From: "Tony Finch" <dot@dotat.at>
To: bind9-bugs@isc.org
Subject: conflicting zones make catz crash
Date: Wed, 6 Sep 2017 23:09:33 +0100

I was trying an experiment to see what happens if I have an explicitly
configured zone which is also listed in a catalog zone, e.g.

Initial config snippet:

    catalog-zones {
        zone "catz.arpa.cam.ac.uk" zone-directory "/zs";
    };

    zone catz.arpa.cam.ac.uk {
        type slave;
        file "/zs/catz.arpa.cam.ac.uk";
        masters { ucam; };
    };

The catz has an entry for 10.in-addr.arpa. I add the following to
named.conf:

    zone 10.in-addr.arpa {
        type master;
        file "/zm/ten";
        allow-query { cudn; };
    };

then `rndc reconfig` says

    rndc: 'reconfig' failed: already exists

and named logs:

    2017-09-06.22:55:55.573 config: error: /etc/named.conf:202: zone '30.172.in-addr.arpa' already exists
    2017-09-06.22:55:55.573 general: error: reloading configuration failed: already exists

OK, I delete the zone 10 configuration clause, and run `rndc reconfig`
again. named logs up to:

    2017-09-06.22:56:04.490 general: info: automatic empty zone: view rec: EMPTY.AS112.ARPA
    2017-09-06.22:56:04.490 config: warning: /etc/named.conf:192: catz: catalog zone 'catz.arpa.cam.ac.uk' will not be reconfigured

then crashes :-(

The wider question is what should happen when there is a conflict like
this. For instance, we also act as a secondary for Imperial College, so
it would be handy to use a catalog zone to do that. But I don't want to
have to trust them not to break our servers by adding a cam.ac.uk zone.

So ideally, I think explicitly configured zones should override / shadow
zones listed in a catalog. And if there are multiple catalog zones, there
should be a priority order so that zones listed in a higher priority
catalog will override / shadow zones in a lower priority catalog.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
Biscay: Westerly or northwesterly 3 or 4, occasionally 5 in north.
Moderate, occasionally rough in north. Mainly fair. Good.
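The report above describes two conflicts a catalog-zone operator wants to catch before named does: a zone both configured explicitly in named.conf and listed as a member of a catalog zone, and (for the Imperial College scenario) a zone listed in more than one catalog. The following is an added example, not part of the bug report and not ISC code, of a pre-reconfig check that finds both. It assumes the BIND catalog-zone format in which each member zone is a PTR record under the `zones` label of the catalog zone, and it reads named.conf with a deliberately simple regex (enough for the `zone <name> [class] {` clauses shown in the report, not a full named.conf parser). The named.conf text, both catalog zone files and the catalog name `imperial.example` are constructed for the example.

```python
"""Find zones that named would refuse (or crash) on: zones configured
explicitly in named.conf that are also catalog-zone members, and zones
listed by more than one catalog.  Example code, not ISC's; assumes the
BIND catz layout "<label>.zones.<catalog> PTR <member zone>"."""
import re

# Constructed named.conf modelled on the report: the catalog zone is slaved
# and 10.in-addr.arpa is then also configured explicitly.
NAMED_CONF = """
options {
    catalog-zones { zone "catz.arpa.cam.ac.uk" zone-directory "/zs"; };
};
zone catz.arpa.cam.ac.uk {
    type slave;
    file "/zs/catz.arpa.cam.ac.uk";
    masters { ucam; };
};
zone "cam.ac.uk" IN {
    type master;
    file "/zm/cam";
};
zone 10.in-addr.arpa {
    type master;
    file "/zm/ten";
    allow-query { cudn; };
};
"""

# Constructed catalog zone files; the owner labels are arbitrary.
CATZ_CAM = """
$TTL 3600
catz.arpa.cam.ac.uk. IN SOA ns.example. hostmaster.example. 1 3600 600 86400 3600
catz.arpa.cam.ac.uk. IN NS invalid.
version.catz.arpa.cam.ac.uk. IN TXT "1"
5960775ba382e7a4.zones.catz.arpa.cam.ac.uk. IN PTR 10.in-addr.arpa.
0e4a3b9c1d2f5e6a.zones.catz.arpa.cam.ac.uk. IN PTR 30.172.in-addr.arpa.
"""
# A hypothetical third-party catalog that (mis)lists our own zone.
CATZ_IMPERIAL = """
version.imperial.example. IN TXT "1"
aa11bb22cc33dd44.zones.imperial.example. IN PTR 30.172.in-addr.arpa.
ee55ff66aa77bb88.zones.imperial.example. IN PTR CAM.AC.UK.
"""

# `zone <name> [class] {` -- the `zone "..." zone-directory ...;` entries
# inside catalog-zones have no `{` after the name, so they are not matched.
_ZONE_CLAUSE = re.compile(
    r'^\s*zone\s+"?([^"\s{;]+)"?\s*(?:(?:IN|CH|HS)\s+)?\{', re.M | re.I)


def normalize(name):
    """Canonical form for comparing DNS names: lowercase, no trailing dot."""
    return name.strip().rstrip('.').lower()


def configured_zones(named_conf):
    """Set of zone names with an explicit zone clause in named.conf."""
    return {normalize(m.group(1)) for m in _ZONE_CLAUSE.finditer(named_conf)}


def catalog_members(zone_text, catalog_name):
    """Member zones of a catalog: PTR targets owned under zones.<catalog>."""
    suffix = '.zones.' + normalize(catalog_name)
    members = set()
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or 'PTR' not in fields:
            continue
        if normalize(fields[0]).endswith(suffix):
            members.add(normalize(fields[-1]))
    return members


def find_conflicts(named_conf, catalogs):
    """catalogs: {catalog name: zone file text}.  Returns
    {"explicit": {zone: [catalogs]}, "multi": {zone: [catalogs]}}."""
    explicit = configured_zones(named_conf)
    listed = {}  # member zone -> catalogs that list it
    for cat_name, text in catalogs.items():
        for member in catalog_members(text, cat_name):
            listed.setdefault(member, []).append(normalize(cat_name))
    for cats in listed.values():
        cats.sort()
    return {
        "explicit": {z: c for z, c in listed.items() if z in explicit},
        "multi": {z: c for z, c in listed.items() if len(c) > 1},
    }


if __name__ == "__main__":
    report = find_conflicts(NAMED_CONF, {"catz.arpa.cam.ac.uk": CATZ_CAM,
                                         "imperial.example": CATZ_IMPERIAL})
    for zone, cats in sorted(report["explicit"].items()):
        print(f"explicit zone {zone} also listed by catalog(s): {', '.join(cats)}")
    for zone, cats in sorted(report["multi"].items()):
        print(f"zone {zone} listed by several catalogs: {', '.join(cats)}")
```

Run it against the real named.conf and the transferred catalog zone files (the `file` path of each catalog's zone clause) before `rndc reconfig`; a non-empty `explicit` set is exactly the situation the report shows named rejecting, and a non-empty `multi` set is the case where no priority order between catalogs is defined yet.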