Report information
The Basics
Id:
46410
Status:
resolved
Priority:
Low/Low
Queue:

People
BugTracker
Version Fixed:
9.12.0, 9.11.3, 9.10.7, 9.9.12
Version Found:
(no value)
Versions Affected:
(no value)
Versions Planned:
(no value)
Priority:
P2 Normal
Severity:
S2 Normal
CVSS Score:
(no value)
CVE ID:
(no value)
Component:
(no value)
Area:
bug

Dates
Created:Thu, 26 Oct 2017 13:58:37 -0400
Updated:Sun, 29 Oct 2017 23:09:33 -0400
Closed:Sun, 29 Oct 2017 23:09:33 -0400


Date: Thu, 26 Oct 2017 17:58:37 +0000
From: Evan_Hunt@isc.org
To: bind9-public@isc.org
Subject: should dlv.isc.org be a nonfatal warning?
I got an angry message from someone trying 9.12.0b1 who spent an hour trying to figure out why his server wouldn't start. It turned out to be because configuring lookaside with dlv.isc.org is fatal now. There was some kind of syslog problem that prevented him from seeing the error message right away. On the one hand, syslog problems aren't our responsibility, and he could have lost less time if he'd known to run "named -g". Still, he's got a point: if you're experimenting with a new release, you're going to try it with your existing configuration, and it's unsettling if it fails, and makes you feel less inclined to upgrade. Do we *need* to break ISC DLV lookaside configurations? If so, why? If not, let's change it back to a warning.
> Do we *need* to break ISC DLV lookaside configurations? If so, why?
> If not, let's change it back to a warning.

Additional thought: In addition to warning, we can ignore the lookaside configuration, so the server behavior would be the same as if they'd removed it from their config file.
Date: Thu, 26 Oct 2017 11:22:22 -0700
From: "Victoria Risk" <vicky@isc.org>
To: bind9-public@isc.org
Subject: Re: [ISC-Bugs #46410] should dlv.isc.org be a nonfatal warning?

On Oct 26, 2017, at 11:02 AM, Evan Hunt via RT <bind9-public@isc.org> wrote:


> Do we *need* to break ISC DLV lookaside configurations?  If so, why?
> If not, let's change it back to a warning.
>
> Additional thought: In addition to warning, we can ignore the lookaside
> configuration, so the server behavior would be the same as if they'd removed
> it from their config file.

That is an even better idea. A lot of people will have this in their configuration and won't know or care about it.

Victoria Risk
Product Manager
Internet Systems Consortium






To: bind9-public@isc.org
From: "Mark Andrews" <marka@isc.org>
Date: Fri, 27 Oct 2017 09:46:39 +1100
Subject: Re: [ISC-Bugs #46410] should dlv.isc.org be a nonfatal warning?
In message <rt-4.4.1-82815-1509040718-1288.46410-3-0@isc.org>, "Evan Hunt via RT" writes:
>
> I got an angry message from someone trying 9.12.0b1 who spent an hour trying
> to figure out why his server wouldn't start. It turned out to be because
> configuring lookaside with dlv.isc.org is fatal now. There was some kind of
> syslog problem that prevented him from seeing the error message right away.
>
> On the one hand, syslog problems aren't our responsibility, and he could have
> lost less time if he'd known to run "named -g". Still, he's got a point:
> if you're experimenting with a new release, you're going to try it with your
> existing configuration, and it's unsettling if it fails, and makes you feel
> less inclined to upgrade.
>
> Do we *need* to break ISC DLV lookaside configurations? If so, why? If not,
> let's change it back to a warning.

9.12.0 is a .0 release. This is the point where we break things if we are going to break things. 9.{9,10,11}.x is (or should be) a warning.

They also didn't even run named-checkconf.

    [rock:bin/tests/system] marka% named-checkconf /etc/named.cache.conf
    /etc/named.cache.conf:56: dlv.isc.org has been shut down
    [rock:bin/tests/system] marka% echo $?
    1
    [rock:bin/tests/system] marka%

We provide the tools for people to test the configuration. Or read the release notes that state it is a fatal configuration error.

    <itemizedlist>
      <listitem>
        <para>
          The ISC DNSSEC Lookaside Validation (DLV) service has been shut down;
          all DLV records in the dlv.isc.org zone have been removed. References
          to the service have been removed from BIND documentation. Lookaside
          validation is no longer used by default by <command>delv</command>.
          The DLV key has been removed from <filename>bind.keys</filename>.
          Setting <command>dnssec-lookaside</command> to <command>auto</command>
          or to use dlv.isc.org as a trust anchor is now a fatal configuration
          error. [RT #46155]
        </para>
      </listitem>

Or CHANGES 4749.

    [func] The ISC DLV service has been shut down, and all DLV records
           have been removed from dlv.isc.org.
           - Removed references to ISC DLV in documentation
           - Removed DLV key from bind.keys
           - No longer use ISC DLV by default in delv
           - "dnssec-lookaside auto" and configuration of "dnssec-lookaide"
             with dlv.isc.org as trust anchor are both now fatal errors.
           [RT #46155]

This all said we could make it just a warning.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
How about:

- If dnssec-lookaside is configured as either auto or explicitly using dlv.isc.org, disable it and log a warning
- If dnssec-lookaside is explicitly configured using another server, log this during start-up (mentioning that the configuration is permitted because it does not use dlv.isc.org)

?
Subject: Re: [ISC-Bugs #46410] should dlv.isc.org be a nonfatal warning?
Date: Fri, 27 Oct 2017 16:39:29 +0000
From: "Evan Hunt" <each@isc.org>
To: "Cathy Almond via RT" <bind9-public@isc.org>
> - if dnssec-lookaside is explicitly configured using another server, log this
> during start-up (mentioning that the configuration is permitted because it
> does not use dlv.isc.org)

This seems excessively noisy to me. We disabled dlv.isc.org, not the lookaside feature; if they have a different domain, then they're just using a feature correctly.
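The distinction the thread settles on (auto or dlv.isc.org is the deprecated case; lookaside against any other zone is a legitimate use of the feature) is easy to check before rolling a configuration onto a new release. The script below is an added example written for this page, not code from the BIND sources or from ISC: it classifies the dnssec-lookaside statements in a named.conf-style file and returns a non-zero status when the configuration still references the shut-down service. It assumes only "//" and "#" line comments need stripping (a simplification of named.conf syntax, not a full parser), and the sample configurations it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not ISC code): classify dnssec-lookaside statements in a
# named.conf-style file the way the thread distinguishes them:
#   none    - no lookaside configured (or "dnssec-lookaside no;")
#   auto    - "dnssec-lookaside auto;", which used to pull in the ISC DLV key
#   isc-dlv - an explicit trust anchor pointing at dlv.isc.org
#   other   - lookaside against some other zone, which the thread treats as
#             ordinary, permitted use of the feature
# Assumption: only "//" and "#" line comments are stripped; /* */ blocks and
# the rest of named.conf grammar are not handled.

classify_lookaside() {
    conf="$1"
    # Strip line comments, split on ";" and keep statements that mention
    # dnssec-lookaside, one per output line with whitespace normalised.
    stmts=$(sed -e 's|//.*$||' -e 's|#.*$||' "$conf" \
        | awk 'BEGIN { RS = ";" }
               /dnssec-lookaside/ { gsub(/[ \t\n]+/, " "); sub(/^ /, ""); print $0 ";" }' \
        || true)
    if [ -z "$stmts" ]; then
        echo none; return 0
    fi
    if printf '%s\n' "$stmts" | grep -q 'dnssec-lookaside *auto *;'; then
        echo auto; return 0
    fi
    if printf '%s\n' "$stmts" | grep -qi 'dlv\.isc\.org'; then
        echo isc-dlv; return 0
    fi
    # Anything left that is not an explicit "no" is lookaside against another zone.
    if printf '%s\n' "$stmts" | grep -vq 'dnssec-lookaside *no *;'; then
        echo other; return 0
    fi
    echo none
}

# Exit 0 when the configuration can be carried into a release that rejects
# ISC DLV lookaside, 1 when it still references the shut-down service.
check_before_upgrade() {
    case "$(classify_lookaside "$1")" in
        auto|isc-dlv)
            echo "dnssec-lookaside still references the shut-down dlv.isc.org service" >&2
            return 1 ;;
        *)
            return 0 ;;
    esac
}

# Write one of four constructed sample configurations to a temporary file and
# print its path. The contents are made up for this example.
make_sample_conf() {
    f=$(mktemp)
    case "$1" in
        auto)  printf 'options {\n  dnssec-lookaside auto; // legacy\n};\n' > "$f" ;;
        isc)   printf 'options {\n  dnssec-lookaside . trust-anchor dlv.isc.org;\n};\n' > "$f" ;;
        other) printf 'options {\n  dnssec-lookaside . trust-anchor dlv.example.net;\n};\n' > "$f" ;;
        none)  printf 'options {\n  // dnssec-lookaside auto;\n  dnssec-validation yes;\n};\n' > "$f" ;;
    esac
    echo "$f"
}

# Usage: run each constructed sample through the check.
for kind in auto isc other none; do
    f=$(make_sample_conf "$kind")
    printf '%-6s -> %s\n' "$kind" "$(classify_lookaside "$f")"
    rm -f "$f"
done
```

Run against a real file with `check_before_upgrade /etc/named.conf`; a zero exit status means the file neither uses `dnssec-lookaside auto;` nor names dlv.isc.org as a trust anchor, which is exactly the case that was fatal in 9.12.0b1 and becomes a warning with the change discussed here.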
ready for review
Looks fine.
Mark has committed this now, I'm resolving the ticket. Thanks.

    4801.   [func]      'dnssec-lookaside auto;' and
                        'dnssec-lookaside . trust-anchor dlv.isc.org;' now
                        elicit warnings rather than being fatal configuration
                        errors. [RT #46410]

Version Fixed: 9.12.0, 9.11.3, 9.10.7, 9.9.12