Package: bind9
Version: 1:9.7.1.dfsg.P2-2
Severity: important

Hello

I run a fully DNSSEC, Dynamic Update, IPv6 enabled bind.
I use bind for a rbl blacklist, so there are a lot of updates and requests to a 
signed zone.

I used the same setup on lenny, and no problems occurred.

After upgrading to squeeze, my bind9 freezes about once or twice a week.

The process is still present, but does not react to queries, to updates, or to 
rndc commands.
It cannot be killed normally. A kill -9 and restart is the only fix.

Any ideas?
-Benoit-

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (700, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bind9 depends on:
ii  adduser                3.112             add and remove users and groups
ii  bind9utils             1:9.7.1.dfsg.P2-2 Utilities for BIND
ii  debconf [debconf-2.0]  1.5.36            Debian configuration management sy
ii  libbind9-60            1:9.7.1.dfsg.P2-2 BIND9 Shared Library used by BIND
ii  libc6                  2.11.2-6+squeeze1 Embedded GNU C Library: Shared lib
ii  libcap2                1:2.19-3          support for getting/setting POSIX.
ii  libdb4.8               4.8.30-2          Berkeley v4.8 Database Libraries [
ii  libdns66               1:9.7.1.dfsg.P2-2 DNS Shared Library used by BIND
ii  libgssapi-krb5-2       1.8.3+dfsg-2      MIT Kerberos runtime libraries - k
ii  libisc60               1:9.7.1.dfsg.P2-2 ISC Shared Library used by BIND
ii  libisccc60             1:9.7.1.dfsg.P2-2 Command Channel Library used by BI
ii  libisccfg60            1:9.7.1.dfsg.P2-2 Config File Handling Library used 
ii  libldap-2.4-2          2.4.23-6          OpenLDAP libraries
ii  liblwres60             1:9.7.1.dfsg.P2-2 Lightweight Resolver Library used 
ii  libssl0.9.8            0.9.8o-2          SSL shared libraries
ii  libxml2                2.7.7.dfsg-4      GNOME XML library
ii  lsb-base               3.2-23.1          Linux Standard Base 3.2 init scrip
ii  net-tools              1.60-23           The NET-3 networking toolkit
ii  netbase                4.42              Basic TCP/IP networking system

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind9-doc              <none>            (no description available)
ii  dnsutils               1:9.7.1.dfsg.P2-2 Clients provided with BIND
pn  resolvconf             <none>            (no description available)
pn  ufw                    <none>            (no description available)

-- Configuration Files:
/etc/bind/bind.keys [Errno 2] Datei oder Verzeichnis nicht gefunden: 
u'/etc/bind/bind.keys'
/etc/bind/named.conf changed:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};
include "/etc/bind/named.conf.local";

/etc/bind/named.conf.default-zones [Errno 2] Datei oder Verzeichnis nicht 
gefunden: u'/etc/bind/named.conf.default-zones'
/etc/bind/named.conf.local changed:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// Logging: two file channels under /var/log/bind.
//  - "querylog" receives the "queries" category, rotated at 100m with
//    3 old versions kept, timestamps on.
//  - "dnssec_log" receives the "dnssec" category at severity "debug 3",
//    rotated at 20m, with time, category and severity printed.
// NOTE(review): only "queries" and "dnssec" are routed to files here. Nothing
// in this block captures the update, security or general categories, so the
// last messages before a freeze would have to be looked for wherever the
// default channels go (not visible in this report).
// NOTE(review): per-query logging plus debug-level dnssec logging adds file
// writes on every request to a busy RBL server -- worth ruling out as a
// factor in the hang; confirm by testing with these channels disabled.
logging {
          channel "querylog" { file "/var/log/bind/bind9-query.log" versions 3 
size 100m; print-time yes; };
          category queries { querylog; };
          channel "dnssec_log" { file "/var/log/bind/bind9-dnssec.log" versions 
3 size 20m; print-time yes; print-category yes; print-severity yes; severity 
debug 3; };
          category dnssec  { dnssec_log;  };
        };
// include "/etc/bind/trusted.keys";
include "/etc/bind/rndc.key";
// DNSSEC trust anchor for the root zone ".".
// "initial-key" only seeds the anchor; named is then expected to track key
// rollovers itself (RFC 5011) and keep the current state in its own
// managed-keys file rather than in this statement.
// The three numbers are the DNSKEY fields: flags 257 (key-signing key),
// protocol 3, algorithm 8 (RSA/SHA-256).
// NOTE(review): a trust anchor copied from a bug report, wiki or mailing-list
// post should be checked against the root trust anchor published by IANA
// before it is used anywhere; everything validated below the root depends on it.
managed-keys {
    "." initial-key 257 3 8 
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};
// Trusted Networks:
// Address-match list referenced in two places in this configuration:
//   - options { allow-recursion { trusted; }; }  -- who may use this server
//     as a recursive resolver;
//   - zone "d.a.e.d.0.6.0.4.1.0.0.2.ip6.arpa" allow-update { trusted; };
//     -- who may send dynamic updates to that zone.
// NOTE(review): the same list therefore grants both "may recurse" and "may
// rewrite a zone". Those are different privilege levels; a separate, narrower
// list (or a TSIG key) for updates would keep a resolver client from also
// being an authorised updater.
// NOTE(review): membership is decided by source address only, and the list
// includes whole networks (192.168.57.0/24, 157.161.4.0/24, three IPv6 /64s).
acl "trusted" {
                192.168.57.0/24;
                157.161.57.0/27;
                157.161.57.64/26;
                157.161.4.0/24;
                127.0.0.1;
                ::1/128;
                2001:4060:dead:beef::/64;
                2001:4060:dead:babe::/64;
                2001:4060:1:4133::/64;
};
// add entries for other zones below here
// ======== WOODY ==========
//zone "128-27.194.238.80.in-addr.arpa" {
//        type master;
//        file "woody.ch.rev";
//        allow-update {
//                80.238.194.128/27;
//              ::ffff:80.238.194.128/27;
//                ::1/128;
//              2001:08e0:abcd:16::/64;
//        };
//};
// Master zone for the 192.168.57.0/24 reverse tree, served from a signed
// zone file and open to dynamic update.
// NOTE(review): allow-update is purely address-based here. The source address
// of a DNS UPDATE is not authenticated, so anything that can originate or
// forge traffic from these ranges can change the zone. The usual hardening is
// to require a TSIG key, e.g. allow-update { key "<KEY-NAME-PLACEHOLDER>"; };
// or an update-policy block, and keep address lists only as an extra filter.
// NOTE(review): "::ffff:157.161.57.0/27" puts a 27-bit prefix length on a
// 128-bit IPv4-mapped address. If the intent is "the IPv4 /27 when it shows
// up as a mapped address", the matching length would be /123 (96 + 27); as
// written the entry may cover far more than intended -- confirm with
// named-checkconf and a test update.
// The same allow-update list (including the mapped entry) is repeated in the
// zones "0-31.57.161.157.in-addr.arpa", "64-79.57.161.157.in-addr.arpa" and
// "144.161.157.in-addr.arpa"; "woody.ch" carries the mapped entry as well.
zone "57.168.192.in-addr.arpa" {
        type master;
        file "57.168.192.in-addr.arpa.rev.signed";
        allow-update {
                157.161.57.0/27;
                157.161.57.64/26;
                127.0.0.1;
                ::ffff:157.161.57.0/27;
                ::1/128;
                2001:4060:dead:beef::/64;
                2001:4060:dead:babe::/64;
                2001:4060:1:4133::/64;
        };
};
zone "0-31.57.161.157.in-addr.arpa" {
        type master;
        file "woody.ch.rev.signed";
        allow-update {
                157.161.57.0/27;
                157.161.57.64/26;
                127.0.0.1;
                ::ffff:157.161.57.0/27;
                ::1/128;
                2001:4060:dead:beef::/64;
                2001:4060:dead:babe::/64;
                2001:4060:1:4133::/64;
        };
};
zone "64-79.57.161.157.in-addr.arpa" {
        type master;
        file "woody.ch.rev2.signed";
        allow-update {
                157.161.57.0/27;
                157.161.57.64/26;
                127.0.0.1;
                ::ffff:157.161.57.0/27;
                ::1/128;
                2001:4060:dead:beef::/64;
                2001:4060:dead:babe::/64;
                2001:4060:1:4133::/64;
        };
};
zone "144.161.157.in-addr.arpa" {
        type master;
        file "144.161.157.in-addr.arpa.rev.signed";
        allow-update {
                157.161.57.0/27;
                157.161.57.64/26;
                127.0.0.1;
                ::ffff:157.161.57.0/27;
                ::1/128;
                2001:4060:dead:beef::/64;
                2001:4060:dead:babe::/64;
                2001:4060:1:4133::/64;
        };
};
zone "d.a.e.d.0.6.0.4.1.0.0.2.ip6.arpa" {
        type master;    
        file "d.a.e.d.0.6.0.4.1.0.0.2.ip6.arpa.signed";
        allow-update { trusted; };
};
zone "woody.ch" {
        type master;
        file "woody.ch.hosts.signed";
        allow-update {
                157.161.57.0/27;
                157.161.57.64/26;
                ::ffff:157.161.57.0/27;
                ::1/128;
                2001:4060:dead:beef::/64;
                2001:4060:dead:babe::/64;
                2001:4060:1:4133::/64;
        };
};
zone "FAX" {
        type master;
        file "FAX.hosts";
};
// Presumably the RBL zone the report describes as receiving "a lot of
// updates and requests" -- confirm with the reporter. It is a master zone
// served from a signed file and accepts dynamic updates.
// NOTE(review): updates are accepted on source address alone, from the two
// 157.161.57.x ranges, three IPv6 /64s, ::1 and all of 157.161.4.0/24.
// For a blacklist that other systems act on, an unauthenticated update path
// means a forged UPDATE can add or remove listings; a TSIG key per feeder
// (allow-update { key "<KEY-NAME-PLACEHOLDER>"; }; or update-policy) closes that.
// NOTE(review): no allow-transfer is set on this zone, so whether the full
// list can be pulled by zone transfer depends on the server-wide default.
zone "blacklist.woody.ch" {
        type master;
        file "blacklist.woody.ch.hosts.signed";
        allow-update {
                157.161.57.0/27;
                157.161.57.64/26;
                ::1/128;
                2001:4060:dead:beef::/64;
                2001:4060:dead:babe::/64;
                2001:4060:1:4133::/64;
                157.161.4.0/24;
        };
};
zone "panizzon.ch" {
        type master;
        file "panizzon.ch.hosts.signed";
        allow-update {
                157.161.57.0/27;
                157.161.57.64/26;
                ::1/128;
                2001:4060:dead:beef::/64;
                2001:4060:dead:babe::/64;
                2001:4060:1:4133::/64;
                157.161.4.0/24;
        };
};
zone "panizzon.com" {
        type master;
        file "panizzon.com.hosts.signed";
                allow-update {
                157.161.57.0/27;
                157.161.57.64/26;
                ::1/128;
                2001:4060:dead:beef::/64;
                2001:4060:dead:babe::/64;
                2001:4060:1:4133::/64;
                157.161.4.0/24;
        };
};
// ========== RAX ===============
zone "rax.ch" {
        type slave;
        file "rax.ch.zone";
        masters {
                157.161.175.200;
                157.161.6.10;
        };
};
zone "kinglouis.ch" {
        type slave;
        file "kinglouis.ch.zone";
        masters {
                157.161.175.200;
        };
};
// ========== SCOUTNET ==========
zone "scoutnet.org" {
        type slave;
        file "scoutnet.org.zone";
        masters {
                157.161.6.10;
        };
};
zone "scoutnet.ch" {
        type slave;
        file "scoutnet.ch.zone";
        masters {
                157.161.6.10;
        };
};
zone "scoutnet.fi" {
        type slave;
        file "scoutnet.fi.zone";
        masters {
                194.29.198.200;
        };
};
zone "partiolaiset.com" {
        type slave;
        file "partiolaiset.com.zone";
        masters {
                194.29.198.200;
        };
};
// ========== SCOUTLINK =========
zone "scoutlink.ch" {
        type slave;
        file "scoutlink.ch.zone";
        masters {
                157.161.6.10;
        };
};
/*
zone "scoutlink.be" {
        type slave;
        file "scoutlink.be.zone";
        masters {
                94.75.211.134;
                157.161.6.250;
        };
};
*/
zone "scoutlink.net" {
        type slave;
        file "scoutlink.net.zone";
        masters {
                94.75.211.134;
                89.238.76.88;
        };
};
zone "scoutlink.org" {
        type slave;
        file "scoutlink.org.zone";
        masters {
                94.75.211.134;
                89.238.76.88;
        };
};
// ============ MOWGLI ============
// Slave zone pulled from a single master (85.10.201.50).
// "notify no" stops this server from sending NOTIFY for the zone, and
// allow-transfer {"none";} refuses onward zone transfers.
// NOTE(review): in this configuration only "mowgli.ch" and "ethgen.de" set
// allow-transfer; every other master and slave zone leaves it unset and so
// inherits whatever the options block / built-in default permits.
// NOTE(review): the masters entry is a bare address with no key, so the
// transfer itself is not TSIG-authenticated as far as this file shows.
zone "mowgli.ch" {
        type slave;
        file "mowgli.ch.zone";
        notify no;
        allow-transfer {"none";};
        masters {
                85.10.201.50;
        };
};
zone "ethgen.de" {
        type slave;
        file "ethgen.de.zone";
        notify no;
        allow-transfer {"none";};
        masters {
                85.10.201.50;
        };
};

/etc/bind/named.conf.options changed:
// Server-wide options as reported.
// What is set: working directory, IPv6 listen/query/notify addresses,
// recursion limited to the "trusted" acl, DNSSEC serving and validation,
// DLV lookaside in "auto" mode, and a key directory for zone keys.
// NOTE(review): there is no allow-transfer here. Zones that do not set their
// own (all but two in named.conf.local) fall back to the built-in default,
// which in this BIND generation permits transfers to any host -- confirm, and
// consider an explicit allow-transfer { none; }; or a key-restricted list so
// the signed zones and the blacklist cannot be copied wholesale.
// NOTE(review): there is no allow-query / allow-query-cache either; only
// allow-recursion restricts who may use the resolver side.
options {
        directory "/var/cache/bind";
        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.
        // forwarders {
        //      0.0.0.0;
        // };
        auth-nxdomain no;    # conform to RFC1035
        // Only one IPv6 address is listened on; no listen-on (IPv4) line is
        // present, so IPv4 listening is left at the default.
        listen-on-v6 { 2001:4060:dead:beef::1; };
        // Source address is pinned but no port is given, so outgoing queries
        // keep randomised source ports (the point of the advisory linked above).
        query-source-v6 2001:4060:dead:beef::1;
        notify-source-v6 2001:4060:dead:beef::1;
        // Recursion is offered only to the "trusted" acl, which keeps this
        // server from acting as an open resolver.
        allow-recursion { trusted; };
        dnssec-enable yes;
        dnssec-validation yes;
//      dnssec-lookaside . trust-anchor dlv.isc.org.;
        // "auto" uses the built-in DLV trust anchor. NOTE(review): ISC has
        // since retired the DLV registry, so this line is of historical
        // interest only and should not be carried into a current config.
        dnssec-lookaside auto;
        // Directory named looks in for zone key files. Private keys live
        // here; NOTE(review): check it is readable only by the named user.
        key-directory "/etc/bind/keys";
};


-- debconf information:
  bind9/different-configuration-file:
  bind9/run-resolvconf: true
  bind9/start-as-user: bind


