Report information
The Basics
Id: 46875
Status: open
Priority: Medium/Medium
Queue:

People
Owner: Nobody in particular
Cc:
AdminCc:

BugTracker
Version Fixed: 9.10.7, 9.10.7(sub), 9.11.3, 9.12.1, 9.13.0
Version Found: (no value)
Versions Affected: (no value)
Versions Planned: (no value)
Priority: P2 Normal
Severity: S2 Normal
CVSS Score: (no value)
CVE ID: (no value)
Component: (no value)
Area: bug

Dates
Created: Tue, 19 Dec 2017 02:59:34 -0500
Updated: Thu, 04 Jan 2018 03:52:45 -0500
Closed: Wed, 03 Jan 2018 18:40:05 -0500



Subject: rndc zonestatus type is wrong for bump-in-the-wire signed zone
Date: Tue, 19 Dec 2017 07:59:23 +0000
To: "bind9-bugs@isc.org" <bind9-bugs@isc.org>
From: "Klaus Darilion" <klaus.darilion@nic.at>

As you can see below, the zone is configured as type slave, but zonestatus reports the zone as master.

 

Thanks

Klaus

 

 

 

# /dns/bind/current/sbin/named -V
BIND 9.11.2 <id:0a2b929>
running on Linux x86_64 3.13.0-100-generic #147-Ubuntu SMP Tue Oct 18 16:48:51 UTC 2016
built by make with '--prefix=/dns/bind/9.11.2' '--enable-threads' '--enable-static' '--enable-ipv6=yes' '--with-openssl=yes' '--with-gssapi=no' '--enable-rrl' 'CFLAGS=-g'
compiled by GCC 4.8.4
compiled with OpenSSL version: OpenSSL 1.0.1f 6 Jan 2014
linked to OpenSSL version: OpenSSL 1.0.1f 6 Jan 2014
compiled with libxml2 version: 2.9.1
linked to libxml2 version: 20901
compiled with zlib version: 1.2.8
linked to zlib version: 1.2.8
threads support is enabled

# cat /var/cache/bind/3bf305731dd26307.nzf | sed 's/zone /\nzone /g'|grep affe.space
zone "affe.space" { type slave; file "/etc/bind/zones/a/affe.space/affe.space"; masters { 62.116.130.19; }; auto-dnssec maintain; dnssec-dnskey-kskonly no; inline-signing yes; key-directory "/etc/bind/keys/a/affe.space"; };

# rndc zonestatus affe.space
name: affe.space
type: master
files: /etc/bind/zones/a/affe.space/affe.space
serial: 2016061100
signed serial: 2016061136
nodes: 1
last loaded: Mon, 04 Dec 2017 10:24:17 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Tue, 19 Dec 2017 08:29:27 GMT
next resign node: affe.space/TYPE65534
next resign time: Tue, 26 Dec 2017 21:30:02 GMT
dynamic: yes
frozen: no
reconfigurable via modzone: yes

 

--

PS: Every Secondary Counts

https://www.youtube.com/watch?v=y0if6D6IC4o
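
A check for the discrepancy reported above, as an added example that is not part of the original ticket or of BIND: it parses a zone statement and `rndc zonestatus` output and lists the fields where the reported state differs from the configuration. The inputs are shortened from the report; the function names, and treating a missing "inline signing" line as "no", are assumptions.

```python
import re

# Zone statement (shortened) and a zonestatus excerpt, both from the report above.
ZONE_STATEMENT = ('zone "affe.space" { type slave; '
                  'file "/etc/bind/zones/a/affe.space/affe.space"; '
                  'masters { 62.116.130.19; }; auto-dnssec maintain; '
                  'inline-signing yes; };')
ZONESTATUS = """name: affe.space
type: master
serial: 2016061100
signed serial: 2016061136
last loaded: Mon, 04 Dec 2017 10:24:17 GMT
inline signing: yes
"""

def parse_zone_statement(stmt):
    """Return (zone name, {option: value}) for one 'zone "x" { ... };' statement."""
    m = re.match(r'\s*zone\s+"([^"]+)"\s*\{(.*)\}\s*;\s*$', stmt, re.S)
    if not m:
        raise ValueError("not a zone statement")
    name, body = m.groups()
    opts, depth, start = {}, 0, 0
    for i, ch in enumerate(body):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif ch == ";" and depth == 0:   # ';' inside masters { ... } is skipped
            keyword, _, value = body[start:i].strip().partition(" ")
            if keyword:
                opts[keyword] = value.strip().strip('"')
            start = i + 1
    return name, opts

def parse_zonestatus(text):
    """Split each line on the first ': ' only, since timestamps contain colons."""
    pairs = (line.partition(": ") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def compare(stmt, status_text):
    """List the fields where the running state differs from the configuration."""
    name, opts = parse_zone_statement(stmt)
    # Assumption: an absent "inline signing" line means the zone is not inline-signed.
    reported = {"inline signing": "no", **parse_zonestatus(status_text)}
    expected = {"name": name, "type": opts.get("type"),
                "inline signing": opts.get("inline-signing", "no")}
    return [f"{field}: configured {want!r}, reported {reported.get(field)!r}"
            for field, want in expected.items() if reported.get(field) != want]

if __name__ == "__main__":
    for finding in compare(ZONE_STATEMENT, ZONESTATUS):
        print(finding)
```
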

 

 


ready for review
I silenced a spurious compiler warning that maybe raw could be used uninitialized, and put brackets around the one-line if statements while I was there.

What's there is okay, and can be committed, but it occurs to me it's incomplete. We have expiry and refresh timers being reported only for the signed zone, but if the raw zone is type slave then we should have it reported for both, the way we currently do with serial numbers.

Filename, node count, and load time should probably also be reported for both raw and signed (when applicable). And it wouldn't hurt to include the journal file name, too, which isn't reported for either side now.

Perhaps these changes should be in 9.13 only though.
Date: Thu, 4 Jan 2018 09:07:53 +1100
From: "Mark Andrews" <marka@isc.org>
To: bind9-public@isc.org
Subject: Re: [ISC-Bugs #46875] rndc zonestatus type is wrong for bump-in-the-wire signed zone
> On 4 Jan 2018, at 8:49 am, Evan Hunt via RT <bind9-public@isc.org> wrote:
>
> I silenced a spurious compiler warning that maybe raw could be used
> uninitialized, and put brackets around the one-line if statements while I
> was there.
>
> What's there is okay, and can be committed, but it occurs to me it's
> incomplete. We have expiry and refresh timers being reported only for
> the signed zone, but if the raw zone is type slave then we should have it
> reported for both, the way we currently do with serial numbers.

They don’t make sense for the signed zone. s/zone/mayberaw/

> Filename, node count, and load time should probably also be reported for
> both raw and signed (when applicable). And it wouldn't hurt to include the
> journal file name, too, which isn't reported for either side now.
>
> Perhaps these changes should be in 9.13 only though.
>
> --
> Ticket History: https://bugs.isc.org/Ticket/Display.html?id=46875

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
Date: Wed, 3 Jan 2018 22:16:02 +0000
CC:
To: "Mark Andrews via RT" <bind9-public@isc.org>
From: "Evan Hunt" <each@isc.org>
Subject: Re: [ISC-Bugs #46875] rndc zonestatus type is wrong for bump-in-the-wire signed zone
On Wed, Jan 03, 2018 at 10:08:32PM +0000, Mark Andrews via RT wrote:
> > What's there is okay, and can be committed, but it occurs to me it's
> > incomplete. We have expiry and refresh timers being reported only for
> > the signed zone, but if the raw zone is type slave then we should have it
> > reported for both, the way we currently do with serial numbers.
>
> They don’t make sense for the signed zone. s/zone/mayberaw/

That was my first thought, but I think those values are actually
potentially meaningful (even if only in an error condition) for
the signed zone too.

We could switch to reporting from mayberaw in the existing code,
but change to a more detailed output format in 9.13.
From: "Mark Andrews" <marka@isc.org>
Date: Thu, 4 Jan 2018 10:06:30 +1100
Subject: Re: [ISC-Bugs #46875] rndc zonestatus type is wrong for bump-in-the-wire signed zone
To: bind9-public@isc.org
> On 4 Jan 2018, at 9:16 am, Evan Hunt via RT <bind9-public@isc.org> wrote:
>
> On Wed, Jan 03, 2018 at 10:08:32PM +0000, Mark Andrews via RT wrote:
>>> What's there is okay, and can be committed, but it occurs to me it's
>>> incomplete. We have expiry and refresh timers being reported only for
>>> the signed zone, but if the raw zone is type slave then we should have it
>>> reported for both, the way we currently do with serial numbers.
>>
>> They don’t make sense for the signed zone. s/zone/mayberaw/
>
> That was my first thought, but I think those values are actually
> potentially meaningful (even if only in an error condition) for
> the signed zone too.
>
> We could switch to reporting from mayberaw in the existing code,
> but change to a more detailed output format in 9.13.

They do not make sense for a master zone as those timers are not in use in that form of the zone. They only make sense to be reported for the raw slave zone.

> --
> Ticket History: https://bugs.isc.org/Ticket/Display.html?id=46875

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
4856. [bug] 'rndc zonestatus' reported the wrong underlying type for a inline slave zone. [RT #46875]
To: "bind9-public@isc.org" <bind9-public@isc.org>
From: "Klaus Darilion" <klaus.darilion@nic.at>
Date: Thu, 4 Jan 2018 08:52:34 +0000
Subject: AW: [ISC-Bugs #46875] rndc zonestatus type is wrong for bump-in-the-wire signed zone
> -----Original Message-----
> From: Evan Hunt via RT [mailto:bind9-public@isc.org]
> Sent: Wednesday, 3 January 2018 23:16
> To: Klaus Darilion <klaus.darilion@nic.at>
> Subject: Re: [ISC-Bugs #46875] rndc zonestatus type is wrong for bump-in-the-wire signed zone
>
> On Wed, Jan 03, 2018 at 10:08:32PM +0000, Mark Andrews via RT wrote:
> > > What's there is okay, and can be committed, but it occurs to me it's
> > > incomplete. We have expiry and refresh timers being reported only for
> > > the signed zone, but if the raw zone is type slave then we should have it
> > > reported for both, the way we currently do with serial numbers.
> >
> > They don’t make sense for the signed zone. s/zone/mayberaw/
>
> That was my first thought, but I think those values are actually
> potentially meaningful (even if only in an error condition) for
> the signed zone too.
>
> We could switch to reporting from mayberaw in the existing code,
> but change to a more detailed output format in 9.13.

Some comment from a user:

I actually found this issue as I was interested to find out the freshness-status of a slave zone - regardless if the zone is unsigned or "bump-in-the-wire" signed, and regardless if the zone is further slaved or not.

Unfortunately the freshness status is missing totally. With freshness I mean:
- was the last SOA-check against the master successful (at least 1 master if there are multiple masters)
- is the slave's serial identical to the master's serial?
- was the last XFR try successful?

I want to know if there is a problem between master and slave before noticing that the zone expired. And this is currently not exposed to "zonestatus". Watching the logfile is cumbersome and may report false positives if there are transitional communication problems.

Shall I open a "feature request"?

Thanks
Klaus