0               0.9.24-1
ii  libmaxminddb0          1.5.2-1
ii  libprotobuf-c1         1.3.3-1+b2
ii  libssl1.1              1.1.1k-1
ii  libuv1                 1.40.0-2
ii  libxml2                2.9.10+dfsg-6.7
ii  lsb-base               11.1.0
ii  netbase                6.3
ii  zlib1g                 1:1.2.11.dfsg-2

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind-doc                   <none>
ii  bind9-dnsutils [dnsutils]  1:9.16.15-1
ii  dnsutils                   1:9.16.15-1
pn  resolvconf                 <none>
pn  ufw                        <none>

-- Configuration Files:
/etc/apparmor.d/local/usr.sbin.named changed [not included]
/etc/apparmor.d/usr.sbin.named changed [not included]
/etc/bind/named.conf.local changed [not included]
/etc/bind/named.conf.options changed [not included]

-- debconf information:
  bind9/run-resolvconf: false
  bind9/different-configuration-file:
  bind9/start-as-user: bind
