Hello,

Thank you for your response.

I agree, the severity can be lowered if this is not generally reproducible.

Regarding configuration:

- The system is using the default bind9 setup on Debian 12 (bookworm),
  installed via apt, no custom build
- The service is running with the default chroot directory /var/lib/bind, as
  defined by the package
- The options in /etc/default/named are (nothing more):

    RESOLVCONF=no
    OPTIONS="-u bind -t /var/lib/bind -n 3"

- I don't want to reveal my domains publicly by sending
  /etc/bind/named.conf.default-zones
- My options in /etc/bind/named.conf.options are:

    options {
        recursion yes;
        allow-recursion { any; };
        forwarders {
            208.67.222.222; # OpenDNS
            208.67.220.220; # OpenDNS
            8.8.8.8; # Google
            9.9.9.10; # Quad9
        };
        dnssec-validation no;
        listen-on { any; };
        listen-on-v6 { any; };
    };

- There are no other local modifications to the bind9 configuration or service
  files.

Before the security update, the service had been running without any issues for
several months. After applying the update, the repeated restarts started
immediately.

Once I added the timeout settings (RestartSec=10 and TimeoutStartSec=300) to
the systemd unit, the service has been running normally again without further
problems.

It seems that the named service should be able to start and run correctly even
with the default systemd configuration. On my system, the issue only appeared
after the security update, and adjusting the timeout values resolved the
problem.

Best regards,
Klaus.

Ondřej Surý wrote:
> Control: severity -1 important
>
> Please don't abuse the severities. This is at most important as it is not
> broken for everyone.
>
> The bugreport doesn't contain any actionable information. No logs, no
> nothing. It looks like
> the systemd notify is not working, but the question is why it does not work
> just for you.
>
> Is there anything unusual about your configuration – I mean what are the
> things that have
> been changed by you as compared to the default configuration? Are you running
> with chroot
> for example?
>
> Cheers,
> Ondrej
> --
> Ondřej Surý (He/Him)
> [email protected]
>
> > On 8. 11. 2025, at 9:04, Klaus Singvogel <[email protected]> wrote:
> >
> > Package: bind9
> > Version: 1:9.18.41-1~deb12u1
> > Severity: serious
> > Justification: Policy 9.3.1
> > X-Debbugs-Cc: [email protected]
> >
> > Dear Debian maintainers,
> >
> > After installing the recent security update
> > bind9:amd64 (1:9.18.33-1~deb12u2 → 1:9.18.41-1~deb12u1)
> > I noticed today the named service no longer starts correctly. systemd
> > restarts it continuously (about 900 times per day).
> >
> > From journalctl:
> > [...]
> > named.service: start operation timed out. Terminating.
> > [...]
> > named.service: Failed with result 'timeout'.
> >
> > Starting named manually works flawlessly:
> > /usr/sbin/named -u bind -t /var/lib/bind -n 3
> >
> > The issue seems related to the systemd unit configuration. After adding the
> > following options under [Service], the service starts normally:
> > RestartSec=10
> > TimeoutStartSec=300
> > ...and removing the line (done accidentally, when debugging):
> > Type=notify
> >
> > With all these three changes the service runs at my side without an issue.
> >
> > Best regards,
> > Klaus Singvogel.
> >
> > -- System Information:
> > Debian Release: 12.12
> > APT prefers oldstable-updates
> > APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500,
> > 'oldstable')
> > Architecture: amd64 (x86_64)
> >
> > Kernel: Linux 6.1.0-40-cloud-amd64 (SMP w/8 CPU threads; PREEMPT)
> > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
> > LANGUAGE=en_US.UTF-8
> > Shell: /bin/sh linked to /usr/bin/dash
> > Init: systemd (via /run/systemd/system)
> > LSM: AppArmor: enabled
> >
> > Versions of packages bind9 depends on:
> > ii adduser 3.134
> > ii bind9-libs 1:9.18.41-1~deb12u1
> > ii bind9-utils 1:9.18.41-1~deb12u1
> > ii debconf [debconf-2.0] 1.5.82
> > ii dns-root-data 2024071801~deb12u1
> > ii init-system-helpers 1.65.2+deb12u1
> > ii iproute2 6.1.0-3
> > ii libc6 2.36-9+deb12u13
> > ii libcap2 1:2.66-4+deb12u2
> > ii libfstrm0 0.6.1-1
> > ii libjemalloc2 5.3.0-1
> > ii libjson-c5 0.16-2
> > ii liblmdb0 0.9.24-1
> > ii libmaxminddb0 1.7.1-1
> > ii libnghttp2-14 1.52.0-1+deb12u2
> > ii libprotobuf-c1 1.4.1-1+b1
> > ii libssl3 3.0.17-1~deb12u3
> > ii libsystemd0 252.39-1~deb12u1
> > ii libuv1 1.44.2-1+deb12u1
> > ii libxml2 2.9.14+dfsg-1.3~deb12u4
> > ii netbase 6.4
> > ii sysvinit-utils [lsb-base] 3.06-4
> > ii zlib1g 1:1.2.13.dfsg-1
> >
> > bind9 recommends no packages.
> >
> > Versions of packages bind9 suggests:
> > pn bind-doc <none>
> > ii bind9-dnsutils [dnsutils] 1:9.18.41-1~deb12u1
> > ii dnsutils 1:9.18.41-1~deb12u1
> > ii openresolv [resolvconf] 3.12.0-3
> > pn ufw <none>
> >
> > -- Configuration Files:
> > /etc/bind/named.conf.default-zones changed [not included]
> > /etc/bind/named.conf.local changed [not included]
> > /etc/bind/named.conf.options changed [not included]
> > /etc/default/named changed [not included]
> >
> > -- no debconf information
--
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D 1994-06-27
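
For readers following the "systemd notify is not working" and chroot question in this thread, an added example (not part of either mail, and not BIND or systemd code) of how a Type=notify readiness message travels over the NOTIFY_SOCKET datagram socket, and why a path-based socket is unreachable from a different filesystem root. The temporary paths and the `root` parameter are constructed stand-ins, and the thread does not establish that this is what happens on the reporter's system.

```python
import os
import socket
import tempfile


def sd_notify(state, notify_socket, root="/"):
    """Send `state` to the NOTIFY_SOCKET address as seen from filesystem root `root`.

    Returns True if the datagram was delivered, False otherwise.
    `root` is a hypothetical parameter that simulates a chroot by prefixing the path.
    """
    if not notify_socket:
        return False  # not started by a notify-aware service manager
    if notify_socket.startswith("@"):
        addr = "\0" + notify_socket[1:]  # abstract socket: no filesystem lookup
    else:
        addr = os.path.join(root, notify_socket.lstrip("/"))
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as client:
        try:
            client.sendto(state.encode(), addr)
            return True
        except OSError:
            return False  # socket path does not exist under this root


def demo():
    """Play both sides: a stand-in manager socket and a service with and without chroot."""
    with tempfile.TemporaryDirectory() as tmp:
        host_sock = os.path.join(tmp, "notify")    # constructed stand-in for the manager's socket
        chroot_dir = os.path.join(tmp, "chroot")   # constructed stand-in for the -t directory
        os.mkdir(chroot_dir)
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as manager:
            manager.bind(host_sock)
            manager.settimeout(1)
            result = {"no_chroot": sd_notify("READY=1", host_sock)}
            result["received"] = manager.recv(64).decode()
            result["chroot"] = sd_notify("READY=1", host_sock, root=chroot_dir)
            try:
                manager.recv(64)
                result["manager_saw_ready"] = True
            except socket.timeout:
                result["manager_saw_ready"] = False  # the manager would hit TimeoutStartSec
        return result


if __name__ == "__main__":
    print(demo())
```

In the second case the service itself keeps running, but the manager never receives READY=1, which matches the shape of a "start operation timed out" followed by a restart.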