Package: bind9
Version: 1:9.16.13-1~bpo10+1

I'm running a debian buster system, with a small number of packages installed from buster-backports, one of them being bind9 (for the dnssec inline signing / policy enhancements).

I'm using inline dnssec signing for some of my zones:

zone "lespinasse.org" {
        type master;
        file "/var/lib/bind/db.lespinasse";
        dnssec-policy "secure";
};

I have a /etc/bind/db.lespinasse zone file which I manually edit (with regular, non-dnssec signed entries); within /var/lib/bind9 there is a db.lespinasse symlink pointing to /etc/bind/db.lespinasse, and there are also db.lespinasse.{jkb,jnl,signed,signed.jnl} files that are owned and updated by bind9.

Overall, this setup lets me edit the zone as a regular, non-dnssec text file; bind9 then picks it up and updates it with signed dnssec entries as required.

This worked fine with bind9 version 1:9.16.11-2~bpo10+1, but when upgrading to 1:9.16.13-1~bpo10+1 the /var/lib/bind9/db.lespinasse symlink got overwritten and replaced with a bind-written text zone file. By this, I mean that the file had the same entries as the ones I configured in the original /etc/bind/db.lespinasse, but with different formatting and comments removed, as bind9 would normally do when dealing with dynamic dns zones.

The creation time for the rewritten /var/lib/bind9/db.lespinasse file matches the package update time in /var/log/dpkg.log, so I know the issue happened during the update.

In the end, no zone data was lost as I simply had to remove the rewritten file, restore the desired symlink, and reload bind.

I would like to confirm whether my inline signing setup is supposed to be a supported configuration, and if so, suggest that a test should be added to package release scripts so that future package upgrades won't trigger this issue again?

-- System Information:
Debian Release: 10.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-16-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
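The kind of upgrade check the report asks for, as an added example that is not part of the original report or of the Debian packaging: it records every symlink in a zone directory before an upgrade and afterwards flags any that was replaced by a regular file. The function names, the manifest format and the snapshot/verify command words are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the report): detect zone-file symlinks that a
# package upgrade replaced with regular files.
# Assumption: paths contain no tab or newline characters.

# snapshot_symlinks DIR MANIFEST
# Record "path<TAB>target" for every symlink directly inside DIR.
snapshot_symlinks() {
    dir=$1; manifest=$2
    : > "$manifest"
    for path in "$dir"/*; do
        [ -L "$path" ] || continue
        printf '%s\t%s\n' "$path" "$(readlink "$path")" >> "$manifest"
    done
}

# verify_symlinks MANIFEST
# Print one line per recorded symlink that changed; return 1 if any did.
verify_symlinks() {
    manifest=$1; status=0
    tab=$(printf '\t')
    while IFS="$tab" read -r path target; do
        if [ ! -L "$path" ]; then
            if [ -e "$path" ]; then
                echo "REPLACED: $path is now a regular file (was -> $target)"
            else
                echo "MISSING: $path (was -> $target)"
            fi
            status=1
        elif [ "$(readlink "$path")" != "$target" ]; then
            echo "RETARGETED: $path -> $(readlink "$path") (was -> $target)"
            status=1
        fi
    done < "$manifest"
    return "$status"
}

# Command-line use: "snapshot DIR MANIFEST" before the upgrade,
# "verify MANIFEST" after it. With no arguments nothing runs.
case "${1:-}" in
    snapshot) snapshot_symlinks "$2" "$3" ;;
    verify)   verify_symlinks "$2" ;;
esac
```

Only regular files and other non-symlink entries are skipped by the snapshot, so the bind9-owned .jnl and .signed files next to the symlink never trigger a report.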