Re: isc-bind service shutdown after update at 9.20.7-1.2.el8

2025-03-26 Thread Ben Scott

  I have been running BIND chroot'ed since before there was a systemd.  I have 
a vague memory of having to, at some point, change the systemd unit for named 
from "Type=notify" to "Type=forking".  My memory is not what it used to be, but 
I am fairly sure I was running named through Debian's standard systemd unit for 
some time, before I needed to make that change.  So I think something changed 
at some point, breaking a configuration that used to work.

  It is possible the change in question was Debian introducing the patch to add 
systemd-notify support to BIND 9.18.  (That is not in vanilla BIND 9.18.)

  If it helps, this is my /etc/systemd/system/named.service.d/override.conf 
file (as of Debian 12 bookworm):

[Service]
Type=forking
PrivateTmp=false
ExecStart=
ExecStart=/usr/sbin/named $OPTIONS
PIDFile=/srv/dns/run/named.pid

  The first (blank) ExecStart tells systemd to clear the stock ExecStart 
declaration, rather than adding to it.  And $OPTIONS is "-u bind -t /srv/dns" 
per /etc/default/named file.

  -- Ben

-- 
Any opinions expressed in this message are those of the author alone.
All information is provided without warranty of any kind.
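As an added example (my code, not Ben's override or Debian's unit): a Python script that layers a drop-in over a stock unit using systemd's rule that an empty ExecStart= resets the list, then lints the merged result for the Type=/chroot combinations this thread runs into. The stock unit text, paths and OPTIONS value are constructed for the demo; the lint rules follow systemd's Type=notify and Type=forking semantics.

```python
import re
import shlex

LIST_KEYS = {"ExecStart", "ExecStop", "ExecReload"}  # an empty assignment resets these lists

def parse_unit(text, unit=None):
    """Parse a unit file or drop-in; pass the result back in to layer a drop-in on top."""
    unit, section = ({} if unit is None else unit), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            unit.setdefault(section, {})
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if key not in LIST_KEYS:
            unit[section][key] = [value]                      # scalar: last assignment wins
        elif value == "":
            unit[section][key] = []                           # blank ExecStart= clears the stock one
        else:
            unit[section].setdefault(key, []).append(value)
    return unit

def lint_named_unit(unit, env):
    """Flag the Type=/chroot mismatches from this thread; env holds EnvironmentFile variables."""
    svc = unit.get("Service", {})
    starts = svc.get("ExecStart", [])
    if len(starts) != 1:
        return [f"expected exactly one ExecStart, found {len(starts)}"]
    argv = shlex.split(re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), ""), starts[0]))
    stype, fg = svc.get("Type", ["simple"])[0], "-f" in argv
    chroot = argv[argv.index("-t") + 1] if "-t" in argv else None
    findings = []
    if stype == "notify" and chroot:
        findings.append(f"Type=notify with chroot {chroot}: the notify socket must be reachable inside it")
    if stype == "notify" and not fg:
        findings.append("Type=notify without -f: named forks away and systemd loses the main process")
    if stype == "forking" and fg:
        findings.append("Type=forking with -f: named never forks, so systemd waits until it times out")
    return findings

# Constructed inputs: a stock 9.20.7-style unit plus the override.conf from this post
STOCK = "[Service]\nType=notify\nPIDFile=/run/named/named.pid\nExecStart=/usr/sbin/named -f $OPTIONS\n"
DROP_IN = "[Service]\nType=forking\nPrivateTmp=false\nExecStart=\nExecStart=/usr/sbin/named $OPTIONS\nPIDFile=/srv/dns/run/named.pid\n"

if __name__ == "__main__":
    for label, unit in (("stock", parse_unit(STOCK)), ("stock+override", parse_unit(DROP_IN, parse_unit(STOCK)))):
        print(label, lint_named_unit(unit, {"OPTIONS": "-u bind -t /srv/dns"}) or ["no findings"])
```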

- Original Message -
> From: "Michal Nowak" 
> To: "bind-users" 
> Sent: Tuesday, March 25, 2025 1:09:36 PM
> Subject: Re: isc-bind service shutdown after update at 9.20.7-1.2.el8

> Hi,
> 
> I can reproduce your problem when I set up chroot.
> 
> Though, I think this is the expected behaviour unless you set up the systemd
> notify socket inside the chroot. See the following guide for how to do
> it https://kb.leuxner.net/article/bind-sd_notify-chroot/ (haven't tried
> it myself), or resort to what already works for you, i.e., Type=forking
> and the removal of the "-f" option from the unit file.
> 
> > What is the impact of not using the "Type=notify" and "-f" on my
> > system?
> 
> There's no impact. It works.
> 
> Michal
> 
> On 24/03/2025 16:44, Langlois Joël wrote:
>> Hello,
>> 
>> Thanks for your reply, this helped point me in the right direction! The
>> problem is in the startup file for the service
>> /usr/lib/systemd/system/isc-bind-named.service (this file is modified by
>> the 9.20.7 update). When I try to use the option "Type=notify" or the
>> option "-f" (ExecStart=/opt/isc/isc-bind/root/usr/sbin/named -u named -f)
>> the service "isc-bind-named" does not want to start and I have the same
>> error as in my first email (netmgr 0x7f741ea7b1e0: Shutting down network
>> manager etc). When I put back the old option (Type=forking) and no "-f" in
>> the ExecStart line, everything works like a charm!
>> 
>> I am using "selinux" (I tried to deactivate it, with no success for bind)
>> and I have had a chroot (/var/named/chroot) environment on my system for
>> many years and I never had that kind of trouble before. What is the impact
>> of not using "Type=notify" and "-f" on my system?
>> 
>> Config file that is running well:
>> =
>> [root@sdns_server]# cat /usr/lib/systemd/system/isc-bind-named.service
>> [Unit]
>> After=network.target
>> Wants=nss-lookup.target
>> Before=nss-lookup.target
>> 
>> [Service]
>> Type=notify
>> EnvironmentFile=-/etc/opt/isc/scls/isc-bind/sysconfig/named
>> PIDFile=/var/named/chroot/run/named/named.pid
>> ExecStart=/opt/isc/isc-bind/root/usr/sbin/named -u named $OPTIONS
>> ExecReload=/bin/kill -HUP $MAINPID
>> ExecStop=/bin/kill -TERM $MAINPID
>> PrivateTmp=true
>> 
>> [Install]
>> WantedBy=multi-user.target
>> 
>> 
>> [root@dns_server]# cat /etc/opt/isc/scls/isc-bind/sysconfig/named
>> # Command line options passed to named
>> OPTIONS="-4 -t /var/named/chroot"
>> 
>> 
>> Thanks a lot for your help!
>> 
>> --
>> Joel Langlois
>> 
>> 
>> -Original Message-
>> From: bind-users  On behalf of Michal Nowak
>> Sent: 24 March 2025 09:06
>> To: bind-users@lists.isc.org
>> Subject: Re: isc-bind service shutdown after update at 9.20.7-1.2.el8
>> 
>> ATTENTION: This email comes from an external source. Make sure it is safe
>> before opening an attachment or clicking on a link. If in doubt, report the
>> message.
>> 
>> 
>> For BIND 9.20.7 and 9.21.6 we changed the service type from "forking" to
>> "notify", also ExecStart now has the "-f" option:
>> 
>> -[Service]
>> -Type=forking
>> -ExecStart=/opt/isc/isc-bind/root/usr/sbin/named -u named
>> +[Service]
>> +Type=notify
>> +ExecStart=/opt/isc/isc-bind/root/usr/sbin/named -u named -f
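Review bot: the Type=notify change needs a chroot caveat, because with OPTIONS="-t /var/named/chroot" (the sysconfig file quoted earlier in this thread) named runs inside the chroot and cannot reach systemd's notify socket, so the unit never reaches the ready state; either document that the notify socket has to be made available inside the chroot, or keep Type=forking without -f whenever -t is in use. Separately, the unit quoted above still carries PIDFile=/var/named/chroot/run/named/named.pid; with -f named stays in the foreground and that line no longer serves a purpose, so it should be dropped alongside this change.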
>> 
>> Could you please give us the output of "systemctl status 
>> isc-bind-named.service"
>> a few seconds after the service started? I'd be surprised to find it in the
>> "Active: active (running)" state.
>> 
>> I failed to reproduce your problem on a clean Rocky Linux 8.10.
>> 
>> Michal
>> 
>> On 21/03/2025 20:43, Langlois Joël via bind-users wrote:
>>> Hi everyone,
>>>
>>> After updating my isc-bind packages from 9.20.6-1.2 to
>>> 9.20.7-1.2,

Cannot import keys into dnssec-policy

2025-03-26 Thread Nguyen Thi Minh Tam via bind-users
Hi, I'm trying version 9.18.31.

According to the post on https://kb.isc.org/docs/dnssec-key-and-signing-policy, 
the policy normally generates keys when they are needed. However, we can 
generate the DNSSEC keys ourselves first, and when the policy requires a new 
key, it will select the one we created.

There is even an example in that post.

So, I followed that approach. I generated a new key that matches the policy and 
placed it in the key directory. However, when it was time to roll the key, my 
key was retired, and the policy generated a new one instead.

Here is my policy:


dnssec-policy "hosting key" {
    dnskey-ttl PT1M;
    keys {
        ksk key-directory lifetime P1Y algorithm RSASHA256 2048;
        zsk key-directory lifetime P30D algorithm RSASHA256 2048;
    };
};


And I run this command to generate the next key:

dnssec-keygen -a 8 -b 2048 -n ZONE -K /data/keys/policy.com/ policy.com

I even tried

dnssec-keygen -k "hosting key" -l /etc/named.conf -K /data/keys/policy.com/ policy.com

so I'm pretty sure the new key matches the policy. But still, they all got
retired.

Please help.

Best regards,
Tam
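An added example (my code, not from the post): a small Python checker that reads the DNSKEY line of a dnssec-keygen .key file and reports whether its flags, algorithm and RSA modulus size match the ksk/zsk entries of the policy above. The policy is encoded as a constructed dict and the key line is synthesised with a fake modulus rather than generated by dnssec-keygen.

```python
import base64

# dnssec-policy "hosting key" from the post, as a constructed dict: role -> (algorithm, bits)
POLICY_KEYS = {"ksk": (8, 2048), "zsk": (8, 2048)}   # RSASHA256 is DNSSEC algorithm 8

def rsa_modulus_bits(rdata):
    """Bit length of the modulus in RFC 3110 RSA DNSKEY public-key data."""
    exp_len, off = rdata[0], 1
    if exp_len == 0:                                   # exponent length >= 256 uses a 2-byte field
        exp_len, off = int.from_bytes(rdata[1:3], "big"), 3
    modulus = rdata[off + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()

def parse_key_file(text):
    """Parse the DNSKEY record in a .key file (comment lines start with ';', TTL optional)."""
    for line in text.splitlines():
        if line.startswith(";") or not line.strip():
            continue
        fields = line.split()
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        rdata = base64.b64decode("".join(fields[i + 4:]))
        return {"name": fields[0], "flags": flags, "protocol": proto, "algorithm": alg,
                "bits": rsa_modulus_bits(rdata) if alg in (5, 7, 8, 10) else None}
    raise ValueError("no DNSKEY record found")

def matches_policy(key, policy=POLICY_KEYS):
    """Return (role, problems); problems is empty when the key fits the policy entry for its role."""
    role = "ksk" if key["flags"] & 1 else "zsk"        # SEP bit: 257 = KSK, 256 = ZSK
    alg, bits = policy[role]
    problems = []
    if key["flags"] & 256 == 0:
        problems.append("Zone Key flag not set")
    if key["algorithm"] != alg:
        problems.append(f"algorithm {key['algorithm']} != policy {alg}")
    if key["bits"] != bits:
        problems.append(f"key size {key['bits']} != policy {bits}")
    return role, problems

def make_test_key(name, flags, alg=8, bits=2048, exponent=65537):
    """Build a constructed (not cryptographically generated) DNSKEY line for demonstration."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = (1 << (bits - 1)) | 0x1234567                 # synthetic modulus of the requested length
    rdata = bytes([len(e)]) + e + n.to_bytes((bits + 7) // 8, "big")
    return f"{name} IN DNSKEY {flags} 3 {alg} {base64.b64encode(rdata).decode()}"
```

Run against a real .key file from the key directory, the role it reports also shows whether a dnssec-keygen invocation without -f KSK produced a ZSK (flags 256) rather than a KSK (flags 257).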

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users