Control: forwarded -1 https://gitlab.isc.org/isc-projects/bind9/-/issues/2623
Hi Michel,

the issue will be fixed in the next upstream release (due next week). The overwrite should happen only once on the upgrade to 9.16.12 or 9.16.13, so you should be safe to restore the symlinks meanwhile.

Ondrej
--
Ondřej Surý (He/Him)
ond...@sury.org

> On 20. 4. 2021, at 11:30, Michel Lespinasse <mic...@lespinasse.org> wrote:
>
> Package: bind9
> Version: 1:9.16.13-1~bpo10+1
>
> I'm running a debian buster system, with a small number of packages
> installed from buster-backports, one of them being bind9 (for the
> dnssec inline signing / policy enhancements).
>
> I'm using inline dnssec signing for some of my zones:
>
> zone "lespinasse.org" {
>         type master;
>         file "/var/lib/bind/db.lespinasse";
>         dnssec-policy "secure";
> };
>
> I have a /etc/bind/db.lespinasse zone file which I manually edit
> (with regular, non-dnssec signed entries); within /var/lib/bind9
> there is a db.lespinasse symlink pointing to /etc/bind/db.lespinasse,
> and there are also db.lespinasse.{jkb,jnl,signed,signed.jnl} files that
> are owned and updated by bind9. Overall, this setup lets me edit the
> zone as a regular, non-dnssec text file; bind9 then picks it up and updates
> it with signed dnssec entries as required.
>
> This worked fine with bind9 version 1:9.16.11-2~bpo10+1, but when
> upgrading to 1:9.16.13-1~bpo10+1 the /var/lib/bind9/db.lespinasse
> symlink got overwritten and replaced with a bind-written text zone
> file. By this, I mean that the file had the same entries as the ones I
> configured in the original /etc/bind/db.lespinasse, but with different
> formatting and comments removed, as bind9 would normally do when
> dealing with dynamic dns zones.
>
> The creation time for the rewritten /var/lib/bind9/db.lespinasse file
> matches the package update time in /var/log/dpkg.log, so I know the issue
> happened during the update.
>
> In the end, no zone data was lost as I simply had to remove the
> rewritten file, restore the desired symlink, and reload bind.
>
>
> I would like to confirm whether my inline signing setup is supposed to
> be a supported configuration, and if so, suggest that a test should be
> added to package release scripts so that future package upgrades won't
> trigger this issue again?
>
>
> -- System Information:
> Debian Release: 10.9
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.19.0-16-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
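An operator-side check for the failure described in the report, as an added example that is not part of this thread or of the Debian packaging: a POSIX shell script that verifies each zone-file symlink is still a symlink to its hand-edited source, so it can be run after a bind9 upgrade. The manifest format, the function names and the temporary demo tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Assumed manifest format: one "<link-path> <expected-target>"
# pair per line; blank lines and lines starting with '#' are skipped.

# Classify one path: returns 0 for an intact symlink, 1 for anything else.
check_zone_link() {
    link=$1; want=$2
    if [ -L "$link" ]; then
        have=$(readlink "$link")
        if [ "$have" = "$want" ]; then
            echo "OK         $link -> $have"; return 0
        fi
        echo "RETARGETED $link -> $have (expected $want)"; return 1
    elif [ -e "$link" ]; then
        # The case from the report: symlink replaced by a rewritten zone file.
        echo "REPLACED   $link is a regular file (expected symlink to $want)"
        return 1
    fi
    echo "MISSING    $link"; return 1
}

# Check every manifest entry; BAD holds the number of failures afterwards.
check_manifest() {
    BAD=0
    while read -r link want; do
        case $link in ''|'#'*) continue ;; esac
        check_zone_link "$link" "$want" || BAD=$((BAD + 1))
    done < "$1"
    [ "$BAD" -eq 0 ]
}

# Constructed demo tree mirroring the layout in the report (not real paths).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/bind" "$root/var/lib/bind"
    echo '; hand-edited zone' > "$root/etc/bind/db.lespinasse"
    ln -s "$root/etc/bind/db.lespinasse" "$root/var/lib/bind/db.lespinasse"
    echo "$root/var/lib/bind/db.lespinasse $root/etc/bind/db.lespinasse" \
        > "$root/manifest"
    check_manifest "$root/manifest" || true; before=$BAD
    # Simulate the upgrade: the symlink becomes a regular, rewritten file.
    rm "$root/var/lib/bind/db.lespinasse"
    echo 'rewritten zone' > "$root/var/lib/bind/db.lespinasse"
    check_manifest "$root/manifest" || true; after=$BAD
    rm -rf "$root"
}

demo
echo "failures before upgrade: $before, after: $after"
```

On a real system the manifest would list the actual link and target paths, and a non-zero exit from `check_manifest` is the signal to restore the symlink and reload bind.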