Problem with latest Docker image

2025-06-20 Thread Randy Scott via bind-users
I've been using the Docker image of v9.20 from 
https://hub.docker.com/r/internetsystemsconsortium/bind9 as a base image 
for quite some time, with no issues. However when I use the most recent 
image (~6/18/25), named fails to start (no error message given). I tried 
upping the debug level with -d 9, but there was still no error message, 
either in the logs or to stdout.


At some point, something I did generated a named.run file, and that file 
ended with these two messages:


    config.c: option 'geoip-directory' was not enabled at compile time
    unable to load internal defaults: failure

(But I'm not sure what I did to generate the named.run file, and I 
haven't been able to recreate it)


I'm not using any geo capability that I know of. I haven't changed 
anything in my bind config files in quite some time, and it's always 
worked up until two days ago. Also, the v9.21 image works fine.


Is there some problem with the 9.20 image, or has something changed 
recently that makes a previously-working configuration invalid?


Also, how can I get more debugging info?

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


dnssec/obsolete dns keys removal - how to?

2025-06-20 Thread Florian Piekert via bind-users

Dear all,

I have tried some faulty ways to set up DNSSEC for some of my domains about a 
month ago. This resulted in the creation of several ZSK, KSK and CSK DNSSEC 
keys (and files) until I got a configuration that actually was working as it 
should. Due to proper ignorance and non-knowledge I deleted those files 
at some point in between while trying.

After a while I got a correctly working setup (using the default *facepalm*).
Although I have then successfully managed to get the correct key setup into the 
DS with the root tld zones, I have mysterious DNSKEY entries on my bind 
installations for these particular domains that I do not seem to get rid of.

I do not have the initially created key files anymore, they are nowhere 
referenced in bind configuration of the zones or anywhere in bind.

I even deleted the /var/lib/bind/ directory contents of the master and 
secondaries, restarted all bind binaries. They are still there. And yes, I 
shut down all binds, deleted the files, restarted them again. Still somewhere 
existing.

How do I get these obsolete entries removed?

The working (and now current) setup is simply the default:
...
  dnssec-policy default;
  key-directory "/etc/bind/zones/master/floppy-friends/rosen-roth.com-keys/";
  inline-signing yes;
  serial-update-method increment;
};
in the zone directives for the master bind.

root@theater:/etc/bind# dig rosen-roth.com. DNSKEY

; <<>> DiG 9.20.10-1+ubuntu24.04.1+deb.sury.org+1-Ubuntu <<>> rosen-roth.com. DNSKEY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37442
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: a797dbfa0e86e303010068556a2fa1cfa1f6c89a33aa (good)
;; QUESTION SECTION:
;rosen-roth.com.                IN      DNSKEY

;; ANSWER SECTION:
rosen-roth.com.         3600    IN      DNSKEY  257 3 13 CtkLyrsB5YZ7Q8xXW8xNrLrXXbVt9FlQhZN4YXtAIGZ7XhIgxca3dn5s fowG0GVA5uVU3VKmZDxg3uYOWc1KVg==
rosen-roth.com.         3600    IN      DNSKEY  257 3 13 U04Pkg5Y4PVyVmGf1+d2nsjsCncm8uvVZ55Ci/UsOLVFJboaYw5UWMb4 LWNuBBNv/TDnlJT6fbhN+LockkW+iA==

root@theater:/etc/bind# rndc dnssec -status rosen-roth.com
dnssec-policy: default
current time:  Fri Jun 20 16:03:48 2025

key: 30519 (ECDSAP256SHA256), CSK
  published:      yes - since Mon Jun  2 21:20:55 2025
  key signing:    yes - since Mon Jun  2 21:20:55 2025
  zone signing:   yes - since Mon Jun  2 21:20:55 2025

  No rollover scheduled
  - goal:   omnipresent
  - dnskey: omnipresent
  - ds: omnipresent
  - zone rrsig: omnipresent
  - key rrsig:  omnipresent

root@theater:/etc/bind# l zones/master/floppy-friends/rosen-roth.com-keys/
total 20
drwxrws---  2 bind bind 4096 Jun  4 23:25 ./
drwxrwsr-x 20 root bind 4096 Jun 20 15:54 ../
-rw-r--r--  1 bind bind  409 Jun  4 23:25 Krosen-roth.com.+013+30519.key
-rw-------  1 bind bind  241 Jun  4 23:25 Krosen-roth.com.+013+30519.private
-rw-r--r--  1 bind bind  727 Jun  4 23:25 Krosen-roth.com.+013+30519.state

https://dnsviz.net/d/rosen-roth.com/analyze/
shows that the key id 30519 is used as it should.

But the other key 46018 exists there, signed by 30519 apparently. The 46018 is expired now, which is probably 
good, but how the h* do I get this thing "deleted"? I do not know where this "key" is 
"hiding"...

I have 2 more domains, one even suffers from 4 existing keys (3 phantom).

Btw, I did NOT submit those "obsolete" keys for entry in the corresponding .tld 
zone DS lists...

Any pointers would be highly appreciated.

root@theater:/etc/bind# named -version
BIND 9.20.10-1+ubuntu24.04.1+deb.sury.org+1-Ubuntu (Extended Support Version) 

(existed with the 9.20.9 as well)

Florian


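The situation in this post, a DNSKEY (key tag 46018) still published at the apex although no key file for it exists in the key-directory, can be detected mechanically: compute the key tag of each published DNSKEY from its RDATA (RFC 4034 Appendix B) and compare against the K<zone>.+<alg>+<tag>.key files. The script below is an added example written for this thread, not code from the poster or from ISC; it assumes dig-style DNSKEY presentation lines as input and a list of key-directory file names, and uses a constructed zone (example.test.) with deliberately tiny key material so the tags can be checked by hand.

```python
"""Report 'phantom' DNSKEYs: keys published at a zone apex that no key file in
the key-directory accounts for. Added example for the bind-users thread, not
ISC code. Assumes dig presentation format and dnssec-keygen file naming."""
from __future__ import annotations

import base64
import re
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DnskeyRecord:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B, computed over the wire-format RDATA."""
        rdata = struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key
        ac = 0
        for i, byte in enumerate(rdata):
            ac += byte << 8 if i % 2 == 0 else byte
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def role(self) -> str:
        """Flags 257 (SEP bit set) is a KSK or CSK; 256 is a ZSK."""
        return "KSK/CSK" if self.flags & 0x0001 else "ZSK"


_DNSKEY_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s*(?P<key>.*)$"
)
# Krosen-roth.com.+013+30519.key style names: zone (with trailing dot), 3-digit alg, 5-digit tag
_KEYFILE = re.compile(r"^K(?P<zone>[^+]+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.key$")


def parse_dnskey_answer(text: str) -> list[DnskeyRecord]:
    """Parse dig output. Wrapped base64 key material on continuation lines
    (as in the post's mail-wrapped output) is appended to the preceding record."""
    rows: list[list] = []  # [owner, flags, proto, alg, base64 text]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _DNSKEY_LINE.match(line)
        if m:
            rows.append([m["owner"], int(m["flags"]), int(m["proto"]), int(m["alg"]), m["key"]])
        elif rows:
            rows[-1][4] += line  # continuation of wrapped key material
    return [
        DnskeyRecord(owner.lower(), flags, proto, alg, base64.b64decode("".join(key.split())))
        for owner, flags, proto, alg, key in rows
    ]


def key_tags_on_disk(zone: str, filenames: list[str]) -> set[tuple[int, int]]:
    """(algorithm, key tag) pairs that have a K<zone>.+<alg>+<tag>.key file."""
    found = set()
    for name in filenames:
        m = _KEYFILE.match(name)
        if m and m["zone"].lower() == zone.lower():
            found.add((int(m["alg"]), int(m["tag"])))
    return found


def find_phantom_keys(zone: str, dig_output: str, filenames: list[str]) -> list[tuple[int, int, str]]:
    """DNSKEYs at the apex with no matching key file. With inline-signing these
    typically survive in the <zonefile>.signed file and its journal."""
    on_disk = key_tags_on_disk(zone, filenames)
    phantoms = []
    for rec in parse_dnskey_answer(dig_output):
        if rec.owner != zone.lower():
            continue
        tag = rec.key_tag()
        if (rec.algorithm, tag) not in on_disk:
            phantoms.append((rec.algorithm, tag, rec.role()))
    return phantoms


# Constructed sample in dig's layout (not real keys): tiny key material so the
# tags are hand-checkable: 2068 for the 257 key, 1037 for the 256 key.
SAMPLE_DIG = """\
;; ANSWER SECTION:
example.test. 3600 IN DNSKEY 257 3 13 AQID
BA==
example.test. 3600 IN DNSKEY 256 3 13 AAA=
"""
# Constructed key-directory listing: only the 257 key has files on disk.
SAMPLE_KEY_DIR = [
    "Kexample.test.+013+02068.key",
    "Kexample.test.+013+02068.private",
    "Kexample.test.+013+02068.state",
]

if __name__ == "__main__":
    for alg, tag, role in find_phantom_keys("example.test.", SAMPLE_DIG, SAMPLE_KEY_DIR):
        print(f"phantom {role} key: algorithm {alg}, key tag {tag}, no key file in key-directory")
```

Run against a real zone by feeding it `dig <zone> DNSKEY` output and `os.listdir()` of the key-directory; any key it reports is one that named is still serving from signed zone data (the .signed file or its journal) rather than from key files.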


Re: dnssec/obsolete dns keys removal - how to?

2025-06-20 Thread Florian Piekert via bind-users

Hello,

wow, that did the trick. I didn't think of this at all. It, after all, appeared 
to be VERY obvious. I don't know why I overlooked this possibility.

THANK YOU!

On 20.06.2025 at 19:03, Crist Clark wrote:

Do you have a .signed file that BIND created? To be 100%, shut down 
named, kill that file, then restart. But removing the file and just doing an rndc 
reload on the zone may be enough.

On Fri, Jun 20, 2025 at 7:20 AM Florian Piekert via bind-users <bind-users@lists.isc.org> wrote:

Dear all,

I have tried some faulty ways to set up DNSSEC for some of my domains about 
a month ago. This resulted in the creation of several ZSK, KSK and CSK DNSSEC 
keys (and files) until I got a configuration that actually was working as it 
should. Due to proper ignorance and non-knowledge I deleted those files 
at some point in between while trying.

After a while I got a correctly working setup (using the default *facepalm*).
Although I have then successfully managed to get the correct key setup into 
the DS with the root tld zones, I have mysterious DNSKEY entries on my bind 
installations for these particular domains that I do not seem to get rid of.

I do not have the initially created key files anymore, they are nowhere 
referenced in bind configuration of the zones or anywhere in bind.

I even deleted the /var/lib/bind/ directory contents of the master and 
secondaries, restarted all bind binaries. They are still there. And yes, I 
shut down all binds, deleted the files, restarted them again. Still somewhere 
existing.

How do I get these obsolete entries removed?




Re: dnssec/obsolete dns keys removal - how to?

2025-06-20 Thread Nick Tait via bind-users

On 21/06/2025 05:16, Florian Piekert via bind-users wrote:

Hello,

wow, that did the trick. I didn't think of this at all. It, after all, 
appeared to be VERY obvious. I don't know why I overlooked this 
possibility.


THANK YOU!

On 20.06.2025 at 19:03, Crist Clark wrote:
Do you have a .signed file that BIND created? To be 100%, 
shut down named, kill that file, then restart. But removing the file 
and just doing an rndc reload on the zone may be enough. 


One thing just to be aware of is that the ".signed" zone file could have 
had a significantly higher serial number (in SOA record) than the 
unsigned zone file, and deleting the file could result in the serial 
number changing to a lesser value, which is likely to result in any 
secondary servers being stuck on the old version of the zone.


But it looks like you've already addressed this, because all your serial 
numbers match:


$ dig rosen-roth.com. +nssearch
SOA theater.piekert.de. floppy.floppy.org. 2025061905 18000 3600 36000 3600 from server 85.215.122.93 in 281 ms.
SOA theater.piekert.de. floppy.floppy.org. 2025061905 18000 3600 36000 3600 from server 2a01:238:4381:bb00:5872:e295:9547:8ff0 in 287 ms.
SOA theater.piekert.de. floppy.floppy.org. 2025061905 18000 3600 36000 3600 from server 2a01:239:0:be::1 in 291 ms.
SOA theater.piekert.de. floppy.floppy.org. 2025061905 18000 3600 36000 3600 from server 85.215.122.93 in 280 ms.
SOA theater.piekert.de. floppy.floppy.org. 2025061905 18000 3600 36000 3600 from server 2a01:238:43a1:8d00:3d66:3e7:a956:2430 in 283 ms.
SOA theater.piekert.de. floppy.floppy.org. 2025061905 18000 3600 36000 3600 from server 81.169.217.236 in 280 ms.
SOA theater.piekert.de. floppy.floppy.org. 2025061905 18000 3600 36000 3600 from server 81.169.233.252 in 283 ms.

Nick.
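Nick's caveat rests on serial arithmetic: a secondary only transfers when the primary's serial is "greater" under RFC 1982, so a serial that drops after deleting the .signed file leaves secondaries on the old copy. The script below is an added example for this thread, not code from the poster or from ISC; it parses `dig +nssearch` output as shown in the post (the seven lines above, re-joined to one line each, plus one constructed lagging server on a documentation address) and implements the RFC 1982 comparison that decides whether secondaries would pick up a new serial.

```python
"""Check SOA serial agreement across a zone's authoritative servers and apply
RFC 1982 serial arithmetic. Added example for the bind-users thread, not ISC
code. Input is the text printed by `dig <zone> +nssearch`."""
from __future__ import annotations

import re

_NSSEARCH = re.compile(
    r"^SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+(?P<serial>\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+"
    r"from server\s+(?P<server>\S+)\s+in\s+\d+\s+ms\.$"
)
SERIAL_MASK = 0xFFFFFFFF
SERIAL_HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is 'greater than' b under RFC 1982, i.e. the modular
    difference a - b lies in (0, 2^31). This is the test a secondary applies
    to the primary's SOA before transferring; a serial that went backwards
    (e.g. .signed file removed, unsigned file has a lower serial) fails it."""
    diff = (a - b) & SERIAL_MASK
    return 0 < diff < SERIAL_HALF


def parse_nssearch(text: str) -> dict[str, int]:
    """Map each responding server (as printed by dig) to the serial it returned."""
    serials: dict[str, int] = {}
    for line in text.splitlines():
        m = _NSSEARCH.match(line.strip())
        if m:
            serials[m["server"]] = int(m["serial"])
    return serials


def serial_report(text: str) -> dict:
    """Highest serial seen (by RFC 1982 ordering) and the servers behind it."""
    serials = parse_nssearch(text)
    highest = None
    for s in serials.values():
        if highest is None or serial_gt(s, highest):
            highest = s
    behind = {srv: s for srv, s in serials.items() if s != highest}
    return {"consistent": bool(serials) and not behind, "highest": highest, "behind": behind}


# The seven answers from the post, one per line as dig prints them.
SAMPLE_FROM_POST = """\
SOA theater.piekert.de. floppy.floppy.org. 2025061905 18000 3600 36000 3600 from server 85.215.122.93 in 281 ms.
SOA theater.piekert.de. floppy.floppy.org. 2025061905 18000 3600 36000 3600 from server 2a01:238:4381:bb00:5872:e295:9547:8ff0 in 287 ms.
SOA theater.piekert.de. floppy.floppy.org. 2025061905 18000 3600 36000 3600 from server 2a01:239:0:be::1 in 291 ms.
SOA theater.piekert.de. floppy.floppy.org. 2025061905 18000 3600 36000 3600 from server 85.215.122.93 in 280 ms.
SOA theater.piekert.de. floppy.floppy.org. 2025061905 18000 3600 36000 3600 from server 2a01:238:43a1:8d00:3d66:3e7:a956:2430 in 283 ms.
SOA theater.piekert.de. floppy.floppy.org. 2025061905 18000 3600 36000 3600 from server 81.169.217.236 in 280 ms.
SOA theater.piekert.de. floppy.floppy.org. 2025061905 18000 3600 36000 3600 from server 81.169.233.252 in 283 ms.
"""
# Constructed extra answer: a secondary stuck one serial behind (documentation address).
SAMPLE_WITH_LAGGARD = SAMPLE_FROM_POST + (
    "SOA theater.piekert.de. floppy.floppy.org. 2025061904 18000 3600 36000 3600 "
    "from server 192.0.2.53 in 300 ms.\n"
)

if __name__ == "__main__":
    for label, text in (("post", SAMPLE_FROM_POST), ("with laggard", SAMPLE_WITH_LAGGARD)):
        rep = serial_report(text)
        print(f"{label}: consistent={rep['consistent']} highest={rep['highest']} behind={rep['behind']}")
    # The failure mode Nick describes: primary serial dropped, secondaries will not transfer.
    print("secondaries would transfer 2025061800 over 2025061905:", serial_gt(2025061800, 2025061905))
```

Before removing a .signed file, compare the SOA serial in the unsigned zone file with what `dig +nssearch` reports; if `serial_gt(new, current)` is false, bump the unsigned file's serial past the published one first so the secondaries follow.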