Bug#1054314: marked as done (bind9: Obsolete delegation-only option causes startup failure with no logging)

[Debian Bug Tracking System]

Your message dated Thu, 17 Apr 2025 19:04:47 +0000
with message-id <e1u5uxx-0026ds...@fasolo.debian.org>
and subject line Bug#1054314: fixed in bind9 1:9.20.8-2
has caused the Debian Bug report #1054314,
regarding bind9: Obsolete delegation-only option causes startup failure with no 
logging
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054314: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054314
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: bind9
Version: 1:9.19.17-1
Severity: normal

I've got a bind configuration that's been around for many years at
this point.  Noticed today that named had failed to restart at some
time in the past.  Nothing in /var/log/bind after it had shut down,
nothing visible in systemctl status, nor journalctl -xeu named.service
apart from note of a bad return code.  Running with named -g found it
complaining about these lines in my named.conf.local:

zone "com" { type delegation-only; };
zone "net" { type delegation-only; };

I don't have a memory of why or when I added these (maybe when bad
lookups suddenly were redirecting to advertising?), but
https://bind9.readthedocs.io/en/v9.18.18/notes.html mentions the
delegation-only option being deprecated.  So, not great that it was
hard to debug, but it's probably peculiar to my configuration.  I
thought it was worth filing a bug in any case anyone else runs across
this.

My fix was simply to remove those two lines since they do not
appear to be relevant any more.  If support for delegation-only has
indeed been removed, it seems a little strange it's not in the bind
release notes etc.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0-2-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bind9 depends on:
ii  adduser                    3.137
ii  bind9-libs                 1:9.19.17-1
ii  bind9-utils                1:9.19.17-1
ii  debconf [debconf-2.0]      1.5.82
ii  dns-root-data              2023010101
ii  init-system-helpers        1.65.2
ii  iproute2                   6.5.0-4
ii  libc6                      2.37-12
ii  libcap2                    1:2.66-4
ii  libfstrm0                  0.6.1-1
ii  libjson-c5                 0.17-1
ii  liblmdb0                   0.9.31-1
ii  libmaxminddb0              1.7.1-1
ii  libnghttp2-14              1.57.0-1
ii  libprotobuf-c1             1.4.1-1+b1
ii  libssl3                    3.0.11-1
ii  libsystemd0                254.5-1
ii  libuv1                     1.46.0-2
ii  libxml2                    2.9.14+dfsg-1.3
ii  lsb-base                   11.6
ii  netbase                    6.4
ii  sysvinit-utils [lsb-base]  3.08-3
ii  zlib1g                     1:1.2.13.dfsg-3

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind-doc                   <none>
ii  bind9-dnsutils [dnsutils]  1:9.19.17-1
ii  dnsutils                   1:9.19.17-1
ii  resolvconf                 1.91+nmu1
pn  ufw                        <none>

-- Configuration Files:
/etc/apparmor.d/local/usr.sbin.named changed:
/etc/opendkim/keys/** r,
/var/log/bind/** rw,
/var/log/bind/ rw,
/run/named/ rwm,
/etc/bind/named.conf changed:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
//include "/etc/bind/named.conf.keys";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

/etc/bind/named.conf.local changed:
//
// Do any local configuration here
//
// $Id: named.conf.local,v 1.5 2014/03/11 15:37:22 root Exp chris $
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
//zone "com" { type delegation-only; };
//zone "net" { type delegation-only; };
// reduce log verbosity on issues outside our control
logging {
  channel default_file {
    file "/var/log/bind/named.log" versions 3 size 10m;
    print-time yes;
    print-category yes;
  };
  
//  category default  { default_syslog; default_debug; };
  category default  { default_syslog; default_debug;  default_file; };
//  category panic    { default_syslog; default_stderr; default_file; };
//  category packet   {                 default_debug; };
//  category eventlib {                 default_debug; };
  category lame-servers { null; };
  category edns-disabled { null; };
//  category cname { null; };
  channel querylog {
    file "/var/log/bind/queries.log" versions 3 size 10m;
    print-time yes;
  };
  category queries { querylog; };
};
/// Masters
zone "snurgle.org" {
  type master;
  file "/etc/bind/snurgle.db";
};
      
zone "snurgle.com" {
  type master;
  file "/etc/bind/snurglecom.db";
};
            
zone "chiappa.net" {
  type master;
  file "/etc/bind/chiappa.db";
};
zone "chiap.com.pa" {
  type master;
  file "/etc/bind/chiapcompa.db";
};
zone "noelie.org" {
  type master;
  file "/etc/bind/noelie.db";
};
zone "oliverhenry.net" {
  type master;
  file "/etc/bind/oliverhenry.db";
};
zone "chiappa-blanco.com" {
  type master;
  file "/etc/bind/chiappablanco.db";
};
//zone "bostoncommoners.org" {
//  type master;
//  file "/etc/bind/bcfc.db";
//};
      
//zone "barelyunited.org" {
//  type master;
//  file "/etc/bind/barelyunited.db";
//};
            
//zone "i-still-live.org" {
//  type master;
//  file "/etc/bind/istilllive.db";
//};
                  
//zone "naan.org" {
//   type master;
//   file "/etc/bind/naan.db";
//};
                  
zone "roboticschick.org" {
  type master;
  file "/etc/bind/robochick.db";
};
zone "laurelriek.org" {
  type master;
  file "/etc/bind/laurel.db";
};
//zone "tropnevad.org" {
//   type slave;
//   file "tropnevad.ca";
//   masters {
//      66.92.66.179;
//   };
//};
//zone "media-pipe.com" {
//  type master;
//  file "/etc/bind/mediapipe.db";
//};
//zone "waterbedband.com" {
//  type master;
//  file "/etc/bind/waterbedband.db";
//};
zone "bigw.org" {
  type slave;
  file "bigw.ca";
  masters {
    50.244.203.196;
  };
};

/etc/bind/named.conf.options changed:
acl "good-guys" {
        10.1/16;
        127/8;
        localhost;
//      72.93.243.58;
//      72.93.243.59;
//      72.93.243.60;
//      71.174.62.45;
//        74.104.148.229;
        108.7.58.73;
        71.19.149.58; // cirrus
        2605:2700:0:5::4713:953a;
        71.19.144.99; // stratus
        2605:2700:0:2::4713:9063;
};
options {
        directory "/var/cache/bind";
        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.
        // forwarders {
        //      0.0.0.0;
        // };
        auth-nxdomain no;    # conform to RFC1035
        //listen-on-v6 { any; };
        allow-transfer  { "good-guys"; };
        allow-query     { any; };
        allow-recursion { "good-guys"; };
        dnssec-validation no;
        statistics-file "/var/run/named/named.stats";
};


-- debconf information:
  bind9/different-configuration-file:
  bind9/run-resolvconf: false
  bind9/start-as-user: bind

--- End Message ---

--- Begin Message ---

Source: bind9
Source-Version: 1:9.20.8-2
Done: Ondřej Surý <ond...@debian.org>

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ond...@debian.org> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 17 Apr 2025 18:49:10 +0200
Source: bind9
Architecture: source
Version: 1:9.20.8-2
Distribution: unstable
Urgency: medium
Maintainer: Debian DNS Team <team+...@tracker.debian.org>
Changed-By: Ondřej Surý <ond...@debian.org>
Closes: 995310 1054314
Changes:
 bind9 (1:9.20.8-2) unstable; urgency=medium
 .
   * Validate configuration file before service restart
     (Closes: #995310, #1054314)
Checksums-Sha1:
 6074635b45d2091b29d15deba6b6be959fd13d19 3158 bind9_9.20.8-2.dsc
 17ce462d43dc96a7f8da9cc930971adcb8a3d1fd 60060 bind9_9.20.8-2.debian.tar.xz
 01e445a855812446605ede8ea011804325ca7bcd 14631 bind9_9.20.8-2_amd64.buildinfo
Checksums-Sha256:
 22764f391224e697694a64e564d6478b837b97f5338b2a8b632a113288559700 3158 
bind9_9.20.8-2.dsc
 9279f745bba059fe425018fb0daac99f12aab3f1255c93813ce9e5e76c818267 60060 
bind9_9.20.8-2.debian.tar.xz
 7ed5824b3e4cf193c9d47acf6fae9b934066cbc0161bc241a8f92fa52942fd56 14631 
bind9_9.20.8-2_amd64.buildinfo
Files:
 2a2818f5d626e15e2f5f279b1c9a67d8 3158 net optional bind9_9.20.8-2.dsc
 818854446d3762b953f92c33911f0bd1 60060 net optional 
bind9_9.20.8-2.debian.tar.xz
 7124154163dc16ca3205bb06c7d167c3 14631 net optional 
bind9_9.20.8-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKSBAEBCgB9FiEEw2Gx4wKVQ+vGJel9g3Kkd++uWcIFAmgBTOxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEMz
NjFCMUUzMDI5NTQzRUJDNjI1RTk3RDgzNzJBNDc3RUZBRTU5QzIACgkQg3Kkd++u
WcJEsA/3SxtdnKBygtyeb0CJOdQt+tQII9oFI8Vi6emEXBGTlPO8la0R3s11JqHF
LZF2s6NU+sLI+xmxWIIMBbpt1+ncXDIaBCeIRoFWUj4QB7ZfP813rP/7rOh9/vSt
p2/qnXYWK/HhFmu9C3XYDWOS3cKHfNUEhx71oxRWgoRC/gzPzTUHqx77gswQpTJw
h/5XsHOBkPYY335vRWpzcY/0HKVLs6uUWQyg74AVrvqUUIJp6GOIC0sJzgRa7+qC
+OD2GwSkmb2hfyZPHAUjppX0kH+1810LbYzf+yFCks+7Pz4EVrKtCUHZImhyusl/
FuR1zFYwaDFKZQ9HovtCzGPV/4nhSZa4hEUL4tJNa+Asve4NmkeleLBhLj+PDoYD
MjuFIsZ53ug6T/V3lHywo5oXlWhpEUVXytMBMdbAY+ALFIM40sGctB2TTgiLEfcD
I06fXoziU4a9r7CDSNB2ZXuPsvDxD8DoDcKhMU9+U7z7r3NTgq3g0MACe/LRVh9x
u5yrQfOPSt/1lpra6QNcwuH4iv9bje3I35pDtQr6vsw3j1N4Xv8puH8A9eyxbTuq
UkGBVxe/S5wNQtmJ9oWJGNI7nZkTu1NNBaAofaQcwi1beFIn6K2aAi1WavsT0eFi
TWPduZ1p9k1zs9knG4Bc7EB6E/DLlHYI3TBgF6jThMfwF/vARw==
=sY9r
-----END PGP SIGNATURE-----

pgpwVPqgG3_G0.pgp
Description: PGP signature

--- End Message ---