Bug #8197
closed
BIND UI fails to properly update zone with inline DNSSEC signing enabled
0%
Description
2.4.2-RELEASE with BIND 9.11_9 on SG-4860
Steps to reproduce:
1) Install pfSense 2.4.2-RELEASE and the BIND package, and setup a standard configuration with LAN and WAN port.
2) Disable built-in DNS Resolver and DNS Forwarder packages.
3) Enable BIND and configure it to listen on all interfaces. Confirm BIND responds to requests on the LAN interface IP.
4) Configure a master zone for the domain of your choice, enable inline DNSSEC signing on this zone, and confirm BIND responds to requests for DNS records in this zone.
5) Add a new A record for the host "test" under this zone, with the IP of your choice, and save. At this point, BIND should respond to requests for this host.
6) Remove this host "test", and save. At this point, BIND still responds to requests for the now-deleted record.
I've confirmed that the zone's ".DB" file (in /cf/named/etc/namedb/master/<view>) is correct at this point, but the problem seems to be one or more of the ".DB.jbk", ".DB.signed", and ".DB.signed.jnl" files. Disabling inline DNSSEC signing in the UI will correct the problem with no further action, at the expense of DNSSEC of course. Removing these three files and restarting BIND also appears to correct the problem by causing the files to be regenerated without the now-removed DNS record. Presumably the UI is missing some step that should cause this update to occur in a less destructive manner.
Updated by Jared Dillard
Updated by Azamat Khakimyanov about 1 month ago
- Status changed from New to Resolved
I've tested it on 21.02.2 and on latest 24.03
I was able to reproduce this issue on 21.02.2 (BIND 9.16_17) - BIND continued to send DNS Queries for FQDNs (with their IPs) which were just deleted.
On 24.03 (BIND 9.17) there was no more such behavior. BIND sent 'No such name' DNS queries for the FQDNs which were deleted.
I marked this Bug as resolved.